# SonarScanner for Gradle
SonarScanner for Gradle — 7.2.3.7755 | Issue Tracker
**7.2.3.7755** **2026-03-04**\ Fix an issue with improper filtering of user-defined path properties\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.2.3.7755)\
\
[Release notes](https://sonarsource.atlassian.net/issues?jql=project%20%3D%20SCANGRADLE%20AND%20fixversion%20%3D%207.2.3)
***
**7.2.2.6593** **2025-12-18**\ Fix regression where wildcards were no longer supported in path properties\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.2.2.6593)\
\
[Release notes](https://sonarsource.atlassian.net/issues?jql=project%20%3D%20SCANGRADLE%20AND%20fixversion%20%3D%207.2.2)
***
**7.2.1.6560** **2025-12-12**\ Fix an issue where Gradle would fail to write the configuration cache because of concurrent modifications\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.2.1.6560)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixversion%20%3D%207.2.1)
***
**7.2.0.6526** **2025-12-04**\ Support for Gradle configuration-cache feature.\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.2.0.6526)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixversion%20%3D%207.2)
***
**7.1.0.6387** **2025-11-20**\ Fix execution failure when executing Sonar with Gradle parallel execution activated.\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.1.0.6387)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixversion%20%3D%207.1)
***
**7.0.1.6134** **2025-10-24**\ Support of Gradle 9\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.0.1.6134)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixversion%20%3D%207.0.1)
***
**7.0.0.6105** **2025-10-14**\ Support of Gradle 9\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/7.0.0.6105)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%207.0)
***
**6.3.1.5724** **2025-08-27**\ Fix a bug where the scanner would crash when users would define `sonar.sources`.\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.3.1.5724)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.3.1)
***
**6.3.0.5676** **2025-08-25**\ Index .github folder for analysis.\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.3.0.5676)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.3)
***
**6.2.0.5505** **2025-05-15**\ Better logging of the execution context and migration from deprecated Gradle APIs.\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.2.0.5505)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.2)
***
**6.1.0.5360** **2025-03-25**\ Add support for SonarQube Cloud regions\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.1.0.5360)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.1)
***
**6.0.1.5171** **2024-11-27**\ Support of JRE auto-provisioning\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.0.1.5171)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.0.1)
***
**6.0.0.5145** **2024-11-19**\ Support of JRE auto-provisioning\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/6.0.0.5145)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%206.0)
***
**5.1.0.4882** **2024-07-04**\ Scan additional files outside of conventional Gradle folders\
[Download](https://plugins.gradle.org/plugin/org.sonarqube/5.1.0.4882)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%205.1)
***
**5.0.0.4638** **2024-03-26**\ Decouple sonar task from Gradle compile tasks\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20and%20fixversion%20%3D%205.0)
***
**4.4.1.3373** **2023-10-03**\ Allow the skipping/forcing of compile tasks through the property "sonar.gradle.skipCompile"\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixVersion%20in%20\(4.4%2C%204.4.1\))
***
**4.3.1.3277** **2023-09-01**\ Support for analysis of Gradle Kotlin DSL files\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixVersion%20%3D%2014283)
***
**4.2.1.3168** **2023-06-12**\ Support for Kotlin Multiplatform and 'sonar.java.enablePreview' property, Java 11+ required\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project%20%3D%2010137%20AND%20fixVersion%20%3D%2014114)
***
**4.0.0.2929** **2023-02-17**\ Support for Gradle 8\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+14039)
***
**3.5.0.2730** **2022-10-27**\ New 'sonar' task name and better support for Android projects\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12396)
***
**3.4.0.2513** **2022-06-08**\ Support Gradle 8 and Java 17, increase socket connect timeout to 30s\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12395)
***
**3.3** **2021-06-10**\ Support Android dynamic features modules\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12394)
***
**3.2** **2021-04-30**\ Support configuration caching\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12392)
***
**3.1.1** **2021-01-25**\ Bug fix on the JDK path\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12393)
***
**3.1** **2021-01-13**\ Support for Bitbucket Pipelines with SonarQube 8.7+, use JDK from the build\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12391)
***
**3.0** **2020-06-02**\ Change task dependencies on tests, upgrade to Gradle 5\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12390)
***
**2.8** **2019-10-01**\ Support SONAR\_HOST\_URL environment variable to configure the server URL\
[Download](https://plugins.gradle.org/plugin/org.sonarqube)\
\
[Release notes](https://sonarsource.atlassian.net/issues/?jql=project+%3D+10137+AND+fixVersion+%3D+12388)
The SonarScanner for Gradle provides an easy way to start the scan of a Gradle project.
The ability to execute the SonarScanner analysis via a regular Gradle task makes it available anywhere Gradle is available (developer build, CI server, etc.), without the need to manually download, setup, and maintain a SonarScanner CLI installation. The Gradle build already has much of the information needed for the SonarScanner to successfully analyze a project. By preconfiguring the analysis based on that information, the need for manual configuration is reduced significantly.
