About external issues
Issues generated by third-party analyzers can be imported into SonarQube Community Build.
Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarQube can integrate the results from many of these external analyzers. This lets you see their findings alongside the other SonarQube metrics and allows the external results to be taken into account when calculating quality gate status.
If your analyzer doesn't integrate with SonarQube Community Build, you can import the external issues either in the generic SonarQube format or in the SARIF format.
List of supported analyzers
The table below lists the third-party analyzers that integrate with SonarQube Community Build.
| Language | Analyzers |
| --- | --- |
| CloudFormation | AWS CloudFormation Linter |
| C#/VB.NET | Roslyn (including Roslyn analyzers provided by Microsoft) |
| CSS | StyleLint.io |
| Docker | Hadolint |
| Go | GoVet, GoLint, GoMetaLinter, golangci-lint, gosec |
| Java | SpotBugs, FindSecBugs, FindBugs, PMD, Checkstyle |
| JavaScript/TypeScript | ESLint |
| Kotlin | AndroidLint, Detekt, Ktlint |
| PHP | Psalm, PHPStan |
| Python | Pylint, Bandit, Flake8, Mypy, Ruff |
| Ruby | Rubocop |
| Scala | Scalastyle, Scapegoat |
| Terraform | TFLint |
Limitations
SonarQube takes external issues into account in the analysis report, and users can resolve an external issue the same way as an internal issue.
External issues do have an important limitation, however: the activation of the rules that raise them cannot be managed within SonarQube. External rules are not visible on the Rules page and are not reflected in any quality profile.