# Using the scanner

You can start the SonarScanner for NPM and thus, integrate it into your CI or build pipeline, in the following ways:

* From the command line: A global mode installation of the scanner is required.
* From the command line with npx: No scanner installation is required.
* By adding the analysis step to your build files: The scanner must be added to the project’s devDependencies.

You can pass analysis parameters in the command line and in the analysis step coded in JS. In addition, the SonarScanner for NPM gets analysis parameters from different other sources: see the [configuring](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/sonarscanner-for-npm/configuring "mention") page.

## Starting the scanner from the command line <a href="#command-line" id="command-line"></a>

1. Make sure the scanner is installed in global mode. See the [installing](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/sonarscanner-for-npm/installing "mention") page for instructions.
2. Use the `sonar-scanner` command to start the analysis.\
   To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.

```bash
sonar -Dsonar.region=us -Dsonar.token=<YOUR_TOKEN> -Dsonar.organization=<YOUR_ORGANIZATION_KEY> 
```

{% hint style="warning" %}
This example is based on using a newer SonarScanner version with the US instance of SonarQube Cloud. To use the EU instance instead, remove the `sonar.region` property setting. For more details on this parameter, or if you're using a SonarScanner version smaller than 4.0, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").
{% endhint %}

Passing a project key is optional: the scanner for NPM uses the `name` field of the `package.json` file as project key. However, you can override the project key by passing the `-Dsonar.projectKey` to the command line.

## Starting the scanner from the command line with npx <a href="#npx" id="npx"></a>

* Use the `npx @sonar/scan` command to start the analysis.\
  To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.\
  Example:

```bash
npx @sonar/scan -Dsonar.region=us -Dsonar.token=<YOUR_TOKEN>
```

{% hint style="warning" %}
This example is based on using a newer SonarScanner version with the US instance of SonarQube Cloud. To use the EU instance instead, remove the `sonar.region` property setting. For more details on this parameter, or if you're using a SonarScanner version smaller than 4.0, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").
{% endhint %}

## Adding the analysis step to your build files <a href="#add-to-build-files" id="add-to-build-files"></a>

1. Make sure the scanner is installed in your project’s devDependencies: see the [installing](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/sonarscanner-for-npm/installing "mention") page.
2. Code the analysis step in JS in your build files, as shown in the example below.

```javascript
const scanner = require('@sonar/scan');
scanner(
  {
    serverUrl: 'https://sonarqube.mycompany.com',
    token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f', 
    options: {
      'sonar.projectName': 'My App',
      'sonar.projectDescription': 'Description for "My App" project...',
      'sonar.sources': 'src',
      'sonar.tests': 'test', 
    },
  },
  () => process.exit(),
);
```

Where the syntax is as follows:

```javascript
scanner ( parameters, [callback] )
```

* parameters (format: Map)
  * serverUrl (format: String; optional): The URL of the SonarQube server. Defaults to the value of the SonarQube Cloud URL (`sonar.scanner.cloudUrl` property).
  * token (format: String; optional): The token used to connect to the SonarQube server or SonarQube Cloud. Empty by default. You can use a Personal Access Token or (recommended, from the Team plan) a Scoped Organization Token.
  * options (format: Map; optional): Used to pass extra parameters for the analysis. See Configuring the analysis parameters for more details.
* callback (format: Function; optional): Callback (the execution of the analysis is asynchronous).

## Starting the scanner from the command line with pnpx <a href="#pnpx" id="pnpx"></a>

`@sonar/scan` has multiple binaries, so pnpx will ask which binary to provide. The approach recommended by pnpm is to use the following syntax:

```bash
pnpm --package=@sonar/scan dlx sonar -Dsonar.region=us -Dsonar.token=<YOUR_TOKEN>
```

{% hint style="warning" %}
This example is based on using a newer SonarScanner version with the US instance of SonarQube Cloud. To use the EU instance instead, remove the `sonar.region` property setting. For more details on this parameter, or if you're using a SonarScanner version smaller than 4.0, see [#server-connection](https://docs.sonarsource.com/sonarqube-cloud/analysis-parameters/parameters-not-settable-in-ui#server-connection "mention").
{% endhint %}

## Related pages

* [configuring](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/sonarscanner-for-npm/configuring "mention")
* [managing-tokens](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens "mention")
* [scoped-organization-tokens](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-organization/scoped-organization-tokens "mention")
* [getting-started-in-us-region](https://docs.sonarsource.com/sonarqube-cloud/getting-started/getting-started-in-us-region "mention")