# External analyzer reports If your analyzer isn’t on this page, see the [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/2025.1/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") for a generic way to import external issues. You can also import [importing-issues-from-sarif-reports](https://docs.sonarsource.com/sonarqube-server/2025.1/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports "mention"). SonarQube Server doesn’t run your external analyzers or generate reports. It only imports pre-generated reports. Below you’ll find language- and tool-specific analysis parameters for importing reports generated by external analyzers. We recommend checking out the [guides](https://community.sonarsource.com/c/clean-code/guides/22) category of the [Sonar community forum](https://community.sonarsource.com/), where you might find instructions on generating these reports. ## Importing reports from third-party tools ### List of properties Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root. | | | | | --------------------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Language** | **Property** | **Remarks** | | Ansible | `sonar.ansible.ansible-lint.reportPaths` | Comma-delimited list of paths to [ansible-lint](https://github.com/ansible/ansible-lint) reports in SARIF format (use `--sarif-file` ansible-lint option). | | Apex | `sonar.apex.pmd.reportPaths` |

Comma-delimited list of paths to PMD Apex. Make sure the path in the PMD report matches the path used by analysis.

Note: The format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD. An alternative is to export to SARIF format instead of PMD.

| | Cloudformation | `sonar.cloudformation.cfn-lint.reportPaths` | Comma-delimited list of paths to [AWS CloudFormation Linter](https://www.google.com/url?q=https://github.com/aws-cloudformation/cfn-lint\&source=gmail-imap\&ust=1681140775000000\&usg=AOvVaw3MREBmob9v1ZGdvw1_POWU) reports in JSON format | | C/C++/Objective-C | `sonar.cfamily.valgrind.reportsPaths` | Comma-delimited list of paths to [Valgrind Memcheck](https://valgrind.org/) and Helgrind XML reports | | CSS | `sonar.css.stylelint.reportPaths` | Comma-delimited list of paths to [StyleLint.io](https://stylelint.io/) reports | | Docker | `sonar.docker.hadolint.reportPaths` | Comma-delimited list of paths to [Hadolint](https://www.google.com/url?q=https://github.com/hadolint/hadolint\&source=gmail-imap\&ust=1681140775000000\&usg=AOvVaw1_iyCCO7v-4-xeurWS0sRk) reports in JSON and \`sonarqube\` format | | Go | `sonar.go.govet.reportPaths` | Comma-delimited list of paths to [GoVet](https://golang.org/cmd/vet/) reports | | Go | `sonar.go.golint.reportPaths` | Comma-delimited list of paths to [GoLint](https://github.com/golang/lint) reports | | Go | `sonar.go.gometalinter.reportPaths` | Comma-delimited list of paths to [GoMetaLinter](https://github.com/alecthomas/gometalinter) reports | | Go | `sonar.go.golangci-lint.reportPaths` |

Comma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option).

Depending on how many issues you’re importing, you might want to disable the max-issues-per-linter option in your golangci config file.

| | Go | `sonar.externalIssuesReportPaths` | Comma-delimited list of paths to [gosec](https://github.com/securego/gosec) reports in SonarQube Server format (use `-fmt=sonarqube` gosec option). Note: this property is the one from [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/2025.1/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") | | Java | `sonar.java.spotbugs.reportPaths` |

SpotBugs, FindSecBugs, or FindBugs report in XML format that specifies:

• sourcepath, a colon separated list of source folders that is essential for SonarQube to map the files.

• xml:withMessages, that maps to the generated report file.

Check out the spotbugs-example project on Github that contains two xml examples.

| | Java | `sonar.java.pmd.reportPaths` | Comma-delimited list of paths to reports from [PMD](http://maven.apache.org/plugins/maven-pmd-plugin/usage.html) | | Java | `sonar.java.checkstyle.reportPaths` | Comma-delimited list of paths to reports from [Checkstyle](http://maven.apache.org/plugins/maven-checkstyle-plugin/checkstyle-mojo) | | JavaScript/Typescript |

• sonar.eslint.reportPaths

• sonar.typescript.tslint.reportPaths

|

• Comma-delimited list of paths to JSON ESLint reports (use -f json ESLint option). Example: eslint ./ -f json > eslint-report.jsonsonar -Dsonar.eslint.reportPaths=eslint-report.json

• eslint ./ -f json > eslint-report.json

• sonar -Dsonar.eslint.reportPaths=eslint-report.json

• Comma-delimited list of paths to TSLint reports in JSON format (use -t json TSLint option)

See the ESLint section of the Javascript/Typescript/CSS page for more information.

