10.2 | Analyzing source code | Scanners | SonarScanner

On this page

SonarScanner

The SonarScanner is the scanner to use when there is no specific scanner for your build system.

Configuring your project

Create a configuration file in your project's root directory called sonar-project.properties

# must be unique in a given SonarQube instance
sonar.projectKey=my:project

# --- optional properties ---

# defaults to project key
#sonar.projectName=My project
# defaults to 'not provided'
#sonar.projectVersion=1.0
 
# Path is relative to the sonar-project.properties file. Defaults to .
#sonar.sources=.
 
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

Running SonarScanner from the zip file

To run SonarScanner from the zip file, follow these steps:

  1. Expand the downloaded file into the directory of your choice. We'll refer to it as <INSTALL_DIRECTORY> in the next steps.
  2. Update the global settings to point to your SonarQube server by editing $install_directory/conf/sonar-scanner.properties:

    #----- Default SonarQube server
    #sonar.host.url=
    http://localhost:9000
  3. Add the <INSTALL_DIRECTORY>/bin directory to your path.
  4. Verify your installation by opening a new shell and executing the command sonar-scanner -h, or sonar-scanner.bat -h on Windows. You should get output like this:

    usage: sonar-scanner [options]

    Options:
    -D,--define <arg>     Define property
    -h,--help             Display help information
    -v,--version          Display version information
    -X,--debug            Produce execution debug output


    If you need more debug information, you can add one of the following to your command line: -X--verbose, or -Dsonar.verbose=true.
  5. Run the following command from the project base directory to launch analysis and pass your authentication token: sonar-scanner -Dsonar.token=myAuthenticationToken

    Alternatively, instead of passing the token in your command line, you can create the SONAR_TOKEN environment variable and set the token as its value before you launch the analysis.

Running SonarScanner from the Docker image

To scan using the SonarScanner Docker image, use the following command:

docker run \
    --rm \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    -e SONAR_SCANNER_OPTS="-Dsonar.projectKey=${YOUR_PROJECT_KEY}" \
    -e SONAR_TOKEN="myAuthenticationToken" \
    -v "${YOUR_REPO}:/usr/src" \
    sonarsource/sonar-scanner-cli

Scanning C, C++, or Objective-C projects

Scanning projects that contain C, C++, or Objective-C code requires some additional analysis steps. You can find full details on the C/C++/Objective-C language page.

Sample projects

To help you get started, simple project samples are available for most languages on GitHub. They can be browsed or downloaded. You'll find them filed under sonarqube-scanner/src.

Alternatives to sonar-project.properties

If a sonar-project.properties file cannot be created in the root directory of the project, there are several alternatives:

  • The properties can be specified directly through the command line. Example:
    sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=src1
  • The property project.settings can be used to specify the path to the project configuration file (this option is incompatible with the sonar.projectBaseDir property). Example:
    sonar-scanner -Dproject.settings=../myproject.properties
  • The root folder of the project to analyze can be set through the sonar.projectBaseDir property since SonarScanner 2.4. This folder must contain a sonar-project.properties file if sonar.projectKey is not specified on the command line. Additional analysis parameters can be defined in this project configuration file or through command-line parameters.

Alternate analysis directory

If the files to be analyzed are not in the directory where the analysis starts from, use the sonar.projectBaseDir property to move analysis to a different directory. E.g. analysis begins from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1. This is configured in sonar-project.properties as follows:

sonar.projectBaseDir=/home/ftpdrop/cobol/project1
sonar.sources=src
sonar.cobol.copy.directories=/copy

Advanced Docker configuration

The following sections offer advanced configuration options when running the SonarScanner with Docker. Click the headings to expand the instructions.

Running as a non-root user

You can run the Docker image as a non-root user using the --user option. For example, to run as the current user:

docker run \
    --rm \
    --user="$(id -u):$(id -g)" \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}"  \
    -v "${YOUR_REPO}:/usr/src" \
    sonarsource/sonar-scanner-cli
Caching scanner files

To prevent SonarScanner from re-downloading language analyzers each time you run a scan, you can mount a directory where the scanner stores the downloads so that the downloads are reused between scanner runs. On some CI systems, you also need to add this directory to your CI cache configuration.

The following command will store and use cache between runs:

docker run \
    --rm \
    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
    -v ${YOUR_REPO}:/usr/src \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    sonarsource/sonar-scanner-cli

You can also change the location of where the scanner puts the downloads with the SONAR_USER_HOME environment variable.

Using self-signed certificates

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under /tmp/cacerts to add it to the containers java trust store:

docker pull sonarsource/sonar-scanner-cli
docker run \
    --rm \
    -v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
    -v ${YOUR_REPO}:/usr/src \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    sonarsource/sonar-scanner-cli

Alternatively, you can create your own container that includes the modified cacerts file. Create a Dockerfile with the following contents:

FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacerts

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

docker build --tag our-custom/sonar-scanner-cli .

Troubleshooting

Java heap space error or java.lang.OutOfMemoryError

Increase the memory via the SONAR_SCANNER_OPTS environment variable when running the scanner from a zip file:

export SONAR_SCANNER_OPTS="-Xmx512m"

In Windows environments, avoid the double quotes, since they get misinterpreted, and combine the two parameters into a single one.

set SONAR_SCANNER_OPTS=-Xmx512m

Unsupported major.minor version
Upgrade the version of Java being used for analysis or use one of the native package (that embed its own Java runtime).

Property missing: 'sonar.cs.analyzer.projectOutPaths'. No protobuf files will be loaded for this project.
Scanner CLI is not able to analyze .NET projects. Please, use the SonarScanner for .NET. If you are running the SonarScanner for .NET, ensure that you are not hitting a known limitation.

© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.

Creative Commons License