A SonarQube-like static analysis CLI for multi-language repositories.
Project description
supersonar
supersonar is a lightweight, SonarQube-inspired static analysis CLI for multi-language repositories.
It is designed for local use and CI pipelines via pip install (Python 3.10+).
Supported Languages
- Python
- Java
- JavaScript / React (
.js,.jsx,.ts,.tsx) - Go
Quick start
pip install .
supersonar scan . --format json
Pipeline install (pip)
Use an isolated environment in CI:
python -m venv .venv
. .venv/bin/activate
python -m pip install --upgrade pip
python -m pip install supersonar
supersonar --version
supersonar scan . --format sarif --out reports/supersonar.sarif
Or install from repository source directly:
python -m pip install "git+https://github.com/mortaccio/supersonar.git@main"
The scanner performs real code checks (AST + regex), including:
- dynamic execution (
eval/exec) - broad exception handlers
subprocess.*(..., shell=True)in Python- unsafe
yaml.load(...)in Python - cross-language readability checks (line too long, trailing whitespace, oversized file)
- duplicate-code block detection (repeated multi-line chunks)
- Java package naming convention checks (
lower.case.package) - Java type naming convention checks (
UpperCamelCase) - Java class/file naming consistency checks (
MyClassinMyClass.java) - Java method naming convention checks (
lowerCamelCase) - Java constant naming convention checks (
UPPER_SNAKE_CASE) - Java complexity checks (too many method parameters, very long methods, deep nesting)
- Java coupling/cohesion checks (high import fan-out, classes with too many methods, low cohesion)
- Python naming checks (snake_case functions, UpperCamelCase classes)
- Python complexity checks (too many parameters, very long functions, deep nesting)
- Python coupling/cohesion checks (high import fan-out, classes with too many methods, low cohesion)
- JavaScript/React checks (function/component naming, too many parameters, long functions, deep nesting)
- Go checks (package/function naming, too many parameters, long functions, deep nesting, import fan-out)
- hardcoded secret-like assignments
- private key block markers (for example
BEGIN ... PRIVATE KEY) - TODO/FIXME markers
- unresolved merge conflict markers
Python files use AST rules. Other file types use generic cross-language text rules.
CI usage
pip install supersonar
supersonar scan . \
--format sarif \
--out reports/supersonar.sarif \
--fail-on high \
--max-high 0 \
--max-critical 0 \
--coverage-xml coverage.xml \
--min-coverage 80
Config (supersonar.toml)
[scan]
exclude = [".git", ".venv", "venv", "build", "dist", "__pycache__"]
include_extensions = [".py", ".java", ".js", ".jsx", ".ts", ".tsx", ".go", ".rs", ".cs", ".yaml", ".yml", ".json", ".toml"]
include_filenames = ["Dockerfile", "Jenkinsfile", "Makefile"]
max_file_size_kb = 1024
skip_generated = true
inline_ignore = true
disabled_rules = []
# enabled_rules = ["SS001", "SS003"]
coverage_xml = "coverage.xml"
[quality_gate]
fail_on = "high"
max_issues = 200
max_files_with_issues = 25
max_high = 0
max_critical = 0
min_coverage = 80.0
baseline_report = "reports/supersonar-baseline.json"
only_new_issues = true
[report]
format = "json"
Use CLI overrides when needed:
supersonar scan . --include-ext .java --include-ext .kt --include-file Dockerfile
Quality gates
fail_on: fail if any issue exists at/above severitymax_issues: fail if total issues exceed thresholdmax_files_with_issues: fail if number of files with at least one issue exceeds thresholdmax_low,max_medium,max_high,max_critical: per-severity capsmin_coverage: minimum line coverage percentage from Cobertura XMLbaseline_report+only_new_issues: gate only on issues not present in a previous report
Generate coverage.xml in Python projects with:
python -m pip install coverage
coverage run -m pytest
coverage xml -o coverage.xml
Noise control
- Generated artifacts are skipped by default (
target/,.mypy_cache/,.pytest_cache/,.tox/,.nox/,.gradle/,node_modules/, and common binary suffixes). - Use
--include-generatedwhen you explicitly want to scan generated/build outputs. - Inline suppression is supported per line:
# supersonar:ignoreignores all rules on that line.# supersonar:ignore SS001,SS007ignores specific rules on that line.
- Rule-level controls:
--disable-rule SS004(repeatable)--enable-rule SS001 --enable-rule SS003(allowlist mode)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
supersonar-0.3.4.tar.gz
(26.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file supersonar-0.3.4.tar.gz.
File metadata
- Download URL: supersonar-0.3.4.tar.gz
- Upload date:
- Size: 26.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
48bed6dedcf065120de87dfd3142640ce776d4b07cc5cce5adc601963420213d
|
|
| MD5 |
65ec01955128937524cb23fa3c2d0991
|
|
| BLAKE2b-256 |
70830e84e64d7318c133ce5ac61355688aa65d1b8c3f0a1ec2bec5772edb7044
|
File details
Details for the file supersonar-0.3.4-py3-none-any.whl.
File metadata
- Download URL: supersonar-0.3.4-py3-none-any.whl
- Upload date:
- Size: 27.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d4e810258fa6e1d39d34c00dd85c8c1b786b7447f3b8956e7037e09cc5ab18b3
|
|
| MD5 |
4e2f6b050b31e2c7f97b2857463be8d0
|
|
| BLAKE2b-256 |
4560bed51e6609fb9bbc8975ea4c17750e9fdea47b0b021746ac2029c0f7a979
|
