Merge pull request #85 from omics-datascience/feature/sonarqube

Feature/sonarqube

Author: Genarito

.github/workflows/sonarqube-pr.yaml

@@ -0,0 +1,69 @@
+name: SonarQube Analysis on Pull Request
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+      - 'feature/**'
+      - 'bugfix/**'
+      - 'v*'
+    types: [opened, synchronize, reopened]
+
+jobs:
+  sonarqube:
+    name: SonarQube Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for better analysis
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: src/frontend/static/frontend/package-lock.json
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r config/requirements.txt
+
+      - name: Install Node dependencies
+        run: npm --prefix src/frontend/static/frontend ci
+
+      - name: SonarQube Scan
+        uses: sonarsource/sonarqube-scan-action@v6
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        with:
+          args: >
+            -Dsonar.projectKey=omics-datascience_multiomix
+            -Dsonar.organization=omics-datascience
+            -Dsonar.projectName=multiomix
+            -Dsonar.sources=src
+            -Dsonar.exclusions=**/node_modules/**,**/migrations/**,**/__pycache__/**,**/venv/**,**/.venv/**,**/htmlcov/**,**/staticfiles/**,**/*.pyc,**/email/**,**/dist/**
+            -Dsonar.python.version=3.12
+            -Dsonar.javascript.node.maxspace=4096
+            -Dsonar.sourceEncoding=UTF-8
+            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+            -Dsonar.pullrequest.branch=${{ github.head_ref }}
+            -Dsonar.pullrequest.base=${{ github.base_ref }}
+
+      - name: Wait for Quality Gate
+        uses: sonarsource/sonarqube-quality-gate-action@master
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

.gitignore

@@ -12,4 +12,5 @@ src/api_service/experiments/venv
 docker-compose.yml
 src/secretkey.txt
 docker-compose.mauri_dev.yml
-venv
+venv
+.DS_Store

README.md

@@ -3,6 +3,10 @@
 # Multiomix
 
 [![Last Build & Push](https://github.com/omics-datascience/multiomix/actions/workflows/main-wf.yaml/badge.svg)](https://github.com/omics-datascience/multiomix/actions/workflows/main-wf.yaml)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=omics-datascience_multiomix&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=omics-datascience_multiomix)
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=omics-datascience_multiomix&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=omics-datascience_multiomix)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=omics-datascience_multiomix&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=omics-datascience_multiomix)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=omics-datascience_multiomix&metric=coverage)](https://sonarcloud.io/summary/new_code?id=omics-datascience_multiomix)
 
 Cloud-based platform to infer cancer genomic and epigenomic events associated with gene expression modulation.
 

SECURITY.md

@@ -0,0 +1,48 @@
+# Security & Code Quality
+
+Multiomix uses [SonarQube](https://www.sonarsource.com/products/sonarqube/) (via SonarCloud) to ensure code quality and catch maintainability and security issues early in the development process.
+
+SonarQube is a static analysis platform that scans source code for bugs, vulnerabilities, and code quality problems across multiple languages — in our case, Python (Django backend) and TypeScript/JavaScript (React frontend).
+
+> **Heads up:** Since Multiomix is a public repository, its SonarCloud analysis results are [publicly visible](https://sonarcloud.io/project/overview?id=omics-datascience_multiomix) — no login required — including reported vulnerabilities. Keep this in mind: any unresolved security issue detected by SonarQube is effectively public information. We treat this as an additional incentive to address findings promptly.
+
+---
+
+## Pull Request Analysis
+
+Every pull request targeting `main`, `develop`, `feature/**`, or `bugfix/**` branches is automatically scanned by SonarQube via GitHub Actions.
+
+If your changes introduce issues, SonarQube will report warnings with varying severity levels and categories. This information will be visible directly on the PR. For minor issues, they serve as useful guidance to improve your contribution. For more significant problems, Multiomix maintainers will leave a review pointing out what needs to be addressed before the PR can be merged.
+
+---
+
+## Setting Up SonarQube Locally (for contributors and self-hosters)
+
+If you want to run SonarQube analysis on your own fork or deployment, follow these steps:
+
+1. **Create a SonarCloud account** at [sonarcloud.io](https://sonarcloud.io) and log in with your GitHub account.
+
+2. **Create a new project** linked to your fork of the Multiomix repository.
+
+3. **Generate a token**: go to *My Account → Security → Generate Token* and copy it.
+
+4. **Configure the following GitHub Actions secrets** in your repository (*Settings → Secrets and variables → Actions*):
+
+   | Secret | Value |
+   |--------|-------|
+   | `SONAR_TOKEN` | The token generated in the previous step |
+   | `SONAR_HOST_URL` | `https://sonarcloud.io` |
+
+5. Once configured, the workflow defined in `.github/workflows/sonarqube-pr.yaml` will run automatically on every qualifying pull request.
+
+> **Note:** The project key and organization in the workflow (`omics-datascience_multiomix` / `omics-datascience`) correspond to the official Multiomix project. If you're running your own instance, update those values to match your SonarCloud project.
+
+---
+
+## Contact
+
+Found a security issue or have a question about the project?
+
+- Email us at [multiomix@gmail.com](mailto:multiomix@gmail.com)
+- Open an issue on [GitHub](https://github.com/omics-datascience/multiomix/issues)
+- Submit a pull request directly on [GitHub](https://github.com/omics-datascience/multiomix)

sonar-project.properties

@@ -0,0 +1,17 @@
+sonar.projectKey=omics-datascience_multiomix
+sonar.organization=omics-datascience
+sonar.projectName=multiomix
+sonar.projectVersion=1.0
+
+# Sources - scan everything in src/
+sonar.sources=src
+
+# Exclude only node_modules, migrations and build artifacts
+sonar.exclusions=**/node_modules/**,**/migrations/**,**/__pycache__/**,**/venv/**,**/.venv/**,**/htmlcov/**,**/staticfiles/**,**/*.pyc,**/email/**,**/dist/**
+
+# Python settings
+sonar.python.version=3.12
+sonar.sourceEncoding=UTF-8
+
+# JavaScript/TypeScript settings
+sonar.javascript.node.maxspace=4096