External analyzer reports

SonarQube Cloud can integrate the results from many external dedicated analyzers (also known as linters) that are commonly used to spot problems in code.

Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarQube Cloud can integrate the results from many of these external analyzers. This lets you see this information alongside the other SonarQube Cloud metrics and allows the external results to be taken into account when calculating quality gate status.

To set this up you need to configure some SonarQube Cloud analysis parameters in your build environment. Note that external analyzer report integration is only available for CI-based analysis. It is not available for automatic analysis.

Below, you’ll find language- and tool-specific analysis parameters for importing reports generated by external analyzers. For information on analysis parameters in general, see Analysis Parameters.

For instructions on generating reports using various external analyzers, see the Guides category of the SonarSource Community forum.

Parameters

Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root.

Language
Property
Remarks

Ansible

sonar.ansible.ansible-lint.reportPaths

Comma-delimited list of paths to ansible-lint reports in SARIF format (use --sarif-file ansible-lint option).

Apex

sonar.apex.pmd.reportPaths

Comma-delimited list of paths to PMD Apex, XML reports. Make sure the path in the PMD report matches the path used by analysis. Note: The format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD. An alternative is to export to SARIF format instead of PMD.

CloudFormation

sonar.cloudformation.cfn-lint.reportPaths

Comma-delimited list of paths to AWS CloudFormation Linter reports in JSON format

CSS

sonar.css.stylelint.reportPaths

Comma-delimited list of paths to StyleLint.io reports.

C/C++/Objective-C

sonar.cfamily.valgrind.reportPaths

Comma-delimited list of paths to Valgrind Memcheck and Helgrind XML reports.

Docker

sonar.docker.hadolint.reportPaths

Comma-delimited list of paths to Hadolint reports in JSON and `sonarqube` format.

Go

sonar.go.govet.reportPaths

Comma-delimited list of paths to GoVet reports.

Go

sonar.go.golint.reportPaths

Comma-delimited list of paths to GoLint reports.

Go

sonar.go.gometalinter.reportPaths

Comma-delimited list of paths to GoMetaLinter reports.

Go

sonar.go.golangci-lint.reportPaths

Comma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option).

Go

sonar.externalIssuesReportPaths

Comma-delimited list of paths to gosec reports in SonarQube format (use -fmt=sonarqube gosec option). Note: this is the Generic issue data parameter.

Java

sonar.java.spotbugs.reportPaths

SpotBugs, FindSecBugs, or FindBugs report in XML format that specifies:

• sourcepath, a colon separated list of source folders that is essential for SonarQube to map the files.

• xml:withMessages, that maps to the generated report file.

Check out the spotbugs-example project on Github that contains two xml examples.

Java

sonar.java.pmd.reportPaths

Comma-delimited list of paths to reports from PMD.

Java

sonar.java.checkstyle.reportPaths

Comma-delimited list of paths to reports from Checkstyle.

JavaScript/Typescript

sonar.eslint.reportPaths

Comma-delimited list of paths to JSON ESLint reports (use -f json ESLint option). Example:

eslint ./ -f json > eslint-report.json

sonar -Dsonar.eslint.reportPaths=eslint-report.json

JavaScript/Typescript

sonar.typescript.tslint.reportPaths

Comma-delimited list of paths to TSLint reports in JSON format (use -t json TSLint option).

See the ESLint page for more information.

Kotlin

sonar.androidLint.reportPaths

Comma-delimited list of paths to AndroidLint reports.

Kotlin

sonar.kotlin.detekt.reportPaths

Comma-delimited list of paths to Detekt reports.

PHP

sonar.php.psalm.reportPaths

Comma-delimited list of paths to Psalm reports. SonarQube Cloud expects the reports to be generated in the Generic issue data. To produce this format, run Psalm with the option --output-format sonarcloud (or --output-format sonarqube).

PHP

sonar.php.phpstan.reportPaths

Comma-delimited list of paths to PHPStan reports. SonarQube Cloud expects the reports to be generated in the PHPStan JSON Output Format. To produce this format, run the PHPStan analyse command with the option --error-format=json.

Python

sonar.python.pylint.reportPaths

Comma-delimited list of paths to Pylint reports (use --output-format=parseablePylint option).

Python

sonar.python.bandit.reportPaths

Comma-delimited list of paths to Bandit reports.

Python

sonar.python.flake8.reportPaths

Comma-delimited list of paths to Flake8 reports.

Python

sonar.python.mypy.reportPaths

comma-delimited list of paths to Mypy reports.

Python

sonar.python.ruff.reportPaths

comma-delimited list of paths to Ruff reports.

Ruby

sonar.ruby.rubocop.reportPaths

Comma-delimited list of paths to Rubocop reports.

Scala

sonar.scala.scalastyle.reportPaths

Comma-delimited list of paths to Scalastyle reports.

Scala

sonar.scala.scapegoat.reportPaths

Comma-delimited list of paths to Scapegoat reports in the Scalastyle format.

Swift

sonar.swift.swiftLint.reportPaths

Comma-delimited list of paths to SwiftLint reports in JSON format. Use the --reporter json option.

Terraform

sonar.terraform.tfLint.reportPaths

Comma-delimited list of paths to TFLint reports in JSON format

C#

sonar.cs.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

C#

sonar.cs.roslyn.bugCategories

Comma-delimited list of categories whose issues should be classified as bugs.

C#

sonar.cs.roslyn.vulnerabilityCategories

Comma-delimited list of categories whose issues should be classified as vulnerabilities.

C#

sonar.cs.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as code smells.

VB.NET

sonar.vbnet.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

VB.NET

sonar.vbnet.roslyn.bugCategories

Comma-delimited list of categories whose issues should be classified as bugs.

VB.NET

sonar.vbnet.roslyn.vulnerabilityCategories

Comma-delimited list of categories whose issues should be classified as vulnerabilities.

VB.NET

sonar.vbnet.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as code smells.

Notes on external .NET (C# or VB.NET) issues

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube Cloud so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

Note that Roslyn issues with an error severity automatically fail the build, and it is not recommended to run the SonarScanner for .NET’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis, which will close all outstanding issues in the project. See Configuring the scanner for .NET for more information.

External issue lifecycle

The lifecycle of external issues is identical to the lifecycle of internal issues. This means that you can resolve an external issue the same way you would resolve an internal issue. For details, see Introduction to managing code issues.

Note that managing an external issue within SonarQube Cloud has no impact on its state in the external tool. For example, when you mark an issue as false positive in SonarQube Cloud, it is not reflected in the external tool.

Limitation

External issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube Cloud. External rules are not visible on the Rules page or reflected in any quality profile.

Last updated

Was this helpful?