Python

All Qodana linters are based on IDEs designed for particular programming languages and frameworks. To analyze Python projects, you can use the following linters:

Qodana for Python is based on PyCharm Professional and licensed under the Ultimate and Ultimate Plus licenses,
Qodana Community for Python is based on PyCharm Community and licensed under the Community license.

To see the list of supported features, you can navigate to the Supported technologies and features section.

Before your start

If your project has external pip dependencies, set them up using the bootstrap key in the qodana.yaml file. For example, if your project dependencies are specified by the requirements.txt file in your project root, in the configuration file add the following line:

bootstrap: pip install -r requirements.txt

Run Qodana

JetBrains IDEs

You can run Qodana in PyCharm and send inspection reports to Qodana Cloud for storage and analysis purposes.

In PyCharm, navigate to Tools | Qodana | Try Code Analysis with Qodana.

On the Run Qodana dialog, you can configure Qodana.

Configuring Qodana in the Run Qodana dialog

This dialog contains the following components:

Name	Description
The `qodana.yaml` file	In the text field, you can set up code analysis used by Qodana in this file. You can learn more about available configuration options
The Send inspection results to Qodana Cloud option	If you want to send reports to Qodana Cloud, you can check this option and paste the project token generated in Qodana Cloud
The Save qodana.yaml in project root option	By checking this option, you can save the Qodana configuration made on this dialog to the `qodana.yaml` file in the project root of your project
The Use Qodana analysis baseline option	Using the baseline feature, you can skip analysis for specific problems

Click Run for analyzing your code.

On the Server-Side Analysis tab of the Problems tool window, see the inspection results.

CI/CD

Before running Qodana, create a Qodana Cloud account. In Qodana Cloud, generate a project token that will be used by Qodana for identifying and verifying a license. In Qodana Cloud, you can review inspection reports.

You can run Qodana using the Qodana Scan GitHub action as shown below.

On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value.
On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.
To inspect the main and master branches, as well as release branches and the pull requests coming to your repository, save this workflow configuration to the .github/workflows/code_quality.yml file:
name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - master # The 'master' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2024.1 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

More configuration examples are available in the GitHub Actions section.

Make sure that these plugins are installed on your Jenkins instance:

Docker and Docker Pipeline are required for running Docker images,
git is required for git operations in Jenkins projects.

Make sure that Docker is installed and accessible by Jenkins.

If applicable, make sure that Docker is accessible by the jenkins user as described in the Manage Docker as a non-root user section of the Docker documentation.

Create a Multibranch Pipeline project as described on the Jenkins documentation portal.

In the root directory of your project repository, create the Jenkinsfile.

Save this snippet to the Jenkinsfile:

pipeline {
    environment {
        QODANA_TOKEN=credentials('qodana-token')
    }
    agent {
        docker {
            args '''
              -v "${WORKSPACE}":/data/project
              --entrypoint=""
              '''
            image 'jetbrains/qodana-python<-community>:2024.2-eap'
        }
    }
    stages {
        stage('Qodana') {
            steps {
                sh '''qodana'''
            }
        }
    }
}

Make sure that your project repository is accessible by GitLab CI/CD.

In the root directory of your project, create the .gitlab-ci.yml file and save this configuration in it:

qodana:
   image:
      name: jetbrains/qodana-python<-community>:2024.2-eap
      entrypoint: [""]
   cache:
      - key: qodana-2024.1-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG
        fallback_keys:
           - qodana-2024.1-$CI_DEFAULT_BRANCH-
           - qodana-2024.1-
        paths:
           - .qodana/cache
   variables:
      QODANA_TOKEN: $qodana_token
   script:
      - qodana --cache-dir=$CI_PROJECT_DIR/.qodana/cache

In this snippet:

The cache keyword configures GitLab CI/CD caches to store the Qodana cache, so subsequent runs will be faster,
The script keyword runs the qodana command and enumerates the Qodana configuration options described in the Shell commands section,
The variables keyword defines the QODANA_TOKEN variable referring to the project token.

Assuming that you have already created your project and build configuration, follow the steps below.

