Using the scanner

To start the SonarScanner for NPM, you can either add the analysis step to your build files or start the scanner from the command line (with or without npx).

You can start the scanner, and thus integrate it into your CI or build pipeline, in the following ways:

  • From the command line. A global mode installation of the scanner is required.

  • From the command line with npx. No scanner installation is required.

  • By adding the analysis step to your build files. The scanner must be added to the project’s devDependencies.

You can pass analysis parameters on the command line and in the analysis step coded in JS. In addition, the SonarScanner for NPM reads analysis parameters from several other sources: see Configuring the scanner. To get started, you must configure at a minimum the SonarQube Server URL and the token used to connect to the server.

The SonarScanners run on code that is checked out. See Checked-out code.

Starting the scanner from the command line

  1. Make sure the scanner is installed in global mode: see Installing the scanner.

  2. Use the sonar command to start the analysis. To pass analysis parameters in the command line, use the standard -Dsonar.xxx=yyy syntax. Example:

sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e

Passing a project key is optional: the scanner for NPM uses the name field of the package.json file as the project key. However, you can override the project key by passing -Dsonar.projectKey on the command line.

Starting the scanner from the command line with npx

  • Use the npx @sonar/scan command to start the analysis. To pass analysis parameters in the command line, use the standard -Dsonar.xxx=yyy syntax. Example:

npx @sonar/scan -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e

Adding the analysis step to your build files

  1. Make sure the scanner is installed in your project’s devDependencies: see Installing the scanner.

  2. Code the analysis step in JS in your build files, as shown in the example below.

const scanner = require('@sonar/scan');
scanner(
  {
    // Server URL and token used to connect; the token below is the sample
    // value from this page. Keep real tokens out of committed build files.
    serverUrl: 'https://sonarqube.mycompany.com',
    token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f',
    // Extra analysis parameters, keyed by their sonar.* property names
    options: {
      'sonar.projectName': 'My App',
      'sonar.projectDescription': 'Description for "My App" project...',
      'sonar.sources': 'src',
      'sonar.tests': 'test',
    },
  },
  // Called once the analysis completes; exits the process with its status
  () => process.exit(),
);

Where the syntax is as follows:

scanner ( parameters, [callback] )
  • parameters (format: Map)

    • serverUrl (format: String; optional): The URL of the SonarQube Server instance. Defaults to the value of the SonarQube Cloud URL (sonar.scanner.cloudUrl property).

    • token (format: String; optional): The authentication token used to connect to your instance of SonarQube Server or SonarQube Cloud. Empty by default. See Managing your tokens for more information on tokens.

    • options (format: Map; optional): Used to pass extra parameters for the analysis. See Configuring the scanner for more details.

  • callback (format: Function; optional): Function invoked once the analysis completes (the analysis runs asynchronously).

Starting the scanner from the command line with pnpx

@sonar/scan ships multiple binaries, so pnpx will prompt for which binary to run. The approach recommended by pnpm is to name the binary explicitly with the following syntax:

pnpm --package=@sonar/scan dlx sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