## Prerequisites
* Gradle 7.3+ (except for 8.1 and 8.2)
* Java 17 or later
Bytecode created by `javac` compilation is required for Java analysis, including Android projects.
See also the [general-requirements](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/scanners/general-requirements "mention").
## Configure the scanner
Installation is automatic, but certain global properties should still be configured. A good place to configure global properties is `~/.gradle/gradle.properties`. Be aware that the scanner uses system properties so all properties should be prefixed by `systemProp`.
```css-79elbk
# gradle.properties
systemProp.sonar.host.url=http://localhost:9000
```
## Analyzing
First, you need to activate the scanner in your build. Kotlin DSL is the default choice for new Gradle builds.
{% tabs %}
{% tab title="KOTLIN DSL" %}
Apply the SonarQube plugin dependency to your `build.gradle.kts` file:
```css-79elbk
plugins {
id("org.sonarqube") version "versionNumber" // Replace with latest scanner version number
}
sonar {
properties {
property("sonar.projectKey", "myProjectKey")
property("sonar.host.url", "myHostUrl")
}
}
```
{% endtab %}
{% tab title="GROOVY DSL" %}
If you use Groovy DSL, it is still supported for Gradle 2.1+. In that case, apply the SonarQube plugin dependency to your `build.gradle` file:
```css-79elbk
plugins {
id "org.sonarqube" version "versionNumber" // Replace with latest scanner version number
}
sonar {
properties {
property "sonar.projectKey", "myProjectKey"
property "sonar.host.url", "myHostUrl"
}
}
```
{% endtab %}
{% endtabs %}
Ensure that you declare the plugins in the correct sequence required by Gradle, that is, after the buildscript block in your `build.gradle` file. More details on [Gradle - Plugin: org.sonarqube](https://plugins.gradle.org/plugin/org.sonarqube).
Assuming a local SonarQube server with out-of-the-box settings is up and running, no further configuration is required.
You need to pass an [generating-and-using-tokens](https://docs.sonarsource.com/sonarqube-server/10.6/user-guide/user-account/generating-and-using-tokens "mention") using one of the following options:
* Use the `sonar.token` property in your command line: Execute `gradle sonar -Dsonar.token=yourAuthenticationToken` and wait until the build has completed.
* Create the `SONAR_TOKEN` environment variable and set the token as its value before you run the analysis.
Once passing your token and running an analysis, open the web page indicated at the bottom of the console output. Your analysis results should be available shortly after the CI-side analysis is complete.
{% hint style="info" %}
The SonarScanners run on code that is checked out. See [verifying-code-checkout-step](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/various-setups/verifying-code-checkout-step "mention").
{% endhint %}
## Analyzing multi-project builds
To analyze a project hierarchy, apply the SonarQube plugin to the root project of the hierarchy. Typically (but not necessarily) this will be the root project of the Gradle build. Information pertaining to the analysis as a whole has to be configured in the `sonar` block of this project. Any properties set on the command line also apply to this project.
A configuration shared between subprojects can be configured in a subprojects block.
```css-79elbk
// build.gradle
subprojects {
sonar {
properties {
property "sonar.sources", "src"
}
}
}
```
Project-specific information is configured in the `sonar` block of the corresponding project.
```css-79elbk
// build.gradle
project(":project1") {
sonar {
properties {
property "sonar.branch.name", "Foo"
}
}}
```
To skip SonarScanner analysis for a particular subproject, set `sonarqube.skipProject` to true.
```css-79elbk
// build.gradle
project(":project2") {
sonar {
skipProject = true
}
}
```
## Task dependencies
All tasks that produce output that should be included in the SonarScanner analysis need to be executed before the `sonar` task runs. Typically, these are compile tasks, test tasks, and [overview](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/test-coverage/overview "mention") tasks.
Starting with v3.0 of the SonarScanner for Gradle, task dependencies are no longer added automatically. Instead, the SonarScanner plugin enforces the correct order of tasks with `mustRunAfter`. You need to be either manually run the tasks that produce output before `sonarqube`, or you can add a dependency to the build script:
```css-79elbk
// build.gradle
project.tasks["sonar"].dependsOn "anotherTask"
```
## Sample project
A simple working example is available at this URL so you can check everything is correctly configured in your env:\
## Adjusting the analysis scope
The analysis scope of a project determines the source and test files to be analyzed.
An initial analysis scope is set by default. With the SonarScanner for Gradle, the initial analysis scope is:
* For source files: all the files stored under `src/main/java` (in the root or module directories).
* For test files: all the files stored under `src/test/java` (in the root or module directories).
