# Parameters not settable in the UI
{% hint style="success" %}
To set your project's analysis parameters, see [configuration-overview](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters/configuration-overview "mention").
{% endhint %}
## Introduction
The sections below list the analysis parameters by category. Mandatory parameters are indicated in the tables and concern only the first three categories:
* [#authentication-to-server](#authentication-to-server "mention")
* [#server-connection](#server-connection "mention")
* [#project-identification](#project-identification "mention")
The following default values are indicated for a parameter when applicable:
* **Default from build**: It indicates from which build system(s) the scanner can read a default value for the sonar property. The build property used as the default value is not indicated: see the corresponding scanner section for more information.
* **Default**: This value applies if the property was neither defined on the CI/CD host nor in the UI.
In addition, if the analysis parameter can be set through an environment variable, the variable name is indicated.
{% hint style="info" %}
Sonar property keys are case-sensitive.
{% endhint %}
{% hint style="info" %}
If you are using the SonarScanner for .NET, the prefix required to pass a property depends on how you invoke the scanner. See [#passing-properties](https://docs.sonarsource.com/sonarqube-cloud/scanners/sonarscanner-for-dotnet/using#passing-properties "mention") for details.
{% endhint %}
## Authentication to the server
| Property key | Description |
|---|
sonar.token | Token used by the scanner to authenticate to the SonarQube Cloud. The corresponding SonarQube Cloud user must have the Execute Analysis permission on the project. This parameter is mandatory. Environment variable: SONAR_TOKEN (not supported by SonarScanner for .NET) Notes: - From the Team plan, it's recommended to use Scoped Organization Tokens (SOT): see scoped-organization-tokens. Otherwise, see managing-tokens.
- This property replaces
sonar.login and sonar.password properties which are deprecated.
Recommendation: It is recommended not to write passwords or authentication tokens in files and not to pass them as parameters in the command line. |
## Server connection
The necessary setup varies based on the SonarScanner version being used, distinguishing between newer and older versions. Older SonarScanners include:
* SonarScanner CLI versions prior to 6.0
* SonarScanner for Maven versions prior to 5.0
* SonarScanner for Gradle versions prior to 6.0
* SonarScanner for .NET versions prior to 7.0
* SonarScanner for NPM versions prior to 4.0
{% tabs %}
{% tab title="Newer SonarScanner" %}
The setup is different whether you use the US instance or not. For more information about the US region, see [getting-started-in-us-region](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region "mention").
If you don’t use the SonarQube Cloud’s US instance, no server connection setup is necessary.
If you use the US instance, you must set the `sonar.region` property to `us` on the CI/CD host as described in the table below. In that case, make sure you use at least the following scanner version:
* SonarScanner for Maven: 5.1
* SonarScanner for Gradle: 6.1
* SonarScanner for .NET: 10.2
* SonarScanner for NPM: 4.3
* SonarScanner CLI: 7.1
* SonarScanner CLI Docker image: 11.3
* SonarQube Scan GitHub Action: 5.1.0
* SonarCloud Scan Bitbucket Pipe: 4.1
* Azure DevOps extension for SonarQube Cloud: 3.2
And if you use CircleCI with our Orb, use at least Orb version 3.0.
| Property key | Description |
|---|
sonar.region | The SonarQube Cloud instance’s region in which your project is hosted. This parameter is only mandatory if you want to use the US instance. Environment variable: SONAR_REGION (Not supported yet by SonarScanner for .NET). Possible values: - empty (default value): EU instance
us: US instance (the value is case-insensitive)
Notes: - If you do not specify this property or the corresponding environment variable, the scanner will look for your project in the SonarQube Cloud EU instance.
- For SonarScanner for .NET, the command line argument is
/d:sonar.region=us. - For CircleCI users (whether you use our Orb or the SonarScanner CLI directly in your CircleCI), we recommend that you add the
SONAR_REGION environment variable to your CircleCI context.
|
{% hint style="warning" %}
It's not recommended to set the `sonar.host.url` property if you have a newer scanner, even if you use the US instance.