In the TeamCity UI, navigate to the configuration page of a build where you would like to run Qodana.
On the Build Configuration Settings page, navigate to the Build steps page.
On the Build steps page, click the Add build step button.
On the page that opens, select the Qodana runner.
On the New Build Step: Qodana page, click Show advanced options and configure the Qodana runner:
- Step name uniquely identifies this step among other build steps.
- Step ID uniquely identifies this step among other build steps.
- Execute step configures the build condition that will trigger this build step.
- Working directory sets the directory for the build process, see the TeamCity documentation for details. You can leave this field empty if the Checkout directory parameter is specified on the Version Control Settings tab.
- Report ID uniquely identifies the report to let you distinguish between multiple reports when several inspection steps are configured within a single build.
- The Forward reports to TeamCity tests checkbox configures Qodana report availability in the Test tab of the TeamCity UI. Using this option, you can view codebase problems along with other problems detected.
- Linter configures the Qodana linter.
- Version is by default set to Latest.
- Inspection profile defines an inspection profile:
  - Recommended (default) is one of the default profiles.
  - Embedded profile lets you select a default profile, see the Existing Qodana profiles section for details.
  - Path to the IntelliJ profile lets you specify the path to your custom profile. To use this option, make sure that you also configure the custom profile in the qodana.yaml file.
- Cloud Token configures a project token generated in Qodana Cloud.
- Additional Docker arguments configures the arguments accepted by a Docker image, see the Shell commands section for details.
- Additional Qodana arguments lets you extend the default Qodana functionality, see the Options section for details.
Click the Save button.

Command line

You have two options to run Qodana locally: you can either run Qodana CLI or directly use the Docker image of Qodana. As Qodana linters are distributed in Docker containers, Docker needs to be installed on your local machine.
If you are using Linux, you should be able to run Docker under your current non-root user, check the installation page for details.

Here are the examples of how you can run Qodana locally.

            qodana scan \
               -e QODANA_TOKEN="<cloud-project-token>" \
               -l jetbrains/qodana-python<-community>:2024.2-eap
        

Here, the QODANA_TOKEN variable refers to the project token.

If you omit the -l option, the Qodana for Python linter will run by default.

To start, pull the image from Docker Hub (only necessary to get the latest version):

docker pull jetbrains/qodana-python<-community>:2024.2-eap

Start local analysis with source-directory pointing to the root of your project and QODANA_TOKEN referring to the project token:

            docker run \
               -v <source-directory>/:/data/project/ \
               -e QODANA_TOKEN="<cloud-project-token>" \
               jetbrains/qodana-python<-community>:2024.2-eap
        

In your browser, open Qodana Cloud to examine analysis results and reconfigure the analysis, see the Inspection report section for details.

Explore analysis results

JetBrains IDEs

You can load the latest Qodana report from Qodana Cloud to your IDE as explained below.

In your IDE, navigate to Tools | Qodana | Log in to Qodana.
In the Settings dialog, click Log in.
This will redirect you to the authentication page.
Select the Qodana Cloud project to link your local project with.
If you check the Always load most relevant Qodana report option, you will be able to receive the most actual and relevant reports from Qodana Cloud.
In this case, the IDE will search and fetch from Qodana Cloud the report that has the revision ID corresponding to the current revision ID (HEAD). If this report was not found, the IDE will select the previous report with the revision closest to the current revision ID (HEAD). Otherwise, the IDE retrieves the latest available report from Qodana Cloud.
On the Server-Side Analysis tab of the Problems tool window, view analysis results.

Qodana Cloud

Once Qodana analyzed your project and uploaded the analysis results to Qodana Cloud, in Qodana Cloud navigate to your project and review the analysis results report.

To learn more about Qodana report UI, see the Inspection report section.

Extend Qodana configuration

Adjusting the scope of analysis

Out of the box, Qodana provides two predefined profiles hosted on GitHub:

qodana.starter is the default profile and a subset of the more comprehensive qodana.recommended profile,
qodana.recommended is suitable for running in CI/CD pipelines and mostly implements the default PyCharm profile, see the PyCharm documentation for details.

You can customize Qodana profiles using configurations in YAML and XML formats. To learn more about configuration basics, visit the Configure Qodana your way section.

Enabling the baseline

You can skip analysis for specific problems using the baseline feature. Information about a baseline is contained in a SARIF-formatted file.

JetBrains IDEs

In your IDE, navigate to the Problems tool window.
In the Problems tool window, click the Server-Side Analysis tab.
On the Server-Side Analysis tab, click the Try Locally button.
On the dialog that opens, expand the Advanced configuration section and specify the path to the baseline file, and then click Run.

CI/CD

This snippet contains the args: --baseline,qodana.sarif.json line that specifies the path to the SARIF-formatted baseline file:

    name: Qodana
    on:
      workflow_dispatch:
      pull_request:
      push:
        branches: # Specify your branches here
          - main # The 'main' branch
          - master # The 'master' branch
          - 'releases/*' # The release branches
    jobs:
      qodana:
        runs-on: ubuntu-latest
        permissions:
          contents: write
          pull-requests: write
          checks: write
        steps:
          - uses: actions/checkout@v3
            with:
              ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
              fetch-depth: 0  # a full history is required for pull request analysis
          - name: 'Qodana Scan'
            uses: JetBrains/qodana-action@v2024.1
            with:
              args: --baseline,qodana.sarif.json
            env:
              QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

