External analyzer reports

Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarQube can integrate the results from many of these external analyzers. This lets you see this information alongside the other SonarQube metrics and allows the external results to be taken into account when calculating quality gate status.

The sections below explain, for each language, how to set up, for your project, the import of issue reports generated by external analyzers that integrate with SonarQube. To do so, you must define in SonarQube the paths to the import files. This can be done in the UI (except for the C family and Go analyzers) or by defining an analysis parameter on the CI/CD host.

See also Analysis parameters.

Limitations

External analyzer report integration is only available for CI-based analysis. It is not available for automatic analysis.

The external issues will be taken into account by SonarQube in the analysis report and users will be able to resolve an external issue the same way as an internal issue.

But external issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube. External rules are not visible on the Rules page or reflected in any quality profile.

List of supported analyzers

The table below lists the third-party analyzers that integrate with SonarQube Cloud.

Ansible

You can integrate the following Ansible analyzer with SonarQube: ansible-lint.

To setup the import of issues generated by ansible-lint:

1. Set up the generation of the reports by ansible-lint in SARIF format and their storing in dedicated import directory(ies). To do so, use the --sarif-file ansible-lint option.

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Ansible.

   3. In Android Lint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute. You can use path-matching patterns (see Defining matching patterns #Defining matching patterns for files).

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.ansible.ansible-lint.reportPaths .

Apex

You can integrate the following Apex analyzer with SonarQube: PMD. Note that the format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD.

To setup the import of issues generated by PMD:

1. Set up the generation of the reports by PMD and their storing in dedicated import directory(ies).

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Apex.

   3. In PMD Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.apex.pmd.reportPaths .

CloudFormation

You can integrate the following Cloudformation analyzer with SonarQube: AWS CloudFormation Linter.

To setup the import of issues generated by AWS CloudFormation Linter:

1. Set up the generation of the reports by AWS CloudFormation Linter in JSON format and their storing in a dedicated import directory(ies).

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > CloudFormation.

   3. In Cfn-Lint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.cloudformation.cfn-lint.reportPaths .

C/C++/Objective-C

You can integrate the following C/C++/Objective-C analyzers with SonarQube: Valgrind Memcheck and Valgrind Helgrind.

To setup the import of issues generated by Valgrind Memcheck or Helgrind:

1. Set up the generation of the reports by Valgrind Memcheck or Helgrind in XML format and their storing in dedicated import directory(ies). To do so, use the Valgrind's XML output facility (--xml=yes).

2. Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.cfamily.valgrind.reportsPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

C#

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

CSS

You can integrate the following CSS analyzer with SonarQube: Stylelint.

To setup the import of issues generated by Stylelint:

1. Set up the generation of the reports by Stylelint and their storing in dedicated import directory(ies). Command example:

stylelint src/*.css --config stylelintconfig.json -f json > stylelint-report.json

1. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > CSS.

   3. In Stylelint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.css.stylelint.reportPaths.

Docker

You can integrate the following Docker analyzers with SonarQube: Hadolint.

To setup the import of issues generated by Hadolint:

1. Set up the generation of the reports by Hadolint in JSON or SonarQube format, and their storing in dedicated import directory(ies).

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Docker.

   3. In Hadolint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.docker.hadolint.reportPaths .

Go

You can integrate the following Go analyzers with SonarQube: Govet, GoLint, GoMetaLinter, golanci-lint, and gosec.

go vet 2> govet-report.out

golint > golint-report.out

gometalinter > gometalinter-report.out

Java

You can integrate the following Java analyzers with SonarQube: SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle. The setup differs depending on whether you use Maven or not.

