# Using the scanner

You can start the scanner, and thus integrate it into your CI or build pipeline, in the following ways:

* From the command line.\
  A global mode installation of the scanner is required.
* From the command line with npx.\
  No scanner installation is required.
* By adding the analysis step to your build files.\
  The scanner must be added to the project’s devDependencies.

{% hint style="warning" %}
We do not recommend running an antivirus scanner on the machine where a SonarQube Server analysis runs, as it could result in unpredictable behavior.
{% endhint %}

You can pass analysis parameters on the command line and in the analysis step coded in JS. In addition, the SonarScanner for NPM gets analysis parameters from several other sources: see [configuring](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/npm/configuring "mention"). To get started, you must configure at a minimum the SonarQube Server URL and the token used to connect to the server.

{% hint style="info" %}
The SonarScanners run on code that is checked out. See [verifying-code-checkout-step](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/scanner-environment/verifying-code-checkout-step "mention").
{% endhint %}

## Starting the scanner from the command line <a href="#command-line" id="command-line"></a>

1. Make sure the scanner is installed in global mode: see [installing](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/npm/installing "mention").
2. Use the `sonar` command to start the analysis.\
   To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.\
   Example:

```bash
sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```

Passing a project key is optional: the scanner for NPM uses the `name` field of the `package.json` file as the project key. However, you can override the project key by passing `-Dsonar.projectKey` on the command line.

## Starting the scanner from the command line with npx <a href="#npx" id="npx"></a>

* Use the `npx @sonar/scan` command to start the analysis.\
  To pass analysis parameters in the command line, use the standard `-Dsonar.xxx=yyy` syntax.\
  Example:

```bash
npx @sonar/scan -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```

## Adding the analysis step to your build files <a href="#add-to-build-files" id="add-to-build-files"></a>

1. Make sure the scanner is installed in your project’s devDependencies: see [installing](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/npm/installing "mention").
2. Code the analysis step in JS in your build files, as shown in the example below.

```javascript
const scanner = require('@sonar/scan');
scanner(
  {
    serverUrl: 'https://sonarqube.mycompany.com',
    token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f', 
    options: {
      'sonar.projectName': 'My App',
      'sonar.projectDescription': 'Description for "My App" project...',
      'sonar.sources': 'src',
      'sonar.tests': 'test', 
    },
  },
  () => process.exit(),
);
```

Where the syntax is as follows:

```text
scanner ( parameters, [callback] )
```

* parameters (format: Map)
  * serverUrl (format: String; optional): The URL of the SonarQube Server instance. Defaults to the value of the SonarQube Cloud URL (`sonar.scanner.cloudUrl` property).
  * token (format: String; optional): The authentication token used to connect to your instance of SonarQube Server or SonarQube Cloud. Empty by default. See [managing-tokens](https://docs.sonarsource.com/sonarqube-server/user-guide/managing-tokens "mention") for more information on tokens.
  * options (format: Map; optional): Used to pass extra parameters for the analysis. See [configuring](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/npm/configuring "mention") for more details.
* callback (format: Function; optional): Callback (the execution of the analysis is asynchronous).
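The build-file step above embeds the token as a literal, which places a server credential in version control. The following is an added example, not code from the SonarScanner project: it builds the same `parameters` map from the environment and fails closed when the token or URL is unusable. The function names and the choice of `SONAR_TOKEN` and `SONAR_HOST_URL` as variable names populated by your CI secret store are assumptions.

```javascript
// Added example: build scanner() parameters from the environment instead of
// hardcoding the token. Assumes the CI secret store sets SONAR_TOKEN and
// SONAR_HOST_URL; all function names here are hypothetical.

function buildScanParameters(env) {
  const token = (env.SONAR_TOKEN || '').trim();
  if (!token) {
    throw new Error('SONAR_TOKEN is not set; refusing to start the analysis');
  }
  const rawUrl = (env.SONAR_HOST_URL || '').trim();
  if (!rawUrl) {
    throw new Error('SONAR_HOST_URL is not set');
  }
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error('SONAR_HOST_URL is not a valid URL');
  }
  // The token is sent to this host, so require TLS and no userinfo part.
  if (url.protocol !== 'https:') {
    throw new Error('SONAR_HOST_URL must use https');
  }
  if (url.username || url.password) {
    throw new Error('SONAR_HOST_URL must not embed credentials');
  }
  return {
    serverUrl: url.origin + url.pathname.replace(/\/+$/, ''),
    token,
    options: { 'sonar.sources': 'src', 'sonar.tests': 'test' },
  };
}

// Copy of the parameters that is safe to write to a build log.
function redact(parameters) {
  return { ...parameters, token: '***' };
}

function runAnalysis(env = process.env) {
  const parameters = buildScanParameters(env);
  console.log('Starting analysis with', redact(parameters));
  // Loaded here so the validation above also runs where the package is absent.
  const scanner = require('@sonar/scan');
  scanner(parameters, () => process.exit());
}
```

Call `runAnalysis()` from the build script in place of the literal `scanner({...})` call.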

## Starting the scanner from the command line with pnpx <a href="#pnpx" id="pnpx"></a>

`@sonar/scan` has multiple binaries, so pnpx will ask which binary to provide. The approach recommended by pnpm is to use the following syntax:

```bash
pnpm --package=@sonar/scan dlx sonar -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e
```