{% endhint %}
{% endtab %}
{% tab title="Older SonarScanner" %}
| Property key | Description |
|---|
sonar.host.url | The URL of the SonarQube Cloud. Must be defined as https://sonarcloud.io. This parameter is mandatory for older scanners and should not be used for newer scanners. Environment variable: SONAR_HOST_URL Default value for older scanners: http://localhost:9000 |
{% endtab %}
{% endtabs %}
## Project identification
| Property key | Description |
|---|
sonar.projectKey | The project’s unique key. Can include up to 400 characters. All letters, digits, dash, underscore, periods, and colons are accepted. This parameter is mandatory. Default from build: |
sonar.organization | The key of the organization to which the project belongs. This parameter is mandatory. |
## Project information
| Property key | Description |
|---|
sonar.projectName | Name of the project that will be displayed on the web interface. Notes: - Is set in the UI if the project is manually created in SonarQube Cloud (cannot be changed in the UI).
- If passed in the command line, will only be read by the scanner if the command applies to the main branch.
- White space is allowed.
Default from build: Maven |
sonar.projectVersion | The project version. It should be set for long-lived branch analysis in case you use the new code definition based on the previous version. Note: Do not use your build number as the project version because this would prevent a correct application of the new code definition based on the previous project version since the build version usually changes much more often than the project release version. Default from build: |
## Analysis scope
Notice that some properties are not supported by SonarScanner for .NET.
| Property key | Description | Default |
|---|
sonar.sources | The initial analysis scope for main source code (non-test code) in the project. This property is not supported by the SonarScanner for .NET. Possible values: Comma-separated paths to directories are included. An individual file in the list means that the file is included. A directory in the list means that all analyzable files and directories recursively below it are included. The path can be relative (to the sonar.projectBaseDir property) or absolute. Wildcards (*, ** and ?) are not allowed. Default from build: | The value of the sonar.projectBaseDir property. |
sonar.tests | The initial analysis scope for test code in the project. This property is not supported by the SonarScanner for .NET. Possible values: See sonar.sources above. Note: If this property is not defined, no code will be analyzed as test code as there is no default value. Default from build: |
|
sonar.projectBaseDir | The project’s base directory. Use this property when you need the analysis to take place in a directory other than the one from which it was started. For example, the analysis starts from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1. Possible values: The path may be relative (to the directory from which the analysis was started) or absolute. Specify not the source directory, but some ancestor of the source directory. The value specified here becomes the new "analysis directory", and other paths are then specified as though the analysis were starting from that specified value. Note: The analysis process will need Write permissions in this directory; it is where the sonar.working.directory will be created by default. Default from build: | The directory from which the analysis was started. |
sonar.scm.exclusions.disabled | For supported SCMs, defines whether files ignored by the SCM, e.g., files listed in .gitignore, will be excluded from the analysis or not. Possible values: true: exclusion disablefalse: exclusion enabled
| false |
sonar.filesize.limit | Sets the limit in MB for files to be discarded from the analysis scope if the size is greater than specified. Note: The sonar.javascript.maxFileSize property (default: 1000 KB) discards JavaScript and TypeScript files from the analysis scope if the file size is greater than specified (This parameter can be set in the UI). | 20 |
## Duplication check
| Property key | Description | Default |
|---|
sonar.cpd.<language>.minimumTokens | Is used for non-Java projects to define the duplication check rule: a piece of code is considered duplicated if sonar.cpd.<language>.minimumTokens identical tokens are found across at least sonar.cpd.<language>.minimumLines lines of code. Note: For Java projects, a piece of code is considered duplicated when there is a series of at least 10 statements in a row, regardless of the number of tokens and lines. This threshold cannot be overridden. | 100 |
sonar.cpd.<language>.minimumLines | Is used for non-Java projects to define the duplication check rule: see above. | 10 |
## Analysis logging
| Property key | Description | Default |
|---|
sonar.log.level | Controls the quantity/level of logs produced during an analysis. Possible values: From least to most verbose: INFODEBUGTRACE: like DEBUG with possible additional information output by plugins or libraries used by the scanner.
| INFO |
sonar.verbose | Possible values: true: adds more details to the analysis logs by activating the DEBUG mode for the scanner.false
Note: There is the potential for this setting to expose sensitive information such as passwords if they are stored as server-side environment variables. | false |
sonar.scanner.metadataFilePath | Sets the location where the scanner writes the report-task.txt file containing among other things the ceTaskId. | The value of sonar.working.directory. |
## Quality gate
| Property key | Description | Default |
|---|
sonar.qualitygate.wait | Forces the analysis step to poll the server instance and wait for the Quality Gate status. This setting will fail the pipeline if the quality gate fails. Possible values: true or false | false |
sonar.qualitygate.timeout | The number of seconds that the scanner should wait for a report to be processed. | 300 |
## Test coverage
See the [test-coverage-parameters](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/test-coverage/test-coverage-parameters "mention") page.
