Analysis parameters

Most project analysis settings can be configured in three different places: in the UI, in a configuration file, or on the command line. In most cases, the UI shows the descriptions of those properties and is the best place to set them when possible. Only parameters set through the UI are reused for subsequent analyses, and the scanner reads parameters from these places according to a defined hierarchy.

Diagram showing settings hierarchy.


Setting configuration in the SonarCloud UI

Many analysis parameters can be configured in the SonarCloud UI itself. These can be found under Your Organization > Your Project > Administration > General Settings.

Setting configuration in a file

Analysis parameters can also be set in a configuration file within your project. The file used depends on your setup:

Setting configuration on the command line

For CI-based analysis (not automatic analysis), parameters can also be set on the command line using the -D option indicator when launching an analysis. This can be done with the standalone command-line tool sonar-scanner, as well as with any of the build-tool-specific variants like SonarScanner for Maven and SonarScanner for Gradle.

Settings stored in database

Only parameters set through the UI are stored in the database. For example, if you override the sonar.exclusions parameter via the command line for a specific project, it will not be stored in the database. Subsequent analyses, or analyses in SonarLint with Connected Mode, would still be executed with the exclusions defined in the UI and therefore stored in the database.

Most of the property keys shown in the UI at both global and project levels can also be set as analysis parameters, but the parameters listed below can only be set at analysis time.

For language-specific parameters related to test coverage and execution, see the documentation on Test coverage. For language-specific parameters related to external issue reports, see the page about External analyzer reports.

Mandatory parameters

This section lists analysis parameters (sonar properties) that, during a project analysis, cannot be set in the UI and are mandatory. It means that they must be set on the CI/CD host. The following default values are indicated for a parameter when applicable:

  • Default from build: It indicates from which build system(s) the scanner can read a default value for the sonar property. The build property used as the default value is not indicated: see the corresponding scanner section for more information.
  • Default: This value applies if the property was neither defined on the CI/CD host nor in the UI. 

In addition, if the analysis parameter can be set through an environment variable, the variable name is indicated.

Authentication to the server

sonar.token

Environment variable: SONAR_TOKEN (not supported by SonarScanner for .NET)

Token used by the scanner to authenticate to the SonarCloud server. The corresponding SonarCloud user must have the Execute Analysis permission on the project.

Note: Replaces the sonar.login and sonar.password properties, which are deprecated.

Recommendation: It is recommended not to write passwords or authentication tokens in files and not to pass them as parameters on the command line.

Server connection

sonar.host.url

Environment variable: SONAR_HOST_URL

The URL of the SonarCloud server. No need to define when using SonarCloud with the SonarScanners CLI from v6.0, .NET from v7.0, and NPM from v4.0.

Default: https://sonarcloud.io

Project identification

sonar.projectKey

The project's unique key. Can include up to 400 characters. All letters, digits, dash, underscore, periods, and colons are accepted.

Default from build: Maven, Gradle

sonar.organization

The key of the organization to which the project belongs.

Optional Parameters

This section lists analysis parameters (sonar properties) that, during a project analysis, cannot be set in the UI (or, like the sonar.projectName, cannot be changed in the UI) and are optional. It means that they can only be set on the CI/CD host. The following default values are indicated for a parameter when applicable:

  • Default from build: It indicates from which build system(s) the scanner can read a default value for the sonar property. The build property used as the default value is not indicated: see the corresponding scanner section for more information.
  • Default: This value applies if the property was neither defined on the CI/CD host nor in the UI. 

In addition, if the analysis parameter can be set through an environment variable, the variable name is indicated.

Project information

sonar.projectName

Name of the project that will be displayed on the web interface.

Notes:

  • Is set in the UI if the project is manually created in SonarCloud (cannot be changed in the UI).
  • If passed in the command line, will only be read by the scanner if the command applies to the main branch.
  • White space is allowed.

Default from build: Maven

sonar.projectVersion

The project version. Is mandatory in case you use the new code definition based on the previous version.

Note: Do not use your build number as the project version because:

  • This would overload the SonarQube database (Housekeeping would not apply to the analysis snapshots because they would be marked by the project version change event).
  • This would prevent a correct application of the new code definition based on the previous project version since the build version usually changes much more often than the project release version.

Default from build: Maven, Gradle

Analysis scope

See also Analysis scope.

sonar.sources

The analysis baseline for main source code (non-test code) in the project.

Possible values: Comma-separated paths to files or directories. An individual file in the list means that the file is included. A directory in the list means that all analyzable files and directories recursively below it are included. The path can be relative (to the sonar.projectBaseDir property) or absolute. Wildcards (*, ** and ?) are not allowed.

Default from build: Maven, Gradle, .NET

Default: The value of the sonar.projectBaseDir property.

sonar.tests

The analysis baseline for test code in the project.

Possible values: See sonar.sources above.

Note: If this property is not defined, no code will be analyzed as test code as there is no default value.

Default from build: Maven, Gradle, .NET

sonar.projectBaseDir

The project’s base directory. Use this property when you need the analysis to take place in a directory other than the one from which it was started. For example, the analysis starts from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1.

Possible values: The path may be relative (to the directory from which the analysis was started) or absolute. Specify not the source directory, but some ancestor of the source directory. The value specified here becomes the new "analysis directory", and other paths are then specified as though the analysis were starting from that specified value.

Note: The analysis process will need Write permissions in this directory; it is where the sonar.working.directory will be created by default.

Default from build: Maven, Gradle, .NET

Default: The directory from which the analysis was started.

sonar.scm.exclusions.disabled

For supported SCMs, defines whether files ignored by the SCM, e.g., files listed in .gitignore, will be excluded from the analysis or not.

Possible values:

  • true: exclusion disabled
  • false: exclusion enabled

Default: false

sonar.filesize.limit

Sets the limit in MB for files to be discarded from the analysis scope if the size is greater than specified.

Note: The sonar.javascript.maxFileSize property (default: 1000 KB) discards JavaScript and TypeScript files from the analysis scope if the file size is greater than specified (this parameter can be set in the UI).

Default: 20

Duplication check

sonar.cpd.<language>.minimumtokens

Is used for non-Java projects to define the duplication check rule: a piece of code is considered duplicated if sonar.cpd.<language>.minimumtokens identical tokens are found across at least sonar.cpd.<language>.minimumLines lines of code.

Note: For Java projects, a piece of code is considered duplicated when there is a series of at least 10 statements in a row, regardless of the number of tokens and lines. This threshold cannot be overridden.

Default: 100

sonar.cpd.<language>.minimumLines

Is used for non-Java projects to define the duplication check rule: see above.

Default: 10

Analysis logging

sonar.log.level

Controls the quantity/level of logs produced during an analysis.

Possible values: From least to most verbose:

  • INFO
  • DEBUG
  • TRACE: like DEBUG with possible additional information output by plugins or libraries used by the scanner.

Default: INFO

sonar.verbose

Possible values:

  • true: adds more details to the analysis logs by activating the DEBUG mode for the scanner.
  • false

Note: There is the potential for this setting to expose sensitive information such as passwords if they are stored as server-side environment variables.

Default: false

sonar.scanner.dumpToFile

Outputs to the specified file the full list of properties passed to the scanner API as a means to debug analysis. The equivalent output is available in Your Project > Project Settings > Background Tasks > 3-dots menu > Show SonarScanner Context.

Possible values: path to the output file name

Note: If the analysis report fails, the list is not generated and there won't be anything available on the server.

sonar.scanner.metadataFilePath

Sets the location where the scanner writes the report-task.txt file containing, among other things, the ceTaskId.

Default: The value of sonar.working.directory.

Quality gate

sonar.qualitygate.wait

Forces the analysis step to poll the server instance and wait for the Quality Gate status. If there are no other options, you can use this to fail a pipeline build when the Quality Gate is failing.

Possible values: true or false

Default: false

sonar.qualitygate.timeout

The number of seconds that the scanner should wait for a report to be processed.

Default: 300

Import of external issues

sonar.externalIssuesReportPaths

Comma-delimited list of paths to generic issue reports. See the full list on the External Analyzer Reports page.

sonar.links.ci

The URL of the continuous integration system used.

Default from build: Maven

sonar.links.homepage

The URL of the build project home page.

Default from build: Maven

sonar.links.issue

The URL to the issue tracker being used.

Default from build: Maven

sonar.links.scm

The URL of the build project source code repository.

Default from build: Maven

JRE auto-provisioning

See also JRE auto-provisioning.

JRE auto-provisioning is available only for these SonarScanners:

  • SonarScanner CLI from v6.0
  • SonarScanner for .NET from v7.0
  • SonarScanner for NPM from v4.0

Here are their parameters and environment variables:

Property key

Environment variable

Description

sonar.scanner.os

Environment variable: SONAR_SCANNER_OS

The operating system of the machine hosting the SonarScanner. 

Default: the autodetected value

Possible values: windows, linux, macos, alpine.

sonar.scanner.arch

Environment variable: SONAR_SCANNER_ARCH

The CPU architecture type.

Default: the autodetected value

Possible values: x64, aarch64.

sonar.scanner.skipJreProvisioning

Environment variable: SONAR_SCANNER_SKIP_JRE_PROVISIONING

Defines whether the JRE auto-detection is disabled (true) or not (false).

Default: false

sonar.scanner.javaExePath

Environment variable: SONAR_SCANNER_JAVA_EXE_PATH

If defined, the SonarScanner will be run with this JRE.

Default: The provisioned JRE, or use java from your PATH if sonar.scanner.skipJreProvisioning=true.

Timeout

Property key

Description

sonar.scanner.connectTimeout

The time period to establish connections with the server (in seconds).

Default: 5

Supported by: SonarScanner CLI from v6.0, .NET from v7.0, and NPM from v4.0.

sonar.scanner.socketTimeout

The maximum time of inactivity between two data packets when exchanging data with the server (in seconds).

Default: 60

Supported by: SonarScanner CLI from v6.0, .NET from v7.0, and NPM from v4.0.

sonar.scanner.responseTimeout

The maximum time to wait for the response of a web service call (in seconds). Modifying this value from the default is useful only when you're experiencing timeouts during analysis while waiting for the server to respond to web service calls.

Default: 60

Supported by: SonarScanner CLI from v6.0, .NET from v7.0, and NPM from v4.0.

sonar.ws.timeout

Same as the sonar.scanner.responseTimeout.

Default: 60

Proxy

If the CI/CD host is behind a proxy, you’ll have to set up the connection to the proxy server by using the parameters below.

sonar.scanner.proxyHost

Environment variable: SONAR_SCANNER_PROXY_HOST

The host name of the proxy server (mandatory).

Example: mycompanyproxy.com

Supported only by SonarScanner CLI (from v6.0) and NPM (from v4.0).

sonar.scanner.proxyPort

Environment variable: SONAR_SCANNER_PROXY_PORT

The port of the proxy server.

Default:

  • If sonar.host.url starts with https: 443
  • Otherwise: 80

Supported only by SonarScanner CLI (from v6.0) and NPM (from v4.0).

sonar.scanner.proxyUser

Environment variable: SONAR_SCANNER_PROXY_USER

In case of an authenticated proxy: the user name.

Supported only by SonarScanner CLI (from v6.0) and NPM (from v4.0).

sonar.scanner.proxyPassword

Environment variable: SONAR_SCANNER_PROXY_PASSWORD

In case of an authenticated proxy: the user password.

Supported only by SonarScanner CLI (from v6.0) and NPM (from v4.0).

http.proxyHost or https.proxyHost

Same as sonar.scanner.proxy.

http.proxyPort

Same as sonar.scanner.proxyPort.

http.proxyUser

Same as sonar.scanner.proxyUser.

http.proxyPassword

Same as sonar.scanner.proxyPassword.

Branch analysis

The following parameters relate to branch analysis and are, in the main cases, only required when using a non-integrated CI. For detailed information on their use, see Branch analysis.

sonar.branch.name

The name of the branch to be analyzed.

sonar.branch.target

The name of the target branch of the branch to be analyzed.

Pull request analysis

The following parameters relate to Pull request analysis and are only required for manual projects. For detailed information on their use, see Pull request analysis.

sonar.pullrequest.key

This property is the unique identifier of your Pull Request. Must correspond to the key of the Pull Request in your DevOps platform.

Example: sonar.pullrequest.key=5

sonar.pullrequest.branch

This property is the name of the branch that contains the changes to be merged.

Example: sonar.pullrequest.branch=feature/my-new-feature

sonar.pullrequest.base

This property is the unique identifier of your Pull Request. Must correspond to the key of the Pull Request in your DevOps platform.

Example: sonar.pullrequest.base=main

Default: main branch

Other parameters

sonar.scm.revision

Overrides the revision, for instance, the Git sha1, displayed in analysis results.

Note: May be provided by the CI environment or guessed from the checked-out sources.

sonar.buildString

The string passed with this property will be stored with the analysis and available in the results of api/project_analyses/search, thus allowing you to later identify a specific analysis and obtain its ID for use with api/project_analyses/set_baseline.

sonar.sourceEncoding

Encoding of the source files. For example, UTF-8, MacRoman, Shift_JIS. The list of available encodings depends on your JVM.

Default from build: Maven, Gradle

Default: The system encoding

sonar.working.directory

Path to the working directory used by the Sonar scanner during a project analysis to store temporary data. This property is not compatible with the SonarScanner for .NET.

The path can be relative (to the sonar.projectBaseDir property) or absolute. It must be unique for each project.

Warning: The specified directory is deleted before each analysis.

Default from build: Maven, Gradle

Default: .sonar

sonar.scm.forceReloadAll

By default, blame information is only retrieved for changed files. Set this property to true to load blame information for all files, which may significantly increase analysis duration. This can be useful if you feel that some SCM data is outdated but SonarCloud does not get the latest information from the SCM engine. This analysis parameter should not be a permanent part of your analysis configuration.

Default: false

sonar.analysis.<key>=<value>

This property stub allows you to insert custom key/value pairs into the analysis context, which will also be passed forward to webhooks.

Example: sonar.analysis.buildNumber=12345

Note: Depending on the environment, using this property in the command line may not work.

sonar.userHome

Environment variable: SONAR_USER_HOME

The base directory for various locations, such as the user cache. It must be located inside the user home directory.

Default: ~/.sonar

sonar.scanner.javaOpts

Environment variable: SONAR_SCANNER_JAVA_OPTS

Since SonarScanner CLI 6.0.0, the scanner engine will be started as a separate Java process. This property is used to pass arguments to the JVM running the forked scanner engine process.

Can be used only with the SonarScanner CLI (from v6.0) and the SonarScanner for NPM (from v4.0).

Examples:

SONAR_SCANNER_JAVA_OPTS="-Xmx4g"

Or

SONAR_SCANNER_JAVA_OPTS="-Xmx512m"

Deprecated parameters

  • sonar.login
  • sonar.password
  • sonar.projectDate
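
As an added example (not part of the SonarCloud documentation), a pre-analysis check can apply this page's rules to a properties file and a scanner command line: credentials kept out of both (see "Authentication to the server"), the sonar.verbose note, the sonar.projectKey and sonar.sources/sonar.tests constraints, and the deprecated parameters listed above. The function names, messages and sample inputs are assumptions made for illustration.

```python
import re
import shlex

# Credential keys named on this page -> the environment variable to use instead.
SECRET_KEYS = {
    "sonar.token": "SONAR_TOKEN", "sonar.login": "SONAR_TOKEN",
    "sonar.password": "SONAR_TOKEN",
    "sonar.scanner.proxyPassword": "SONAR_SCANNER_PROXY_PASSWORD",
    "http.proxyPassword": "SONAR_SCANNER_PROXY_PASSWORD",
}
DEPRECATED_KEYS = {"sonar.login", "sonar.password", "sonar.projectDate"}
# Up to 400 letters, digits, dashes, underscores, periods, colons (ASCII assumed).
PROJECT_KEY_RE = re.compile(r"[A-Za-z0-9_.:-]{1,400}")

def parse_properties(text):
    """Read key=value lines; only the '=' separator is handled (simplification)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_cli(command):
    """Collect -Dkey=value definitions from a scanner command line."""
    args = (a[2:] for a in shlex.split(command) if a.startswith("-D") and "=" in a)
    return dict(a.split("=", 1) for a in args)

def audit(props, origin):
    """Return sorted findings for properties that came from a file or the CLI."""
    found = []
    for key in props:
        if key in SECRET_KEYS:
            found.append(f"{origin}: {key} is a credential; use {SECRET_KEYS[key]} instead")
        if key in DEPRECATED_KEYS:
            found.append(f"{origin}: {key} is deprecated")
    # sonar.verbose=true activates DEBUG mode, which may expose sensitive values.
    if props.get("sonar.verbose") == "true":
        found.append(f"{origin}: sonar.verbose=true may expose secrets in logs")
    key = props.get("sonar.projectKey")
    if key is not None and not PROJECT_KEY_RE.fullmatch(key):
        found.append(f"{origin}: sonar.projectKey is not a valid key")
    for scope in ("sonar.sources", "sonar.tests"):
        if re.search(r"[*?]", props.get(scope, "")):
            found.append(f"{origin}: wildcards are not allowed in {scope}")
    return sorted(found)

# Constructed sample inputs (not taken from the page).
SAMPLE_FILE = "sonar.projectKey=my org/app\nsonar.sources=src/**\nsonar.token=PLACEHOLDER\n"
SAMPLE_CLI = "sonar-scanner -Dsonar.login=PLACEHOLDER -Dsonar.verbose=true"

if __name__ == "__main__":
    print(*audit(parse_properties(SAMPLE_FILE), "file"), *audit(parse_cli(SAMPLE_CLI), "cli"), sep="\n")
```

Run as a step before the scanner, a non-empty result from audit() is a reason to stop the job before a token reaches a build log or a committed file.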