Since SonarScanner for Gradle also supports Groovy and Kotlin, the initial scope will also include `src/main/kotlin` or `src/main/groovy` for source and test files, depending on the type of project.
To adjust the analysis scope, you can:
* Adjust the initial scope: see below.
* And/or exclude specific files from the initial scope: see [analysis-scope](https://docs.sonarsource.com/sonarqube-server/10.6/project-administration/analysis-scope "mention").
### Adjusting the initial scope
The initial scope is set through the `sonar.sources` property (for source files) and the `sonar.tests` property (for test files). See [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/analysis-parameters "mention") for more information.
To adjust the initial scope, you can:
* Either override these properties by setting them explicitly in your build like any other relevant gradle property: see [analysis-scope](https://docs.sonarsource.com/sonarqube-server/10.6/project-administration/analysis-scope "mention").
* Or use the scanAll option to extend the initial scope to non-JVM-related files. See below.
### Using the scanAll option to include non-JVM-related files
You may want to analyze not only the JVM main files but also files related to configuration, infrastructure, etc. An easy way to do that is to enable the scanAll option (By default, this option is disabled.)
If the scanAll option is enabled then the initial analysis scope of *source files* will be:
* The files stored in *src/main/java* (and *src/main/kotlin* or *src/main/groovy*, depending on the type of project).
* The non-JVM-related files stored in the root directory of your project.
{% hint style="warning" %}
The scanAll option is disabled if the `sonar.sources` or `sonar.tests` property is overridden.
{% endhint %}
To enable the scanAll option, Set the `sonar.gradle.scanAll` property to `True`.
## Analysis property defaults
The SonarScanner for Gradle uses information contained in Gradle’s object model to provide smart defaults for most of the standard [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/analysis-parameters "mention"), as listed below. Note that additional defaults are provided depending on the projects.
### Gradle defaults for standard Sonar properties
| **Property** | **Gradle default** |
| -------------------------- | ------------------------------------------------------------------------------------------------------ |
| `sonar.projectKey` | `[${project.group}:]${project.name}` for root module; `:` for submodules |
| `sonar.projectName` | `${project.name}` |
| `sonar.projectDescription` | `${project.description}` |
| `sonar.projectVersion` | `${project.version}` |
| `sonar.projectBaseDir` | `${project.projectDir}` |
| `sonar.working.directory` | `${project.buildDir}/sonar` |
### Additional defaults for projects with Java-base or Java plugin applied
| **Property** | **Gradle default** |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `sonar.sourceEncoding` | `${project.compileJava.options.encoding}` |
| `sonar.java.source` | `${project.targetCompatibility}` |
| `sonar.java.target` | `${project.targetCompatibility}` |
| `sonar.sources` | `${sourceSets.main.allJava.srcDirs}` (filtered to only include existing directories) |
| `sonar.tests` | `${sourceSets.test.allJava.srcDirs}` (filtered to only include existing directories) |
| `sonar.java.binaries` | `${sourceSets.main.output.classesDir}` |
| `sonar.java.libraries` | `${sourceSets.main.compileClasspath}` (filtering to only include files; rt.jar and jfxrt.jar added if necessary) |
| `sonar.java.test.binaries` | `${sourceSets.test.output.classesDir}` |
| `sonar.java.test.libraries` | `${sourceSets.test.compileClasspath}` (filtering to only include files; rt.jar and jfxrt.jar added if necessary) |
| `sonar.junit.reportPaths` | `${test.testResultsDir}` (if the directory exists) |
### Additional default for Groovy projects
| **Property** | **Gradle default** |
| ----------------------- | -------------------------------------- |
| `sonar.groovy.binaries` | `${sourceSets.main.output.classesDir}` |
### Additional defaults for Android projects
Additional defaults are provided for Android projects (`com.android.application`, `com.android.library`, or `com.android.test`). By default the first variant of type `debug` will be used to configure the analysis. You can override the name of the variant to be used using the parameter `androidVariant`:
| **Property** | **Gradle default** |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `sonar.sources` (for non test variants) | `${variant.sourcesets.map}` (ManifestFile/CDirectories/AidlDirectories/AssetsDirectories/CppDirectories/JavaDirectories/RenderscriptDirectories/ResDirectories/ResourcesDirectories) |
| `sonar.tests` (for test variants) | `${variant.sourcesets.map}` (ManifestFile/CDirectories/AidlDirectories/AssetsDirectories/CppDirectories/JavaDirectories/RenderscriptDirectories/ResDirectories/ResourcesDirectories) |
| `sonar.java[.test].binaries` | `${variant.destinationDir}` |
| `sonar.java[.test].libraries` | `${variant.javaCompile.classpath} + ${bootclasspath}` |
| `sonar.java.source` | `${variant.javaCompile.sourceCompatibility}` |
| `sonar.java.target` | `${variant.javaCompile.targetCompatibility}` |
```css-79elbk
build.gradle
sonar {
androidVariant 'fullDebug'
}
```
## Passing manual properties / overriding defaults
The SonarScanner for Gradle adds a `sonar` extension to the project and its subprojects, which allows you to configure/override the analysis properties.