## Import of external issues
The properties below are used to set up the import of issue reports in SonarQube format or in SARIF format. A path defined through these properties is either relative to the `sonar.projectBaseDir` property (which is by default the directory from which the analysis was started) or absolute.
For more information about the import of external issues, see [external-analyzer-reports](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/importing-external-issues/external-analyzer-reports "mention").
| Property key | Description |
|---|
sonar.externalIssuesReportPaths | Comma-delimited list of paths (directories or files) to generic issue reports1). |
sonar.sarifReportPaths | Comma-delimited list of paths (directories or files) to SARIF reports2). |
1\) See [generic-issue-data](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/importing-external-issues/generic-issue-data "mention")\
2\) See [importing-issues-from-sarif-reports](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports "mention")
## Links displayed in the UI
| Property key | Description |
|---|
sonar.links.ci | The URL of the continuous integration system used. The property is effective only for the main branch analysis. Default from build: Maven |
sonar.links.homepage | The URL of the build project home page. The property is effective only for the main branch analysis. Default from build: Maven |
sonar.links.issue | The URL to the issue tracker being used. The property is effective only for the main branch analysis. Default from build: Maven |
sonar.links.scm | The URL of the build project source code repository. The property is effective only for the main branch analysis. Default from build: Maven |
## **Dependency analysis (SCA)**
The following parameters influence the results of the [dependency analysis](https://docs.sonarsource.com/sonarqube-cloud/advanced-security/analyzing-projects-for-dependencies-sca).
| Parameter | Type | Default | Description |
| -------------------------------------- | ------- | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sonar.sca.enabled` | Boolean | true | Indicates whether to perform Software Composition Analysis (SCA) on this project. Set it to false to disable SCA for this project. |
| `sonar.sca.exclusions` | String |
| A comma-separated list of global patterns of paths to exclude as part of analysis.
For example, to ignore all manifests under the tests/ and fixtures/ directories, set:
sonar.sca.exclusions = "tests/, fixtures/"
|
| `sonar.sca.allowManifestFailures` | Boolean | true | When performing analysis, SonarQube attempts to run your build tools (such as Maven or Gradle) to create a full dependency graph.
By default, SonarQube does not fail the analysis if these tools fail, and returns information on a limited set of dependencies. Set this parameter to false to force a failure in this scenario.
|
| `sonar.sca.goNoResolve` | Boolean | false | Disables automatic generation of a Go lock file. This results in degraded dependency information. |
| `sonar.sca.mavenNoResolve` | Boolean | false | Disables automatic generation of a Maven lock file and dependency graph file.
This results in degraded dependency information.
|
| `sonar.sca.mavenForceDepPlugin` | Boolean | true | Ensures Maven Dependency Plugin is installed even when it’s not available in the environment. |
| `sonar.sca.mavenIgnoreWrapper` | Boolean | false | Disables a search for a Maven wrapper script `mvnw.` Set this to true if the default Maven wrapper in your `PATH` is not functioning. |
| `sonar.sca.mavenOptions` | String |
| Sends additional options to any Maven commands used to generate the lock file and dependency graph file. |
| `sonar.sca.gradleNoResolve` | Boolean | false | Disables automatic generation of a Gradle dependencies lock file. This results in degraded dependency information. |
| `sonar.sca.gradleConfigurationPattern` | String |
| Java regex of configurations to include. This is passed to gradle via `-PconfigurationPattern`. When unset, all configurations will be resolved. |
| `sonar.sca.pythonBinary` | String | /usr/bin/python | Path to a specific Python binary that should be used if lock files need to be generated. |
| `sonar.sca.pythonNoResolve` | Boolean | false | Disables automatic generation of a Python lock file. This results in degraded dependency information. |
| `sonar.sca.pythonResolveLocal` | Boolean | false | When generating a python lockfile, dependency resolution is done in a temporary virtual environment. Set this to true to skip creation of the virtual environment and resolve against the local python environment. |
| `sonar.sca.npmNoResolve` | Boolean | false | Disables automatic generation of a lock file for an NPM project when a supported lockfile (`yarn.lock`, `package-lock.json`, `pnpm-lock.yaml`, `bun.lock`) is not present. |
| `sonar.sca.npmEnableScripts` | Boolean | false | By default, when generating a lockfile, the `--ignore-scripts NPM/Yarn` option is passed to ignore any lifecycle scripts. If lifecycle scripts are needed to properly generate dependencies, enable this option. |
| `sonar.sca.nugetNoResolve` | Boolean | false | Disables automatic generation of a lock file for a Nuget project. |
| `sonar.sca.resolveAsRoot` | Boolean | false | By default, Sonar does not run dependency resolution commands as an admin, as installing packages could lead to compromise if a malicious package is specified.
