About external issues

Issues generated by third-party analyzers can be imported into SonarQube Community Build.

Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarQube can integrate the results from many of these external analyzers. This lets you see those results alongside the other SonarQube metrics and allows them to be taken into account when calculating quality gate status.

If your analyzer doesn't integrate with SonarQube Community Build, you can import the external issues either in the generic SonarQube format or in the SARIF format.

List of supported analyzers

The table below lists the third-party analyzers that integrate with SonarQube Community Build.

| Language | External analyzers |
| --- | --- |
| CloudFormation | AWS CloudFormation Linter |
| C#/VB.NET | Roslyn (including Roslyn analyzers provided by Microsoft) |
| CSS | StyleLint.io |
| Docker | Hadolint |
| Go | GoVet, GoLint, GoMetaLinter, golangci-lint, gosec |
| Java | SpotBugs, FindSecBugs, FindBugs, PMD, Checkstyle |
| JavaScript/TypeScript | ESLint |
| Kotlin | AndroidLint, Detekt, Ktlint |
| PHP | Psalm, PHPStan |
| Python | Pylint, Bandit, Flake8, Mypy, Ruff |
| Ruby | RuboCop |
| Scala | Scalastyle, Scapegoat |
| Terraform | TFLint |

Limitations

The external issues will be taken into account by SonarQube in the analysis report and users will be able to resolve an external issue the same way as an internal issue.

But external issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube. External rules are not visible on the Rules page or reflected in any quality profile.

Managing an external issue within SonarQube has no impact on its state in the external tool. For example, when you mark an issue as false positive in SonarQube, it is not reflected in the external tool.