The stages block contains the --baseline <path/to/qodana.sarif.json> line that specifies the path to the SARIF-formatted baseline file:

pipeline {
    environment {
        QODANA_TOKEN=credentials('qodana-token')
    }
    agent {
        docker {
            args '''
              -v "${WORKSPACE}":/data/project
              --entrypoint=""
              '''
            image 'jetbrains/qodana-python<-community>:2024.2-eap'
        }
    }
    stages {
        stage('Qodana') {
            steps {
                sh '''
                qodana \
                --baseline <path/to/qodana.sarif.json>
                '''
            }
        }
    }
}

You can use the --baseline <path/to/qodana.sarif.json> line in the script block to invoke the baseline feature.

qodana:
   image:
      name: jetbrains/qodana-python<-community>:2024.2-eap
      entrypoint: [""]
   cache:
      - key: qodana-2024.1-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG
        fallback_keys:
           - qodana-2024.1-$CI_DEFAULT_BRANCH-
           - qodana-2024.1-
        paths:
           - .qodana/cache
   variables:
      QODANA_TOKEN: $qodana_token           - 
   script:
      - qodana --baseline <path/to/qodana.sarif.json> --results-dir=$CI_PROJECT_DIR/.qodana/results
         --cache-dir=$CI_PROJECT_DIR/.qodana/cache
   artifacts:
      paths:
         - qodana/report/
      expose_as: 'Qodana report'

Using the Additional Qodana arguments field of the Qodana runner configuration, you can configure the baseline feature by adding the --baseline <path/to/qodana.sarif.json> option.

Command line

In these snippets, the --baseline option configures the path to the SARIF-formatted file containin a baseline:

            qodana scan \
               -v <path_to_baseline>:/data/base/ \
               -e QODANA_TOKEN="<cloud-project-token>" \
               -l jetbrains/qodana-python<-community>:2024.2-eap \
               --baseline /data/base/qodana.sarif.json
        

            docker run \
               -v <source-directory>/:/data/project/ \
               -v <path_to_baseline>:/data/base/ \
               -e QODANA_TOKEN="<cloud-project-token>" \
               jetbrains/qodana-python<-community>:2024.2-eap \
               --baseline /data/base/qodana.sarif.json
        

Enabling the quality gate

You can configure quality gates for the total number of project problems and specific problem severities in both linters, and code coverage thresholds available only in the Qodana for Python linter, by saving this snippet to the qodana.yaml file:

failureConditions:
  severityThresholds:
    any: 50 # Total number of problems in all severities
    critical: 1 # Severities
    high: 2
    moderate: 3
    low: 4
    info: 5
  testCoverageThresholds:
    fresh: 6 # Fresh code coverage
    total: 7 # Total percentage

Analyzing pull requests

CI/CD

On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value.
On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.
Add this snippet to the .github/workflows/code_quality.yml file:
name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2024.1 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

In the root directory of your project, save the .gitlab-ci.yml file containing the following snippet:

            qodana:
   image:
      name: jetbrains/qodana-python<-community>:2024.2-eap
      entrypoint: [""]
   cache:
      - key: qodana-2024.1-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG
        fallback_keys:
           - qodana-2024.1-$CI_DEFAULT_BRANCH-
           - qodana-2024.1-
        paths:
           - .qodana/cache
   variables:
      QODANA_TOKEN: $qodana_token
    script:
      - >
        qodana --diff-start=$CI_MERGE_REQUEST_TARGET_BRANCH_SHA \
          --results-dir=$CI_PROJECT_DIR/.qodana/results \
          --cache-dir=$CI_PROJECT_DIR/.qodana/cache
   artifacts:
      paths:
         - .qodana/results
      expose_as: 'Qodana report'

Here, the --diff-start option specifies a hash of the commit that will act as a base for comparison.

Information about configuring TeamCity for analyzing pull and merge requests is available on the TeamCity documentation portal.

Command line

To analyze changes in your code, employ the --diff-start option and specify a hash of the commit that will act as a base for comparison:

    docker run \
       -v $(pwd):/data/project/ \
       -e QODANA_TOKEN="<cloud-project-token>" \
       jetbrains/qodana-python<-community>:2024.2-eap \
       --diff-start=<GIT_START_HASH>

Supported technologies and features

This table contains the list of technologies supported by both linters.

Programming languages	Python
Frameworks and libraries	Django Google App Engine Jupyter Pyramid
Databases and ORM	MongoDB MySQL Oracle PostgreSQL SQL SQL Server
Markup languages	CSS HTML JSON and JSON5 RELAX NG XML YAML
Scripting languages	Shell script

Here is the list of Qodana features supported per each linter.

Feature	Qodana Community for Python	Qodana for Python
Baseline	✔	✔
Quality gate	✔	✔
Code coverage		✔
License audit		✔
Quick-fix		✔
Vulnerability checker		✔

Last modified: 24 July 2024