While not recommended, you can set this to true if you have vetted your dependencies and need to resolve dependencies while running as an admin.
|
| `sonar.scanner.keepReport` | Boolean | false | Not specific to SCA. Keeps the scanner work directory after analysis, including the `dependency-files.tar.xz` that contains dependency files to analyze. Useful if you have access to [commercial support](https://www.sonarsource.com/support/), as the Sonar support team may ask for this file to assist with resolving issues. |
## JRE auto-provisioning
See also the Scanner's [general-requirements](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/scanner-environment/general-requirements "mention") page for information about JRE auto-provisioning.
JRE auto-provisioning is available only for these SonarScanners:
* SonarScanner CLI from v6.0
* SonarScanner for Maven from v5.0
* SonarScanner for Gradle from v6.0
* SonarScanner for .NET from v7.0
* SonarScanner for NPM from v4.0
Here are their parameters and environment variables:
| Property key | Description |
|---|
sonar.scanner.os | The operating system of the machine hosting the SonarScanner. Default: the autodetected value Environment variable: SONAR_SCANNER_OS Not supported by the SonarScanner for .NET. Possible values: windows, linux, macos, alpine. |
sonar.scanner.arch | The CPU architecture type. Environment variable: SONAR_SCANNER_ARCH Not supported by the SonarScanner for .NET. Default: the autodetected value Possible values: x64, aarch64. |
sonar.scanner.skipJreProvisioning | Defines whether the JRE auto-detection is disabled (true) or not (false). Environment variable: SONAR_SCANNER_SKIP_JRE_PROVISIONING Not supported by the SonarScanner for .NET. Default: false |
sonar.scanner.javaExePath | If defined, the SonarScanner will be run with this JRE. Environment variable: SONAR_SCANNER_JAVA_EXE_PATH Not supported by the SonarScanner for .NET. Default: The provisioned JRE, or use java from your PATH if sonar.scanner.skipJreProvisioning=true. |
## Timeout
| Property key | Description |
|---|
sonar.scanner.connectTimeout | The time period to establish connections with the server (in seconds). Default: 5 Supported by: SonarScanner CLI from v6.0, Maven from v5.0, Gradle from v6.0, .NET from v7.0, and NPM from v4.0. |
sonar.scanner.socketTimeout | The Maximum time of inactivity between two data packets when exchanging data with the server (in seconds). Default: 60 Supported by: SonarScanner CLI from v6.0, Maven from v5.0, Gradle from v6.0, .NET from v7.0, and NPM from v4.0. |
sonar.scanner.responseTimeout | The maximum time to wait for the response of a web service call (in seconds). Modifying this value from the default is useful only when you’re experiencing timeouts during analysis while waiting for the server to respond to web service calls. Default: 60 Supported by: SonarScanner CLI from v6.0, Maven from v5.0, Gradle from v6.0, .NET from v7.0, and NPM from v4.0. |
sonar.plugins.download.timeout | Maximum time to wait when downloading a plugin from SonarQube (in seconds). Default: 300 |
## Proxy
If the CI/CD host is behind a proxy, you’ll have to setup the connection to the proxy server by using the parameters below. These parameters are supported only by:
* SonarScanner CLI (from v6.0)
* SonarScanner for Maven (from v5.0)
* SonarScanner for Gradle (from v6.0)
* SonarScanner for NPM (from v4.0)
| Property key | Description |
|---|
sonar.scanner.proxyHost | The host name of the proxy server (mandatory). Example: mycompanyproxy.com Environment variable: SONAR_SCANNER_PROXY_HOST |
sonar.scanner.proxyPort | The port of the proxy server. Environment variable: SONAR_SCANNER_PROXY_PORT Default value: • If sonar.host.url starts with https: 443 • Otherwise: 80 |
sonar.scanner.proxyUser | In case of an authenticated proxy: the user name. Environment variable: SONAR_SCANNER_PROXY_USER |
sonar.scanner.proxyPassword | In case of an authenticated proxy: the user password. Environment variable: SONAR_SCANNER_PROXY_PASSWORD |
## Branch analysis
The following parameters relate to branch analysis and are, in the main cases, only required when using a non-integrated CI. For detailed information on their use, see the [branch-analysis-setup](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/branch-analysis/branch-analysis-setup "mention") page.
| Property key | Description |
|---|
sonar.branch.name | The name of the branch to be analyzed. |
sonar.branch.target | The name of: - If the branch to be analyzed is a long-lived branch: its reference branch.