| | Kotlin | `sonar.androidLint.reportPaths` | Comma-delimited list of paths to AndroidLint reports | | Kotlin | `sonar.kotlin.detekt.reportPaths` | Comma-delimited list of paths to [Detekt](https://github.com/arturbosch/detekt) reports | | Kotlin | `sonar.kotlin.ktlint.reportPaths` | Comma-delimited list of paths to [Ktlint](https://ktlint.github.io/) reports | | PHP | `sonar.php.psalm.reportPaths` | Comma-delimited list of paths to [Psalm](https://github.com/vimeo/psalm) reports. Reports should be generated in the [generic-issue-import-format](https://docs.sonarsource.com/sonarqube-server/2025.1/analyzing-source-code/importing-external-issues/generic-issue-import-format "mention") (run Psalm with the option `--output-format sonarqube`). | | PHP | `sonar.php.phpstan.reportPaths` | Comma-delimited list of paths to [PHPStan](https://phpstan.org/) reports. Reports should be generated in the [PHPStan JSON Output Format](https://phpstan.org/user-guide/output-format) (use the PHPStan `analyse` command with the option `--error-format=json`). | | Python | `sonar.python.pylint.reportPaths` | Comma-delimited list of paths to [Pylint](http://www.pylint.org/) reports (use `--output-format=parseable`[Pylint option](https://docs.pylint.org/en/1.6.0/output.html)) | | Python | `sonar.python.bandit.reportPaths` | Comma-delimited list of paths to [Bandit](https://github.com/PyCQA/bandit/blob/master/README.rst) reports | | Python | `sonar.python.flake8.reportPaths` | Comma-delimited list of paths to [Flake8](https://flake8.pycqa.org/en/latest/) reports | | Python | `sonar.python.mypy.reportPaths` | Comma-delimited list of paths to [Mypy](https://mypy.readthedocs.io/) reports | | Python | `sonar.python.ruff.reportPaths` | Comma-delimited list of paths to [Ruff](https://beta.ruff.rs/docs/) reports. | | Ruby | `sonar.ruby.rubocop.reportPaths` | Comma-delimited list of paths to [Rubocop](https://github.com/rubocop-hq/rubocop) reports | | Scala | `sonar.scala.scalastyle.reportPaths` | Comma-delimited list of paths to [Scalastyle](http://www.scalastyle.org/) reports | | Scala | `sonar.scala.scapegoat.reportPaths` | Comma-delimited list of paths to [Scapegoat](https://github.com/sksamuel/scapegoat) reports in the **Scalastyle format** | | Swift | `sonar.swift.swiftLint.reportPaths` | Comma-delimited list of paths to [SwiftLint](https://github.com/realm/SwiftLint) reports in JSON format. Use the `--reporter json` option | | Terraform | `sonar.terraform.tflint.reportPaths` | Comma-delimited list of paths to [TFLint](https://www.google.com/url?q=https://github.com/terraform-linters/tflint\&source=gmail-imap\&ust=1681140775000000\&usg=AOvVaw09BuBZwta0XAof1JGQR16u) reports in JSON format | ## External .NET issues Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube Server therefore, no properties exist to enable that behavior. Instead, properties are available to adjust the import and to *stop* importing those issues. | | | | | ------------ | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Language** | **Property** | **Remarks** | | C# | `sonar.cs.roslyn.ignoreIssues` | Set to `true` to disable import of external issues. Defaults to `false`. | | C# | `sonar.cs.roslyn.bugCategories``sonar.cs.roslyn.vulnerabilityCategories``sonar.cs.roslyn.codeSmellCategories` | Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells in [standard-experience](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/analysis-functions/instance-mode/standard-experience "mention"), or Reliability, Security, or Maintainability in [mqr-mode](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/analysis-functions/instance-mode/mqr-mode "mention"). | | VB.NET | `sonar.vbnet.roslyn.ignoreIssues` | Set to `true` to disable import of external issues. Defaults to `false`. | | VB.NET | `sonar.vbnet.roslyn.bugCategories``sonar.vbnet.roslyn.vulnerabilityCategories``sonar.vbnet.roslyn.codeSmellCategories` | Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells in [standard-experience](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/analysis-functions/instance-mode/standard-experience "mention"), or Reliability, Security, or Maintainability in [mqr-mode](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/analysis-functions/instance-mode/mqr-mode "mention"). | Note that Roslyn issues with an *error* severity automatically fail the build. We don’t recommend running the Scanner for .NET’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis. ## External issue lifecycle The lifecycle of external issues is identical to the lifecycle of internal issues. This means that you can resolve an external issue the same way you would resolve an internal issue. For details, see [Managing issues](https://docs.sonarsource.com/sonarqube-server/2025.1/user-guide/issues). Note that managing an external issue within SonarQube Server has no impact on its state in the external tool. For example, when you mark an issue as false positive in SonarQube Server, it is not reflected in the external tool. ## Limitation External issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube Server. External rules are not visible on the Rules page or reflected in any quality profile.