Start Free
10.7 | Analyzing source code | Scanners | Scanner environment | Checked-out code

Verifying the code checkout step of your build pipeline

The SonarScanners run on code that is checked out from the repository. During the checkout of a working copy (clone) of the code from the project repository, we recommend using the full depth. Indeed, the so-retrieved SCM metadata enables various features such as:

  • New Code detection:
    • On pull requests, not just the last commit but all the commits that are not on the target branch are considered. This requires a history long enough to find the common commit. 
    • On long-living branches, the New Code definition can be set in different ways but a longer history is always better.
  • Blame information display and automatic issue assignment based on the blame information.
  • Issue backdating

In addition, we recommend cloning all the branches of the repository to avoid reference errors during the checkout. 

With Git, this means using fetch-depth: 0. This disables shallow clones and fetches all branches.  


Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License