# Using the scanner

You can start the scanner and thus, integrate it into your CI or build pipeline, in the following ways:

* From the command line.\
  A global mode installation of the scanner is required.
* From the command line with npx.\
  No scanner installation is required.
* By adding the analysis step to your build files.\
  The scanner must be added to the project’s devDependencies.

{% hint style="warning" %}
We do not recommend running an antivirus scanner on the machine where a SonarQube Server analysis runs, it could result in unpredictable behavior.
{% endhint %}

You can pass analysis parameters in the command line and in the analysis step coded in JS. In addition, the SonarScanner for NPM gets analysis parameters from different other sources: see [configuring](https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/npm/configuring "mention"). To get started, you must configure at a minimum the SonarQube Server URL and the token used to connect to the server.

{% hint style="info" %}
The SonarScanners run on code that is checked out. See [verifying-code-checkout-step](https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/scanner-environment/verifying-code-checkout-step "mention").
{% endhint %}

## Starting the scanner from the command line <a href="#command-line" id="command-line"></a>

1. Make sure the scanner is installed in global mode: see [installing](https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/npm/installing "mention").
2. Use the `sonar` command to start the analysis.\
   To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.\
   Example:

```css-79elbk
sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```

Passing a project key is optional: the scanner for NPM uses the `name` field of the `package.json` file as project key. However, you can override the project key by passing the `-Dsonar.projectKey` to the command line.

## Starting the scanner from the command line with npx <a href="#npx" id="npx"></a>

* Use the `npx @sonar/scan` command to start the analysis.\
  To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.\
  Example:

```css-79elbk
npx @sonar/scan -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```

## Adding the analysis step to your build files <a href="#add-to-build-files" id="add-to-build-files"></a>

1. Make sure the scanner is installed in your project’s devDependencies: see [installing](https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/npm/installing "mention").
2. Code the analysis step in JS in your build files, as shown in the example below.

```css-79elbk
const scanner = require('@sonar/scan');
scanner(
  {
    serverUrl: 'https://sonarqube.mycompany.com',
    token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f', 
    options: {
      'sonar.projectName': 'My App',
      'sonar.projectDescription': 'Description for "My App" project...',
      'sonar.sources': 'src',
      'sonar.tests': 'test', 
    },
  },
  () => process.exit(),
);
```

Where the syntax is as follows:

```css-79elbk
scanner ( parameters, [callback] )
```

* parameters (format: Map)
  * serverUrl (format: String; optional): The URL of the SonarQube Server instance. Defaults to the value of the SonarQube Cloud URL (`sonar.scanner.cloudUrl` property).
  * token (format: String; optional): The authentication token used to connect to your instance of SonarQube Server or SonarQube Cloud. Empty by default. See [managing-tokens](https://docs.sonarsource.com/sonarqube-server/2026.1/user-guide/managing-tokens "mention") for more information on tokens.
  * options (format: Map; optional): Used to pass extra parameters for the analysis. See [configuring](https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/npm/configuring "mention") for more details.
* callback (format: Function; optional): Callback (the execution of the analysis is asynchronous).

## Starting the scanner from the command line with pnpx <a href="#pnpx" id="pnpx"></a>

`@sonar/scan` has multiple binaries, so pnpx will ask which binary to provide. The approach recommended by pnpm is to use the following syntax:

```css-79elbk
pnpm --package=@sonar/scan dlx sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-server/2026.1/analyzing-source-code/scanners/npm/using.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.