<plugin>
<groupId>org.apache.maven.plugins</groupId>
   <artifactId>maven-pmd-plugin</artifactId>
   <version> 3.10 . 0 </version>
</plugin>
<plugin>
   <groupId>com.github.spotbugs</groupId>
   <artifactId>spotbugs-maven-plugin</artifactId>
   <version> 3.1 . 1 </version>
   <configuration>
     <effort>Max</effort>
     <threshold>Low</threshold>
     <failOnError> true </failOnError>
     <includeFilterFile>${session.executionRootDirectory}/spotbugs-include.xml</includeFilterFile>
     <plugins>
       <plugin>
         <groupId>com.h3xstream.findsecbugs</groupId>
         <artifactId>findsecbugs-plugin</artifactId>
         <version>LATEST</version> <!-- Auto-update to the latest stable -->
       </plugin>
     </plugins>
   </configuration>
</plugin>

<properties>
<sonar.java.spotbugs.reportPaths>./target/spotbugsXml.xml</sonar.java.spotbugs.reportPaths>
  <sonar.java.pmd.reportPaths>./target/pmd.xml</sonar.java.pmd.reportPaths>`
  <sonar.java.checkstyle.reportPaths>./target/checkstyle-result.xml</sonar.java.checkstyle.reportPaths>
</properties>

mvn clean package spotbugs:spotbugs pmd:pmd checkstyle:checkstyle sonar:sonar

JavaScript/TypeScript

ou can integrate the following JavaScript/TypeScript analyzer with SonarQube: ESLint.

To setup the import of issues generated by ESLint:

1. Set up the generation of the reports by ESLint in JSON format, and their storing in dedicated import directory(ies). Command example:

eslint ./ -f json > eslint-report.json

1. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > JavaScript/TypeScript.

   3. In ESLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.eslint.reportPaths.

Kotlin

You can integrate the following Kotlin analyzers with SonarQube: AndroidLint, Detekt, and Ktlint.

gradle lint or $ANDROID_HOME/tools/bin/lint --xml lint-results.xml path/to/project 

java -jar path/to/detekt-cli-1.0.0.RC7-3-all.jar -i path/to/project -o path/to/report-directory 

PHP

You can integrate the following PHP analyzers with SonarQube: Psalm and PHPStan.

Python

You can integrate the following Python analyzers with SonarQube: Pylint, Bandit, Flake8, Mypy, and Ruff.

pylint <module_or_package> -r n  --output-format=parseable --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > <report_file> 

bandit --format json --output bandit-report.json --recursive /path/to/your/python/project

Ruby

You can integrate the following Ruby analyzer with SonarQube: Rubocop.

To setup the import of issues generated by Rubocop:

1. Set up the generation of the reports by Rubocop, and their storing in dedicated import directory(ies). Command example:

rubocop --format json --out rubocop-report.json

1. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Ruby.

   3. In RuboCop Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.ruby.rubocop.reportPaths.

Scala

You can integrate the following Scala analyzers with SonarQube: Scalastyle and Scapegoat.

To setup the import of issues generated by Scalastyle or Scapegoat:

1. Set up the generation of the reports in the Scalastyle format for both Scalastyle and Scapegoat. Setup also the storing of the generated report files in dedicated import directory(ies).

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Scala.

   3. In the corresponding field (Scalastyle Report Files or Scapegoat Report Files), enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the corresponding analysis parameter:

   • For Scalastyle : sonar.scala.scalastyle.reportPaths.

   • For Scapegoat: sonar.scala.scapegoat.reportPaths.

Swift

You can integrate the following Swift analyzer with SonarQube: Swiftlint.

To setup the import of issues generated by Swiftlint:

1. Set up the generation of the reports by Swiftlint in JSON format, and their storing in dedicated import directory(ies). Command example:

swiftlint lint --reporter json > swiftlint.json

1. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Swift.

   3. In SwiftLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.swift.swiftLint.reportPaths.

Terraform

You can integrate the following Terraform analyzer with SonarQube: TFLint.

To setup the import of issues generated by TFLint:

1. Set up the generation of the reports by TFLint, and their storing in dedicated import directory(ies).

2. Set up the import of the generated report files by SonarQube Cloud:

   1. Retrieve your SonarQube Cloud project. For more details, see Retrieving projects.

   2. Go to Administration > General Settings > External Analyzers > Terraform.

   3. In TFLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

   4. Save.

   Alternatively, define on the CI/CD host the analysis parameter sonar.terraform.tflint.reportPaths.

VB.NET

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.