```css-79elbk
// in build.gradle
sonar {
properties {
property "sonar.exclusions", "**/*Generated.java"
}
}
```
Sonar properties can also be set from the command line, or by setting a system property named exactly like the Sonar property in question. This can be useful when dealing with sensitive information (e.g. credentials), environment information, or for ad-hoc configuration.
```css-79elbk
gradle sonar -Dsonar.host.url=http://sonar.mycompany.com -Dsonar.verbose=true
```
While certainly useful at times, we recommend keeping the bulk of the configuration in a (versioned) build script, readily available to everyone. A Sonar property value set via a system property overrides any value set in a build script (for the same property). When analyzing a project hierarchy, values set via system properties apply to the root project of the analyzed hierarchy. Each system property starting with `sonar.` will be taken into account.
## Analyzing custom source sets
By default, the SonarScanner for Gradle passes on the project’s main source set as production sources, and the project’s test source set as test sources. This works regardless of the project’s source directory layout. Additional source sets can be added as needed.
```css-79elbk
// build.gradle
sonar {
properties {
properties["sonar.sources"] += sourceSets.custom.allSource.srcDirs
properties["sonar.tests"] += sourceSets.integTest.allSource.srcDirs
}
}
```
## Advanced topics
### If your SonarQube server is secured
If your SonarQube server is [#securing-the-server-behind-a-proxy](https://docs.sonarsource.com/sonarqube-server/10.6/setup-and-upgrade/configure-and-operate-a-server/operating-the-server#securing-the-server-behind-a-proxy "mention") and a self-signed certificate then you must add the self-signed certificate to the trusted CA certificates of the SonarScanner. In addition, if mutual TLS is used then you must define the access to the client certificate at the SonarScanner level.
See [manage-tls-certificates](https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/various-setups/manage-tls-certificates "mention").
### More on configuring SonarQube properties
Let’s take a closer look at the `sonar.properties` block. As we have already seen in the examples, the `property` method allows you to set new properties or override existing ones. Furthermore, all properties that have been configured up to this point, including all properties preconfigured by Gradle, are available via the properties accessor.
Entries in the properties map can be read and written with the usual Groovy syntax. To facilitate their manipulation, values still have their "idiomatic" type (File, List, etc.). After the `sonar.properties` block has been evaluated, values are converted to Strings as follows: Collection values are (recursively) converted to comma-separated Strings, and all other values are converted by calling their `toString` methods.
Because the `sonar.properties` block is evaluated lazily, properties of Gradle’s object model can be safely referenced from within the block, without having to fear that they have not yet been set.
## Troubleshooting
**If you get a java.lang.OutOfMemoryError**
With SonarScanner for Gradle version 6.0 or later
Configure the sonar task in the `build.gradle` file:
```css-79elbk
sonar {
properties {
property("sonar.scanner.javaOpts", "-Xmx512m")
}
}
```
Or set the SONAR\_SCANNER\_JAVA\_OPTS environment variable, like this in Unix environments:
```css-79elbk
export SONAR_SCANNER_JAVA_OPTS="-Xmx512m"
```
In Windows environments, avoid the double quotes, since they get misinterpreted.
```css-79elbk
set SONAR_SCANNER_JAVA_OPTS=-Xmx512m
```
With SonarScanner for Gradle version 5.1 or earlier
Increase the java heap size in your `gradle.properties` file:
```css-79elbk
org.gradle.jvmargs=-Xmx512m
```
**If you get a java.lang.OutOfMemoryError: Metaspace**
With SonarScanner for Gradle version 6.0 or later
Configure the sonar task in the `build.gradle` file:
```css-79elbk
sonar {
properties {
property("sonar.scanner.javaOpts", "--XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M")
}
}
```
Or set the SONAR\_SCANNER\_JAVA\_OPTS environment variable, like this in Unix environments.
```css-79elbk
export SONAR_SCANNER_JAVA_OPTS="-XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M"
```
In Windows environments, avoid the double quotes, since they get misinterpreted.
```css-79elbk
set SONAR_SCANNER_JAVA_OPTS=-XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M
```
With SonarScanner for Gradle version 5.1 or earlier
Increase the java heap size in your `gradle.properties` file:
```css-79elbk
org.gradle.jvmargs=-XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M
```
**Task not found in root project**
Sometimes Gradle has a difficult time seeing arguments as arguments and instead sees them as tasks to perform. When passing commands on Windows, this can be overcome by passing the parameters inside of quotation marks; use `-D "key=value"` instead.
For example, the argument `-D sonar.projectKey=` should be passed as `-D "sonar.projectKey="`