- If the branch to be analyzed is a short-lived branch: its target branch.
|
## Pull request analysis
The following parameters relate to Pull request analysis and are only required for manual projects. For detailed information on their use, see [pull-request-analysis](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/pull-request-analysis "mention").
| Property key | Description | Default |
|---|
sonar.pullrequest.key | This property is the unique identifier of your Pull Request. Must correspond to the key of the Pull Request in your DevOps platform. Example: sonar.pullrequest.key=5 |
|
sonar.pullrequest.branch | This property is the name of the branch that contains the changes to be merged. Example: sonar.pullrequest.branch=feature/my-new-feature |
|
sonar.pullrequest.base | The branch into which the pull request will be merged (target branch). Example: sonar.pullrequest.base=main | main branch |
## Other parameters
| Property key | Description | Default |
|---|
sonar.scm.revision | Overrides the revision, for instance, the Git sha1, displayed in analysis results. Note: May be provided by the CI environment or guessed from the checked-out sources. |
|
sonar.buildString | The string passed with this property will be stored with the analysis and available in the results of api/project_analyses/search, thus allowing you to later identify a specific analysis and obtain its key for use with api/project_analyses/set_baseline on the SPECIFIC_ANALYSIS type. |
|
sonar.sourceEncoding | Encoding of the source files. For example, UTF-8, MacRoman, Shift_JIS. The list of available encodings depends on your JVM. Default from build: • Maven • Gradle | The system encoding |
sonar.working.directory | Path to the working directory used by the SonarScanner during a project analysis to store temporary data. This property is not compatible with the SonarScanner for .NET. The path can be relative (to the sonar.projectBaseDir property) or absolute. It must be unique for each project. Warning: The specified directory is deleted before each analysis. Default from build: • Maven • Gradle | .scannerwork |
sonar.scm.forceReloadAll | By default, blame information is only retrieved for changed files. Set this property to true to load blame information for all files, which may significantly increase analysis duration. This can be useful if you feel that some SCM data is outdated but SonarQube does not get the latest information from the SCM engine and this analysis parameter should not be a permanent part of your analysis configuration. | false |
sonar.analysis.<key>=<value> | This property stub allows you to insert custom key/value pairs into the analysis context, which will also be passed forward to webhooks1). Example: sonar.analysis.buildNumber=12345 Note: Depending on the environment, using this property in the command line may not work. |
|
sonar.userHome | The base directory for various locations, such as the user cache. Environment variable: SONAR_USER_HOME | ~/.sonar |
sonar.scanner.javaOpts | Since SonarScanner CLI 6.0.0, the scanner engine will be started as a separate Java process. This property is used to pass arguments to the JVM running the forked scanner engine process. Can be used only with the SonarScanner CLI (from v6.0), SonarScanner for Maven (from v5.0), Gradle (from v6.0) and NPM (from v4.0). Examples: SONAR_SCANNER_JAVA_OPTS="-Xmx4g"
Or SONAR_SCANNER_JAVA_OPTS="-Xmx512m"
Environment variable: SONAR_SCANNER_JAVA_OPTS |
|
1\) See [webhooks](https://docs.sonarsource.com/sonarqube-cloud/discovering-sonarcloud/integrations/webhooks "mention")
## Deprecated parameters
{% hint style="warning" %}
These parameters are listed for completeness, but are deprecated and should not be used in new analyses. They will be removed in the future. A user warning appears on the project interface if you activate this parameter.
{% endhint %}
* `sonar.login`
* `sonar.projectDate`
* `http.proxyHost` or `https.proxyHost`
* `http.proxyPort`
* `http.proxyUser`
* `http.proxyPassword`
* `sonar.ws.timeout`
* `sonar.scanner.dumpToFile` - the name has changed. For more information, see [#debugging-analysis](https://docs.sonarsource.com/sonarqube-cloud/appendices/troubleshooting#debugging-analysis "mention").
## Related pages
* [configuration-overview](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters/configuration-overview "mention")
* [getting-started-in-us-region](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region "mention")