10.4 | Analyzing source code | Scanner environment | Installing the server’s self-signed certificate

On this page

Installing the server’s self-signed certificate into the scanner's truststore

If your SonarQube server is configured with HTTPS and a self-signed certificate (or more generally, an SSL certificate that is not signed by an authority trusted by Java) then you must install the self-signed certificate into the Java truststore of your CI/CD host machine otherwise the scanner will not be able to connect to the server and the analysis will fail.

General procedure

JVM comes with a default truststore called cacerts. It resides in \jre\lib\security\cacerts

To install the certificate into the truststore, use the JVM tool keytool. The instructions depend on your operating system and you will find many resources online, such as this one for Linux.

If running the scanner with Docker

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under /tmp/cacerts to add it to the containers java trust store:

docker pull sonarsource/sonar-scanner-cli
docker run \
    --rm \
    -v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
    -v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
    -v ${YOUR_REPO}:/usr/src \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \

Alternatively, you can create your own container that includes the modified cacerts file. Create a Dockerfile with the following contents:

FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacerts

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

docker build --tag our-custom/sonar-scanner-cli .

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License