# SonarScanner for Maven

<details>

<summary>SonarScanner for Maven — 5.5.0.6356 | <a href="https://sonarsource.atlassian.net/jira/software/c/projects/MSONAR/issues">Issue Tracker</a></summary>

**5.5.0.6356** <sup><sub>**2025-12-05**</sub></sup>\ <sup>Release after change of signing key</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.5\&selectedIssue=SCANMAVEN-339)

***

**5.4.0.6343** <sup><sub>**2025-12-02**</sub></sup>\ <sup>Release after change of signing key</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.4\&selectedIssue=SCANMAVEN-338)

***

**5.3.0.6276** <sup><sub>**2025-11-10**</sub></sup>\ <sup>Support of Maven 4</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.3)

***

**5.2.0.4988** <sup><sub>**2025-08-29**</sub></sup>\ <sup>Index .github folder for analysis</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.2)

***

**5.1.0.4751** <sup><sub>**2025-03-25**</sub></sup>\ <sup>Support sonar.region</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.1)

***

**5.0.0.4389** <sup><sub>**2024-11-06**</sub></sup>\ <sup>Automatic JRE provisioning</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%205.0)

***

**4.0.1.6619** <sup><sub>**2026-03-09**</sub></sup>\ <sup>Nudge users into versioning the scanner in their configuration</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues?jql=project%20%3D%20SCANMAVEN%20AND%20fixversion%20%3D%204.0.1)

***

**4.0.0.4121** <sup><sub>**2024-05-31**</sub></sup>\ <sup>Drop support of Java 8 runtime</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixversion%20%3D%204.0)

***

**3.11.0.3922** <sup><sub>**2024-03-13**</sub></sup>\ <sup>Collects files outside of conventional sonar.sources (aka scan more files)</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixVersion%20%3D%2014294)

***

**3.10.0.2594** <sup><sub>**2023-09-15**</sub></sup>\ <sup>Support Maven 4</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010140%20AND%20fixVersion%20%3D%2012662)

***

**3.9.1.2184** <sup><sub>**2022-01-12**</sub></sup>\ <sup>Increase socket connect timeout to 30s</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12661)

***

**3.9.0.2155** <sup><sub>**2021-04-30**</sub></sup>\ <sup>Update dependencies</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12660)

***

**3.8.0.2131** <sup><sub>**2021-01-13**</sub></sup>\ <sup>Support for Bitbucket Pipelines with SonarQube 8.7+, use JDK from the build</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12659)

***

**3.7.0.1746** <sup><sub>**2019-10-01**</sub></sup>\ <sup>Support SONAR\_HOST\_URL environment variable to configure the server URL</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12657)

***

**3.6.1.1688** <sup><sub>**2019-09-02**</sub></sup>\ <sup>Fix a vulnerable dependency</sup>\
[Download](https://central.sonatype.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/versions)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10140+AND+fixVersion+%3D+12658)

</details>

As a Maven goal, the SonarScanner for Maven is available anywhere Maven is available (locally, in CI services, etc.), without the need to manually download, set up, and maintain a separate installation.

Additionally, because the Maven build process already has much of the information needed for SonarQube Cloud to successfully analyze a project, this information is automatically available to the scanner, reducing the amount of manual configuration needed.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* Maven 3.2.5+
* Java 21 or later (Java 17 is deprecated). See [#java-runtime-environment-jre](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanner-environment/general-requirements#java-runtime-environment-jre "mention") for more details.
* Java 11 or later when JRE auto-provisioning is used (available as of version 5.0 of the scanner), since the analysis then runs on the JRE the scanner provisions rather than on the JDK running Maven.

See also the [general-requirements](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/scanner-environment/general-requirements "mention") page for your scanner environment.

## A simple example <a href="#a-simple-example" id="a-simple-example"></a>

In the simplest case, you could perform the analysis manually by invoking the Maven goal, while providing the essential parameters. See the example below.

```bash
mvn clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
    -Dsonar.token=<your personal access token> \
    -Dsonar.region=us \
    -Dsonar.organization=<your organization key> \
    -Dsonar.projectKey=<your project key>
```

{% hint style="warning" %}
This example is based on using a newer SonarScanner and the [US instance](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region). To use the EU instance instead, remove the line with the `sonar.region` property. For more details on this parameter, or if you're using a SonarScanner version earlier than 5.0, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").
{% endhint %}

Usually, you would integrate the `mvn` invocation into your build pipeline, to be run on each commit to your repository. In a pipeline, supply the token through the `SONAR_TOKEN` environment variable rather than as a `-Dsonar.token` argument, so that it never appears in the command line (see Authentication below). The following sections describe how to do this.

## Configuration <a href="#configuration" id="configuration"></a>

While the SonarScanner for Maven automatically detects much of the information needed for code analysis, some manual configuration is required. At a minimum, you need to supply the parameters used to authenticate and connect to the instance, and identify the project.

In general, any of these parameters can be configured just like any other Maven property (in order of override priority):

* On the `mvn` command line where the scanner goal is invoked, using the `-D` argument prefix.
* In the `pom.xml` file of the project, under `<properties>`. Unlike the SonarScanner CLI, the SonarScanner for Maven reads its configuration from the `pom.xml` rather than from a `sonar-project.properties` file.
* In Maven's `settings.xml` (user or global), inside the `<properties>` of an active profile.

Keep `sonar.token` out of the `pom.xml`, which is committed with the project; supply it through the environment as described under Authentication below.

For more information, see [configuration-overview](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters/configuration-overview "mention").

### Authentication <a href="#authentication" id="authentication"></a>

`sonar.token`: This is a personal access token generated in your SonarQube Cloud account at [**My Account** > **Security** > **Generate Tokens**](https://sonarcloud.io/account/security/). It allows the scanner to authenticate to SonarQube Cloud. This is usually set via the `SONAR_TOKEN` environment variable.

For example, in the GitHub Actions CI environment, you would configure a GitHub Secret called `SONAR_TOKEN` with the access token as its value. Then you might have something like the following in your `.github/workflows/build.yml`:

```yaml
...
- name: Build and Analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    ...
```

The SonarScanner for Maven automatically picks up the value directly from the environment variable. If you use an environment variable, you do not need to pass the token on the `mvn` command line, and you should not: command-line arguments are visible to other processes on the build host and are frequently echoed into build logs, whereas a secret passed as an environment variable is masked by CI systems such as GitHub Actions.

### Server connection and project identification

The parameters you need to set up the connection to the server depend on your situation. For more information, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").

The properties `sonar.organization` and `sonar.projectKey` are used to identify the project. For more information, see [#project-identification](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#project-identification "mention").

These parameters are usually set on the command line of the `mvn` command invoked during your build in your CI environment. For example, in the GitHub Actions CI environment, you might have the following in your `.github/workflows/build.yml`.

{% hint style="warning" %}
The following example assumes the use of a newer SonarScanner and [SonarQube Cloud’s US instance](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region). To use the EU instance instead, remove the line with the `sonar.region` property. For more details on this parameter, or if you're using an older scanner, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").
{% endhint %}

```yaml
- name: Build and analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: |
    mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
      -Dsonar.region=us \
      -Dsonar.organization=<your organization key> \
      -Dsonar.projectKey=<your project key>
```

The `run` value is a literal block scalar (`|`) so that the line continuations survive; as a plain multi-line YAML string the backslashes would be folded into the command and break the `-D` arguments.

## Optional parameters <a href="#optional-parameters" id="optional-parameters"></a>

Additional parameters beyond the required ones can also be set, either

* in the SonarQube Cloud UI,
* in your project `pom.xml`,
* or on the command line, as appropriate.

If set on the command line they are simply appended to the `mvn` command as additional `-D` arguments.

If set in the `pom.xml` they are included as part of the project properties. For example:

```xml
<project>
  ...
  <properties>
    <sonar.buildString>...</sonar.buildString>
  </properties>
  ...
</project>
```

See the [analysis-parameters](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters "mention") page for an overview of available parameters.

## Invoking the goal <a href="#invoking-the-goal" id="invoking-the-goal"></a>

When invoking the SonarScanner goal it is recommended that you do it as part of a single Maven command, together with the other goals needed for the build. For example:

```bash
mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
  -Dsonar.organization=<your organization key> \
  -Dsonar.projectKey=<your project key>
```

where the `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` goal follows the `verify` lifecycle phase, so the analysis runs in the same reactor after compilation and tests.

This is in contrast to invoking `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` in a dedicated `mvn` invocation. For example:

```bash
mvn clean install
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
  -Dsonar.organization=<your organization key> \
  -Dsonar.projectKey=<your project key>
```

The advantage of the first technique is that the SonarScanner has access to the full build context (such as the compiled classes and the resolved dependency classpath) and can therefore make a more thorough analysis. For this reason, the first technique is preferred.

### Setting the plugin version <a href="#setting-the-plugin-version" id="setting-the-plugin-version"></a>

**In the pom.xml file**

We recommend locking down versions of Maven plugins in the `pom.xml` file of the project. A pinned version also makes upgrades deliberate: a new plugin release only enters the build when you change the version, rather than at the next `mvn` run.

```xml
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>yourPluginVersion</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

**When invoking the goal**

When invoking the scanner goal, there are two ways to set the plugin version:

* Using the fully qualified name:

```bash
org.sonarsource.scanner.maven:sonar-maven-plugin:<version>:sonar 
```

* Using the shorthand `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` instead of the fully qualified name. In this case, Maven uses the version pinned in `<pluginManagement>` if there is one; otherwise it resolves the latest plugin version available in your plugin repositories at build time, so two builds may run different scanner versions:

```bash
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```

As of version 5.0 of the scanner, the analysis runs on a provisioned JDK 17 by default. If your project targets a different Java version, the Java APIs available during the analysis may differ from the ones your project compiles against. Specifying the correct JDK version ensures that the analysis runs with the Java version your project actually uses. See the [#project-specific-jdk](https://docs.sonarsource.com/sonarqube-cloud/languages/java#project-specific-jdk "mention") article for more information.
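The points made under Authentication, Server connection, Invoking the goal and Setting the plugin version, put together in a small CI wrapper. This is an added example, not a script shipped by SonarSource or the SonarScanner for Maven project. The `SONAR_TOKEN` variable and the `sonar.region`, `sonar.organization`, `sonar.projectKey` and `sonar.buildString` properties are the ones documented on this page; the wrapper's own `SONAR_PLUGIN_VERSION`, `SONAR_ORGANIZATION`, `SONAR_PROJECT_KEY`, `SONAR_REGION` and `SONAR_DRY_RUN` variables and its `run` subcommand are assumptions, and the default pinned version is the current release listed at the top of the page.

```shell
#!/usr/bin/env sh
# sonar-analyze.sh: run a SonarQube Cloud analysis with the SonarScanner for Maven
# from CI, applying the points made on this page:
#   * the token is read from SONAR_TOKEN by the scanner itself and is refused
#     on the command line, where it would show up in `ps` and in build logs;
#   * sonar.region / sonar.organization / sonar.projectKey are passed explicitly;
#   * the goal is fully qualified with a pinned plugin version;
#   * build and analysis run in a single mvn invocation.
# Added example; not a script shipped with the SonarScanner for Maven.
# Assumptions: SONAR_PLUGIN_VERSION, SONAR_ORGANIZATION, SONAR_PROJECT_KEY,
# SONAR_REGION, SONAR_DRY_RUN and the `run` subcommand are this wrapper's own;
# SONAR_TOKEN and the sonar.* properties are the documented ones.
set -eu

# Pinned plugin version (the current release at the top of this page). The
# shorthand goal without a version resolves to the latest release at build time.
SONAR_PLUGIN_VERSION="${SONAR_PLUGIN_VERSION:-5.5.0.6356}"

# Fully qualified goal: groupId:artifactId:version:goal.
sonar_goal() {
  printf '%s\n' "org.sonarsource.scanner.maven:sonar-maven-plugin:${SONAR_PLUGIN_VERSION}:sonar"
}

# Require the token in the environment and refuse it as an mvn argument.
# The extra arguments destined for mvn are passed in so they can be inspected.
check_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "error: SONAR_TOKEN is not set" >&2
    return 1
  fi
  for arg in "$@"; do
    case "$arg" in
      -Dsonar.token=*)
        echo "error: pass the token via SONAR_TOKEN, not as -Dsonar.token" >&2
        return 1 ;;
    esac
  done
}

# Print the -D arguments that select the server and identify the project, one
# per line. sonar.region is only emitted when a region is given; the EU
# instance takes no region at all.
sonar_args() {
  org="$1"; key="$2"; region="${3:-}"
  if [ -z "$org" ] || [ -z "$key" ]; then
    echo "error: organization key and project key are required" >&2
    return 1
  fi
  if [ -n "$region" ]; then
    printf '%s\n' "-Dsonar.region=${region}"
  fi
  printf '%s\n' "-Dsonar.organization=${org}"
  printf '%s\n' "-Dsonar.projectKey=${key}"
}

# Build and analyze in one mvn run so the scanner sees the full build context.
# Any further arguments (for example -Dsonar.buildString=...) are appended.
# With SONAR_DRY_RUN set, the command is printed one argument per line instead.
run_analysis() {
  check_token "$@"
  args=$(sonar_args "${SONAR_ORGANIZATION:-}" "${SONAR_PROJECT_KEY:-}" "${SONAR_REGION:-}")
  old_ifs=$IFS
  IFS='
'
  # shellcheck disable=SC2086  # split on newlines only; keys contain no spaces
  set -- $args "$@"
  IFS=$old_ifs
  if [ -n "${SONAR_DRY_RUN:-}" ]; then
    printf '%s\n' mvn verify "$(sonar_goal)" "$@"
    return 0
  fi
  mvn verify "$(sonar_goal)" "$@"
}

# Usage: SONAR_TOKEN=... SONAR_ORGANIZATION=... SONAR_PROJECT_KEY=... \
#        [SONAR_REGION=us] ./sonar-analyze.sh run [extra mvn arguments]
if [ "${1:-}" = "run" ]; then
  shift
  run_analysis "$@"
fi
```

Export the token in the CI job (for example `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` as in the workflow snippet above) and call `./sonar-analyze.sh run`. Running it with `SONAR_DRY_RUN=1` prints the assembled command instead of executing it, which is a quick way to confirm in a pipeline that the pinned version is in effect and that no token reaches the command line.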

## Code coverage <a href="#code-coverage" id="code-coverage"></a>

To get coverage information, you will need to generate the coverage report before the analysis and specify the location of the resulting report in an analysis parameter. See the [test-coverage](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/test-coverage "mention") page for details.

## Adjusting the analysis scope <a href="#analysis-scope" id="analysis-scope"></a>

The analysis scope of a project determines the source and test files to be analyzed.

An initial analysis scope is set by default. With the SonarScanner for Maven, the initial analysis scope is:

* For source files: all the files stored under `src/main/java` (in the root or module directories).
* For test files: all the files stored under `src/test/java` (in the root or module directories).

To adjust the analysis scope, you can:

* Adjust the initial scope. See [#adjusting-the-initial-scope](#adjusting-the-initial-scope "mention") below.
* Exclude specific files from the initial scope. See the [setting-analysis-scope](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/project-analysis/setting-analysis-scope "mention") pages.
* Exclude specific modules from the analysis. See [#excluding-a-module-from-the-analysis](#excluding-a-module-from-the-analysis "mention") below.

### Adjusting the initial scope <a href="#adjusting-the-initial-scope" id="adjusting-the-initial-scope"></a>

The initial scope is set through the `sonar.sources` property (for source files) and the `sonar.tests` property (for test files). See the [analysis-parameters](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters "mention") page for more information.

To adjust the initial scope, you have two options:

* override these properties by setting them explicitly in your build like any other relevant Maven property. See the [setting-initial-scope](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/project-analysis/setting-analysis-scope/setting-initial-scope "mention") page.
* use the scanAll option to extend the initial scope to non-JVM-related files. See [#using-the-scanall-option-to-include-nonjvmrelated-files](#using-the-scanall-option-to-include-nonjvmrelated-files "mention") below.

### Using the scanAll option to include non-JVM-related files <a href="#using-the-scanall-option-to-include-nonjvmrelated-files" id="using-the-scanall-option-to-include-nonjvmrelated-files"></a>

You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (by default, this option is disabled).

If the scanAll option is enabled then the initial analysis scope of *source files* will be:

* The files stored in `src/main/java`.
* The non-JVM-related files stored in the root directory of your project.

{% hint style="warning" %}
The scanAll option is disabled if the `sonar.sources` property is overridden.
{% endhint %}

To enable the scanAll option:

* Set the `sonar.maven.scanAll` property to `true`. See the [analysis-parameters](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters "mention") page.

### Excluding a module from the analysis <a href="#excluding-a-module-from-the-analysis" id="excluding-a-module-from-the-analysis"></a>

To exclude a module from the analysis, you may:

* In the `pom.xml` of the module you want to exclude, define the `<sonar.skip>true</sonar.skip>` property.
* Use build profiles to exclude some modules (like for integration tests).
* Use Advanced Reactor Options (such as `-pl`). For example `mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -pl '!module2'` (the quotes keep an interactive bash from treating `!` as history expansion).

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

### If you get a java.lang.OutOfMemoryError <a href="#if-you-get-a-javalangoutofmemoryerror" id="if-you-get-a-javalangoutofmemoryerror"></a>

<details>

<summary>With SonarScanner for Maven version 5.0 or later</summary>

Since version 5.0 the analysis runs in a JVM that the scanner launches separately from the one running Maven, so its heap is controlled by the `SONAR_SCANNER_JAVA_OPTS` environment variable rather than by `MAVEN_OPTS`. Set it like this in Unix environments:

```bash
export SONAR_SCANNER_JAVA_OPTS="-Xmx512m"
```

In Windows environments, omit the double quotes: `set` includes them verbatim in the value.

```bash
set SONAR_SCANNER_JAVA_OPTS=-Xmx512m
```

</details>

<details>

<summary>With SonarScanner for Maven version 4.0 or earlier</summary>

Set the `MAVEN_OPTS` environment variable, like this in Unix environments:

```bash
export MAVEN_OPTS="-Xmx512m"
```

In Windows environments, omit the double quotes: `set` includes them verbatim in the value.

```bash
set MAVEN_OPTS=-Xmx512m
```

</details>

## Related pages

* [getting-started-in-us-region](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region "mention")
