Concepts

This page presents essential analysis concepts you will encounter while analyzing your code with SonarQube Cloud.

Automatic vs CI-based analysis

When setting up a new project, the first choice you will have to make is between automatic analysis and CI-based analysis.

  • With automatic analysis, SonarQube Cloud analyzes your code simply by reading it from your repository, without the need to configure a CI-based analysis.

  • With the CI-based method, the analysis takes place in your build environment. It is done by a separate tool, called a scanner, that is run in your build environment. The results of the analysis are then sent to the SonarQube Cloud server, processed and displayed in the SonarQube Cloud web interface.

If your project is eligible and you don’t require any of the unsupported features, automatic analysis is the recommended method to use.

See the Automatic analysis and Overview of integrated CIs pages for more information.

Keeping the focus on new code

SonarQube Cloud is designed with two principles in mind:

  1. Prevent issues from being introduced in the first place.

  2. When issues are introduced, catch them as early as possible.

To achieve this, SonarQube Cloud integrates into your daily development workflow at multiple points, so that analysis results surface every time you make changes and not as a separate, periodic task.

SonarQube Cloud provides three layers of defense:

  1. In your IDE: Catch issues before you push using SonarQube for IDE.

  2. On your pull request: Catch issues before they reach the main branch.

  3. On your main branch: Catch anything that slipped through.

The goal is to make code quality part of normal, feature-driven development work.

Catching issues with SonarQube for IDE

SonarQube for IDE is your first line of defense against code quality and security issues. It can catch issues in your code right in your IDE, before you even push changes to your repository, using the SonarQube for IDE extension.

SonarQube for IDE is available for:

The automated code review in SonarQube for IDE works like a spell checker, highlighting issues in your code as you type. When an issue is identified, SonarQube for IDE provides you with clear remediation guidance so you can fix it right away. In many cases, it also provides a quick fix that can automatically fix the issue for you.

You can also connect SonarQube for IDE to your SonarQube Cloud project. This allows SonarQube for IDE to leverage your team’s quality profiles, synchronize other analysis settings and alert you to analysis results that appear at later stages in the dev cycle.

For more information, see SonarQube for IDE.

Pull request analysis

A pull request code review and analysis is your second line of defense against code quality and security issues after SonarQube for IDE. Issues that SonarQube for IDE cannot detect are detected by pull request analysis before they are merged into the main branch.

When you open a pull request (or, in GitLab, a merge request) SonarQube Cloud will automatically analyze all (and only) the changes introduced by that pull request. The result is reported both in the pull request view of the SonarQube Cloud interface and in your DevOps platform (GitHub, Bitbucket Cloud, Azure DevOps, or GitLab), as a pull request decoration. On every subsequent push to the pull request branch, the analysis is run again.

Each pull request analysis result displays Quality gates. The quality gate applies only to the actual code that was changed in the pull request. It can be set to prevent the merging of the pull request branch into its target branch if the analysis results do not meet your requirements.

For more information, see the Pull request analysis page.

Main branch analysis

A main branch code review and analysis is your third line of defense against code quality and security issues, after SonarQube for IDE and pull request analysis. Issues that neither SonarQube for IDE nor pull request analysis can detect are detected by main branch analysis.

Every time you make a change to the main branch of your project SonarQube Cloud will automatically analyze all the code in the current state of the main branch.

The main branch results display Quality gates. The quality gate applies to all the code in the main branch. For more information, see Main branch analysis.

Scanners

A scanner is the tool that runs the actual code analysis. It inspects your source code, applies the rules from your quality profile, and sends the results to SonarQube Cloud.

SonarQube Cloud provides dedicated scanners for common build systems and languages — including .NET, Maven, Gradle, NPM, and Python — as well as a general-purpose SonarScanner CLI for everything else. See the Scanners pages for more information.

Languages

SonarQube Cloud supports a wide range of languages. See the full list on the Supported languages page. To find the supported versions and language-specific configuration information, search the page list on the Languages page.

Analysis parameters

Analysis parameters allow you to control many details of how an analysis is performed.

See the Analysis parameters page for more information.

Incremental analysis

SonarQube Cloud uses incremental analysis mechanisms to keep analysis times fast by only re-analysing code that has changed since the last scan.

See the Incremental analysis mechanisms page for more information.

Enriching your analysis

The above sections describe the core features of SonarQube Cloud and how they can improve the quality and security of your code by identifying issues early in the development cycle. The following features allow you to enrich your code review and analysis results with additional insights.


Test coverage

Checking the test coverage of your code with coverage reporting tools is an essential part of the development process.

SonarQube Cloud lets you set up the automatic importing of test coverage reports produced by your language-specific tools and integrate the results into the SonarQube Cloud analysis results.

By setting up this integration you bring an important additional metric into the mix of your SonarQube Cloud results allowing coverage to be taken into account when calculating quality gates.

To set up test coverage import you need to first set up the test coverage reporting tool for your project. This depends largely on the language that you are using. Once this tool is set up to run on every build, you can configure SonarQube Cloud to import that report and integrate it into the analysis.

For details, see Overview and Generic test data.
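The following is an added example (not SonarQube Cloud's own code) of the last step described above: turning the per-line data a coverage tool produces into a report in the generic test coverage XML layout (coverage / file / lineToCover) that the Generic test data page documents. The input dict is constructed here as a stand-in for a real tool's output; only the XML element and attribute names are SonarQube's.

```python
"""Build a SonarQube generic test coverage report from per-line coverage data.

Added example, not SonarQube Cloud's own code. SAMPLE_COVERAGE is constructed
as a stand-in for what a language-specific coverage tool would emit; only the
XML layout (coverage/file/lineToCover) follows the generic test data format.
"""
import xml.etree.ElementTree as ET

# Constructed sample: file path -> {line number: (hits, branches_to_cover, covered_branches)}.
# The two branch fields are None for lines that contain no branch.
SAMPLE_COVERAGE = {
    "src/auth/login.py": {
        2: (1, None, None),   # executed once
        3: (0, None, None),   # never executed
        5: (4, 8, 2),         # executed, 2 of 8 branches taken
    },
    "src/util/strings.py": {
        1: (2, None, None),
    },
}


def build_generic_coverage(coverage):
    """Return an ElementTree root in the generic coverage format:
    <coverage version="1"><file path=...><lineToCover .../></file></coverage>
    Inconsistent input raises ValueError instead of producing a report the
    importer would reject at analysis time."""
    root = ET.Element("coverage", version="1")
    for path in sorted(coverage):
        file_el = ET.SubElement(root, "file", path=path)
        for line_no in sorted(coverage[path]):
            hits, to_cover, covered = coverage[path][line_no]
            if line_no < 1 or hits < 0:
                raise ValueError(f"{path}:{line_no}: bad line number or hit count")
            attrs = {
                "lineNumber": str(line_no),
                "covered": "true" if hits > 0 else "false",
            }
            if to_cover is not None:
                if covered is None or not 0 <= covered <= to_cover:
                    raise ValueError(f"{path}:{line_no}: covered branches out of range")
                attrs["branchesToCover"] = str(to_cover)
                attrs["coveredBranches"] = str(covered)
            ET.SubElement(file_el, "lineToCover", attrs)
    return root


def to_xml_string(root):
    """Serialize the report with an XML declaration, ready to write to disk."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def summarize(coverage):
    """Return (covered_lines, total_lines, covered_branches, total_branches),
    the same counts the importer derives from the lineToCover elements."""
    lines = covered_lines = branches = covered_branches = 0
    for per_line in coverage.values():
        for hits, to_cover, covered in per_line.values():
            lines += 1
            if hits > 0:
                covered_lines += 1
            if to_cover is not None:
                branches += to_cover
                covered_branches += covered
    return covered_lines, lines, covered_branches, branches


if __name__ == "__main__":
    report = build_generic_coverage(SAMPLE_COVERAGE)
    print(to_xml_string(report))
    print("lines covered: %d/%d, branches covered: %d/%d" % summarize(SAMPLE_COVERAGE))
```

Write the serialized XML to a file in the build and point the sonar.coverageReportPaths analysis parameter at it; the validation in build_generic_coverage is there because a report with a covered-branch count larger than its branch count is rejected at import, which is easier to catch while the converter runs than in the analysis log.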

Importing external issues

In addition to importing coverage reports, SonarQube Cloud can also import reports from external analysis tools such as linters. Importing these reports allows SonarQube Cloud to integrate them into the analysis results, providing you with more insight into the state of your code.

To set up import from external analyzers you need to first set up the external reporting tool for your project. This depends largely on the language and other build tools that you are using. Once this is set up to run on every build, you can configure SonarQube Cloud to import the external analysis report and integrate it into the analysis.

For more information, see Importing external issues.
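As an added example (not SonarQube Cloud's code, nor any linter's) of the external-report setup described above: a small converter that reads linter output and writes it in the generic issue import JSON layout (issues with engineId, ruleId, severity, type and a primaryLocation). The linter lines are constructed in a flake8-style "path:line:col: CODE message" layout, and the mapping from rule-code prefix to severity and type is an assumption made here for illustration.

```python
"""Convert linter output into SonarQube's generic issue import JSON.

Added example, not SonarQube Cloud's own code or any linter's. LINT_OUTPUT is
constructed in the flake8-style "path:line:col: CODE message" layout, and the
RULE_MAP prefix -> (severity, type) mapping is an assumption for illustration.
"""
import json
import re

LINT_OUTPUT = """\
src/app.py:12:5: E225 missing whitespace around operator
src/app.py:30:1: W291 trailing whitespace
src/db.py:7:9: B105 possible hardcoded password
not a linter line at all
"""

LINE_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):(?P<col>\d+): (?P<code>\S+) (?P<msg>.+)$"
)

# Assumed mapping from rule-code prefix to SonarQube severity and issue type.
# Generic-format severities: BLOCKER, CRITICAL, MAJOR, MINOR, INFO.
# Generic-format types: BUG, VULNERABILITY, CODE_SMELL.
RULE_MAP = {
    "B": ("CRITICAL", "VULNERABILITY"),  # security findings
    "E": ("MINOR", "CODE_SMELL"),        # style errors
    "W": ("INFO", "CODE_SMELL"),         # style warnings
}
DEFAULT_RULE = ("MAJOR", "CODE_SMELL")    # unknown prefixes are still imported


def lint_line_to_issue(line, engine_id):
    """Parse one linter line into a generic-format issue dict, or None when the
    line does not match the expected layout (skipped rather than guessed at)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity, issue_type = RULE_MAP.get(m["code"][0], DEFAULT_RULE)
    return {
        "engineId": engine_id,
        "ruleId": m["code"],
        "severity": severity,
        "type": issue_type,
        "primaryLocation": {
            "message": m["msg"],
            "filePath": m["path"],
            "textRange": {
                "startLine": int(m["line"]),
                # linter columns are 1-based; the generic format's startColumn is 0-based
                "startColumn": int(m["col"]) - 1,
            },
        },
    }


def build_report(text, engine_id="flake8"):
    """Return the full report object: {"issues": [...]} with unparsable lines dropped."""
    issues = [lint_line_to_issue(l, engine_id) for l in text.splitlines()]
    return {"issues": [i for i in issues if i is not None]}


def to_json(report):
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(to_json(build_report(LINT_OUTPUT)))
```

Write the JSON to a file during the build and reference it with the sonar.externalIssuesReportPaths analysis parameter. Keep engineId stable across builds (it identifies the tool in the SonarQube Cloud interface), and note that issues imported this way keep the severity and type the converter assigns, so the mapping is worth reviewing with the team rather than left at a default.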

Branch analysis

So far we have seen that SonarQube Cloud performs code review and analysis on the main branch of your project and individual pull requests.

But, SonarQube Cloud can also provide analysis of other branches in your repository that are neither the main (that is, default) branch nor pull request branches. This feature can be used if:

  • Your project has long-living branches other than the main branch that you want to analyze. For example, a development branch or maintenance branches for older versions.

  • Your project uses short-lived branches (for example, "feature" branches) to introduce changes to your main branch, but you do not use them with a pull request mechanism in a supported CI.

If your project has either of these characteristics, configuring branch analysis will let you have the full benefit of SonarQube Cloud analysis.

For details, see Branch analysis and Branch analysis setup.

For more information on activating and deactivating automatic analysis, see Automatic analysis.

For information on CI-based analysis, see Overview of integrated CIs.

Working with AI agents

SonarQube Cloud includes features designed to integrate with AI coding agents. These features form part of the SonarQube Agentic Workflow, which guides AI agents to generate better code and verifies the result.

See the Agentic Analysis and Context Augmentation pages for more information.
