SonarQube Community Build analysis overview

With SonarQube Community Build, you can analyze your project’s main branch. Starting in the SonarQube Server Developer Edition, you can analyze multiple branches and pull requests.

Code analysis with the SonarScanner

The SonarScanner performs the source code analysis. This stand-alone program runs on the CI/CD host and sends the analysis results to SonarQube Community Build, which computes them, calculates the quality gate, and generates reports. 

To perform the analysis, the SonarScanner uses the language analyzers that it downloads from SonarQube Community Build at installation.

The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, NPM, and Python. For other project types, the SonarScanner CLI which requires more manual configuration is used.

Analysis process

Essentially, the main steps of the analysis process are:

1. Your build or CI pipeline starts the SonarScanner. 
2. The SonarScanner scans the local repository and determines the files to be analyzed according to the configured analysis scope. 
3. The scanner sends an analysis request to the respective language analyzer which retrieves the files to be analyzed from the file system and analyzes them according to the configured quality profile. 
4. The analyzer sends the analysis results (quality measures and issues) to the scanner which forwards them to SonarQube Community Build in the form of a report. 
5. SonarQube Community Build computes the analysis results asynchronously to perform the following:
   • It identifies the new issues according to the configured New Code definition and raises them in both the new code and the overall code (It uploads the code as part of the analysis and shows users the code that it raised issues on. Unanalyzed changes in the code are not visible.).
   • It computes the quality gate.
   • It generates reports.

Integration into your CI pipeline

By integrating the SonarQube Community Build analysis into your CI pipeline, you can use the following analysis features for your projects: main branch analysis, and, starting in Developer Edition, pull request analysis and multiple branch analysis.

The relevant CI pipeline steps with SonarQube Community Build integration are:

1. A developer pushes changes on a branch to the remote repository.
2. A CI pipeline is triggered for the specific branch. For this purpose, webhooks may be used when events occur in the Source Control Management (SCM) system or the repository may be monitored by a CI/CD tool like Jenkins.
3. The pipeline clones the remote repository and checks out the relevant branch to the local repository on the CI/CD host (The code and SCM metadata are copied.).
4. In the case of a compiled programming language, the pipeline builds the code.
5. The pipeline executes the appropriate Sonar Scanner to analyze the code.
6. The scanner sends the analysis results to SonarQube Community Build, which computes them.
7. The Server sends the Quality Gate computation result to the CI pipeline (This step is optional.).
8. The pipeline continues (if the Quality Gate succeeds) or stops (otherwise).

Scanner engine and analyzers download at analysis time

A SonarScanner is a scanner bootstrapper that downloads the scanner engine and language analyzers from SonarQube Server at analysis time. This way:

• It ensures that the scanner engine and analyzer versions are compatible with SonarQube Server.
• Only the analyzers necessary to analyze the detected languages are downloaded. 

The figure below shows a simplified view of the download process of the scanner engine and language analyzers. For each analysis run:

1. The CI or build pipeline starts the SonarScanner.
2. The SonarScanner connects to SonarQube Server to retrieve the scanner engine version to be used. It checks the scanner cache for the scanner engine version. If it doesn't find it, it downloads it from SonarQube Server and stores it in the cache.
3. The scanner engine scans the code to identify the different languages used in the project to be analyzed.
4. The scanner engine checks the scanner cache for the required language analyzers. If it doesn't find them, it downloads them from SonarQube Server and stores them in the cache.

Related pages

• Setting up your project analysis
• Troubleshooting your analysis