Reporting
Formats
In addition to the CLI output, detekt supports 4 different types of output reporting formats. You can refer to CLI or Gradle to find out how to configure these report formats.
HTML
HTML is a human-readable format that can be opened in a browser. It includes different metrics and complexity reports of this run, in addition to the findings with detailed descriptions and report. Check out the example:
XML
XML is a machine-readable format that can be integrated with CI tools. It is compatible with Checkstyle output.
SARIF
SARIF is a standard format for the output of static analysis tools. It is a JSON format with a defined schema. It is currently supported by GitHub Code Scanning, and we expect more consuming tools will adopt this format in the future.
MD
Markdown is a lightweight markup language for creating formatted text using a plain-text editor. The output structure looks similar to HTML format. About markdown on GitHub.
Relative path
In a shared codebase, it is often required to use relative paths so that all developers and tooling have a consistent view. This can be enabled with the CLI option --base-path or in Gradle as follows:
Kotlin DSL
detekt {
    basePath.set(projectDir)
}
Groovy DSL
detekt {
    basePath = projectDir
}
Note that this option only affects file paths in those formats for machine consumers, namely XML and SARIF.
Merging reports
Gradle 7.4 or higher is required. Earlier Gradle versions prevent tasks from running if they depend on a failing task, so merge tasks will not run if detekt finds issues.
The machine-readable report formats support report merging. The Detekt Gradle Plugin is not opinionated about how merging is set up and respects each project's build logic, especially since merging makes the most sense in a multi-module project. In this spirit, only Gradle tasks are provided.
At the moment, merging XML and SARIF reports is supported. You can refer to the sample build script below and run ./gradlew detekt reportMerge --continue to execute detekt tasks and merge the corresponding reports.
Groovy DSL
tasks.register("reportMerge", io.gitlab.arturbosch.detekt.report.ReportMergeTask) {
    output = project.layout.buildDirectory.file("reports/detekt/merge.xml") // or "reports/detekt/merge.sarif"
}
subprojects {
    detekt {
        reports.xml.required.set(true)
        // reports.sarif.required.set(true)
    }
    reportMerge.configure {
        input.from(tasks.withType(io.gitlab.arturbosch.detekt.Detekt).collect { it.reports.xml.outputLocation }) // or sarif.outputLocation
    }
}
Kotlin DSL
val reportMerge by tasks.registering(io.gitlab.arturbosch.detekt.report.ReportMergeTask::class) {
    output.set(rootProject.layout.buildDirectory.file("reports/detekt/merge.xml")) // or "reports/detekt/merge.sarif"
}
subprojects {
    detekt {
        reports.xml.required.set(true)
        // reports.sarif.required.set(true)
    }
    reportMerge {
        input.from(tasks.withType<io.gitlab.arturbosch.detekt.Detekt>().map { it.reports.xml.outputLocation }) // or sarif.outputLocation
    }
}
Integration with GitHub Code Scanning
If your repository is hosted on GitHub, you can enable SARIF output in your repository. You can follow the official documentation.
To change the severity level that fails your GitHub Action build, configure it in GitHub Settings.
You can follow the example below as a quick start:
jobs:
  without-type-resolution:
    runs-on: ubuntu-latest
    env:
      GRADLE_OPTS: -Dorg.gradle.daemon=false
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Setup Java
        uses: actions/setup-java@v3
        with:
          # setup-java v3 requires a distribution; temurin is an assumption, use the one your project builds with.
          distribution: temurin
          java-version: 11
      - name: Run detekt
        run: ./gradlew detekt
      # Make sure we always run this upload task,
      # because the previous step may fail if there are findings.
      - name: Upload SARIF to GitHub using the upload-sarif action
        uses: github/codeql-action/upload-sarif@v2
        if: success() || failure()
        with:
          sarif_file: build/reports/detekt/detekt.sarif
Note: you'll have to set Detekt.basePath on each Detekt Gradle task, so that GitHub knows where the repository is to place annotations correctly.
basePath = rootProject.projectDir.absolutePath
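A pre-upload check for the relative-path requirement described under "Relative path" and in the note above, as an added example that is not part of the detekt documentation or project. It walks a SARIF report and flags result locations that are absolute or escape the repository root; the script name, the helper names and the sample reports are constructed for illustration.

```python
import json
import re
import sys
from urllib.parse import urlparse

_WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def is_repo_relative(uri: str) -> bool:
    """True if uri is a relative path that stays inside the repository root."""
    if not uri or _WINDOWS_DRIVE.match(uri) or uri.startswith(("/", "\\")):
        return False
    if urlparse(uri).scheme:  # e.g. file:///home/... or https://...
        return False
    return ".." not in re.split(r"[\\/]", uri)


def offending_uris(sarif: dict) -> list:
    """Collect every result location whose URI is not repository-relative."""
    bad = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                artifact = loc.get("physicalLocation", {}).get("artifactLocation", {})
                uri = artifact.get("uri", "")
                if not is_repo_relative(uri):
                    bad.append(uri)
    return bad


def _report(*uris):
    """Build a minimal constructed SARIF document with one result per URI."""
    results = [{"ruleId": "constructed.ExampleRule",
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": u}}}]}
               for u in uris]
    return {"version": "2.1.0", "runs": [{"results": results}]}


# Constructed samples, not real detekt output.
SAMPLE_WITH_BASE_PATH = _report("app/src/main/kotlin/Foo.kt")
SAMPLE_WITHOUT_BASE_PATH = _report("file:///home/ci/work/app/src/main/kotlin/Foo.kt",
                                   "C:\\agent\\app\\src\\Bar.kt")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sarif_paths.py build/reports/detekt/detekt.sarif")
    with open(sys.argv[1], encoding="utf-8") as fh:
        bad = offending_uris(json.load(fh))
    for uri in bad:
        print(f"not repository-relative: {uri}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

Run as a CI step between the detekt task and the SARIF upload, a non-zero exit indicates that basePath was not applied to at least one task and that the report would expose build-machine paths.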