Install the server
This section describes a single-node SonarQube instance. For details on clustered setup, see Install the server as a cluster.
A SonarQube instance comprises three components:
- The SonarQube server running the following processes:
  - A web server that serves the SonarQube user interface.
  - A search server based on Elasticsearch.
  - The compute engine in charge of processing code analysis reports and saving them in the SonarQube database.
- The database to store the following:
  - Metrics and issues for code quality and security generated during code scans.
  - The SonarQube instance configuration.
- One or more scanners running on your build or continuous integration servers to analyze projects.
For optimal performance, the SonarQube server and database should be installed on separate hosts, and the server host should be dedicated. The server and database hosts should be located on the same network.
All hosts must be time-synchronized.
Several external database engines are supported. Be sure to follow the requirements listed for your database. They are real requirements, not recommendations.
Create an empty schema and a sonarqube user. Grant this sonarqube user permissions to delete objects for this schema.
Microsoft SQL Server
Collation MUST be case-sensitive (CS) and accent-sensitive (AS).
READ_COMMITTED_SNAPSHOT MUST be set on the SonarQube database.
The MS SQL database's shared lock strategy may impact SonarQube runtime. Make sure that is_read_committed_snapshot_on is set to true to prevent SonarQube from facing potential deadlocks under heavy loads.
Example of query to check
Example of query to update
If your Microsoft SQL Server doesn't support encryption, you must add encrypt=false to the JDBC URL connection string.
If your Microsoft SQL Server requires encryption but you don't want SonarQube to validate the certificate, you must add trustServerCertificate=true to the JDBC URL connection string.
To use integrated security:
- Download the Microsoft SQL JDBC Auth 11.2.2 package and copy mssql-jdbc_auth-11.2.2.x64.dll to any folder in the path of the SonarQube host.
- If you're running SonarQube as a Windows service, make sure the Windows account under which the service is running has permission to connect to your SQL server.
- Ensure that sonar.jdbc.password properties are commented out or SonarQube will use SQL authentication.
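An added example (not part of the SonarQube documentation or code): a shell check that flags the JDBC URL settings described above in a sonar.properties file. The integratedSecurity=true URL parameter is the Microsoft JDBC driver's switch for integrated security and is not shown on this page; the host, database name and password in the sample are constructed.

```shell
#!/bin/sh
# Added example, not SonarQube code: flag weak SQL Server JDBC settings.

# prop <file> <key>: value of the last uncommented definition of <key>.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_jdbc <sonar.properties>: one finding per line; exit status = finding count.
audit_jdbc() {
    url=$(prop "$1" sonar.jdbc.url)
    pass=$(prop "$1" sonar.jdbc.password)
    n=0
    case "$url" in
        jdbc:sqlserver:*) ;;
        *) return 0 ;;                  # only SQL Server URLs are checked here
    esac
    # Driver property names are case-insensitive: lowercase, then match ;key=value;
    opts=";$(printf '%s' "$url" | tr 'A-Z' 'a-z' | tr -d ' ');"
    case "$opts" in *";encrypt=false;"*)
        echo "WARN encrypt=false: the client does not request an encrypted connection"
        n=$((n + 1)) ;;
    esac
    case "$opts" in *";trustservercertificate=true;"*)
        echo "WARN trustServerCertificate=true: the server certificate is not validated"
        n=$((n + 1)) ;;
    esac
    # integratedSecurity=true: driver switch for integrated security
    # (assumption: the parameter is not shown on the page).
    case "$opts" in *";integratedsecurity=true;"*)
        if [ -n "$pass" ]; then
            echo "WARN sonar.jdbc.password is active: SQL authentication will be used"
            n=$((n + 1))
        fi ;;
    esac
    return "$n"
}

# Constructed sample: host, database name and password are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#sonar.jdbc.url=jdbc:h2:tcp://localhost:9092/sonar
sonar.jdbc.url=jdbc:sqlserver://db.example.internal;databaseName=sonar;integratedSecurity=true;trustServerCertificate=true
sonar.jdbc.password=constructed-secret
EOF
audit_jdbc "$sample" || echo "findings: $?"
rm -f "$sample"
```

The non-zero exit status makes the check usable as a gate in a provisioning pipeline before the server is started.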
To use SQL authentication, use the following connection string. Also, ensure that sonar.jdbc.password are set appropriately:
If there are two SonarQube schemas on the same Oracle instance, especially if they are for two different versions, SonarQube gets confused and picks the first it finds. To avoid this issue:
- Either the privileges associated with the SonarQube Oracle user should be decreased.
- Or a trigger should be defined on the Oracle side to automatically alter the SonarQube Oracle user session when establishing a new connection: ALTER SESSION SET current_schema="MY_SONARQUBE_SCHEMA".
Oracle JDBC driver versions 184.108.40.206 and 220.127.116.11 have major bugs, and are not recommended for use with SonarQube (see more details).
If you want to use a custom schema and not the default "public" one, the PostgreSQL search_path property must be set:
SonarQube cannot be run as root on Unix-based systems, so create a dedicated user account for SonarQube if necessary.
<SONARQUBE_HOME> (below) refers to the path to the directory where the SonarQube distribution has been unzipped.
Edit <SONARQUBE_HOME>/conf/sonar.properties to configure the database settings. Templates are available for every supported database. Uncomment and configure the template you need, and comment out the lines dedicated to H2:
Drivers for the supported databases (except Oracle) are already provided. Do not replace the provided drivers; they are the only ones supported.
For Oracle, copy the JDBC driver into
By default, Elasticsearch data is stored in <SONARQUBE_HOME>/data, but this is not recommended for production instances. Instead, you should store this data elsewhere, ideally in a dedicated volume with fast I/O. Beyond maintaining acceptable performance, doing so will also ease the upgrade of SonarQube.
Edit <SONARQUBE_HOME>/conf/sonar.properties to configure the following settings:
The user used to launch SonarQube must have read and write access to those directories.
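An added example (not part of the SonarQube documentation or code): a pre-start shell check for the two requirements above, a non-root launch account and storage directories that account can read and write. sonar.path.data and sonar.path.temp are SonarQube property names that are not shown on this page; treating relative values as relative to the installation directory is an assumption, and the directory layout in the sample is constructed.

```shell
#!/bin/sh
# Added example, not SonarQube code: pre-start check of account and storage paths.
# Run it as the account that will launch SonarQube.

# prop <file> <key>: value of the last uncommented definition of <key>.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# preflight <sonarqube_home> [uid]: one finding per line; exit status = finding count.
preflight() {
    home=$1
    uid=${2:-$(id -u)}
    n=0
    if [ "$uid" -eq 0 ]; then
        echo "FAIL uid 0: SonarQube and its Elasticsearch process cannot run as root"
        n=$((n + 1))
    fi
    # Property names are not shown on the page; relative values are assumed
    # to be relative to the installation directory.
    for key in sonar.path.data sonar.path.temp; do
        dir=$(prop "$home/conf/sonar.properties" "$key")
        [ -n "$dir" ] || dir=${key##*.}          # unset: data/ or temp/ under home
        case "$dir" in /*) ;; *) dir="$home/$dir" ;; esac
        if [ "$key" = sonar.path.data ]; then
            case "$dir/" in "$home"/*)
                echo "WARN Elasticsearch data is stored inside $home"
                n=$((n + 1)) ;;
            esac
        fi
        if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -w "$dir" ]; then
            echo "FAIL $key=$dir is not a readable and writable directory"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed layout in a temporary directory; uid 1000 stands in for the service account.
demo=$(mktemp -d)
mkdir -p "$demo/sq/conf" "$demo/sq/temp" "$demo/vol/data"
printf 'sonar.path.data=%s\n' "$demo/vol/data" > "$demo/sq/conf/sonar.properties"
preflight "$demo/sq" 1000 && echo "preflight clean"
rm -rf "$demo"
```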
The default port is 9000 and the context path is /. These values can be changed in
Execute the following script to start the server:
- On Linux:
- On macOS:
- On Windows:
You can now browse SonarQube at http://localhost:9000 (the default system administrator credentials are
By default, the scripts will use the Java executable available in the PATH. If there are multiple versions of Java installed on your server, you may need to explicitly define which version of Java is used.
It is possible to override the default Java executable by setting the environment variable SONAR_JAVA_PATH. For example, on Windows:
setx SONAR_JAVA_PATH "C:\Program Files\java_home\bin\java.exe"
- Running SonarQube as a service on Windows or Linux
- Running SonarQube behind a proxy
- Monitoring and adjusting Java process memory
SonarQube Docker images support running both on the amd64 architecture and on arm64-based Apple Silicon.
We recommend using Docker Engine version 20.10 and above.
Follow these steps for your first installation:
1. Creating the following volumes helps prevent the loss of information when updating to a new version or upgrading to a higher edition:
   - sonarqube_data: contains data files, such as Elasticsearch indexes
   - sonarqube_logs: contains SonarQube logs about access, web process, CE process, and Elasticsearch
   - sonarqube_extensions: will contain any plugins you install and the Oracle JDBC driver if necessary.
   Create the volumes with the following commands:
2. Drivers for supported databases (except Oracle) are already provided. If you're using an Oracle database, you need to add the JDBC driver to the sonarqube_extensions volume. To do this:
   a. Start the SonarQube container with the embedded H2 database:
   b. Exit once SonarQube has started properly.
   c. Copy the Oracle JDBC driver into
3. Run the image with your database properties defined using the -e environment variable flag:
For Docker-based setups, environment variables supersede all parameters that were provided with properties. See Docker environment variables.
More information about installing and updating SonarQube plugins inside your Docker volume can be found on the Install a plugin page.
- Unless you intend to delete the database and start anew when running your image, be careful not to use docker-compose down, and be careful when running commands like docker system prune or docker volume prune; regardless of whether you use an external: true parameter, your database volumes will not persist beyond the initial startup and shutdown of SonarQube.
If you're using Docker Compose, use the following example as a reference when configuring your .yml file.
The example below will use the latest version of the SonarQube Docker image. If you want to use the LTS version of SonarQube, you need to update the example with the sonarqube:lts-community image tag.
Docker Compose .yml file example
Double-check that the proxy settings are correctly set in <SONARQUBE_HOME>/conf/sonar.properties. Note that if your proxy username contains a backslash, then it should be escaped; a username domain\user in the file should look like this example:
For some proxies, the exception java.net.ProtocolException: Server redirected too many times might mean an incorrect username or password has been configured.
SonarQube starts an Elasticsearch process, and the same account that is running SonarQube itself will be used for the Elasticsearch process. Since Elasticsearch cannot be run as root, that means SonarQube can't be either. You must choose some other, non-root account with which to run SonarQube, preferably an account dedicated to the purpose.
When reporting Quality Gate status to DevOps platforms, SonarQube uses a DNS cache time to live policy of 30 seconds. If necessary, you can change this setting in your JVM:
Please be aware that low values increase the risk of DNS spoofing attacks.
When running in an environment where the DevOps platform or other related tooling is secured by self-signed certificates, the CA needs to be added to the Java truststore of SonarQube.
In a zip installation, the system's truststore can be found in <JAVA_HOME>/lib/security/cacerts. To add a new certificate to the truststore, you can use the following command as an example:
In our official Docker images, you can find the system's truststore in <JAVA_HOME>/lib/security/cacerts. To add new certificates here as well, you can:
- Bind mount an existing truststore containing your certificates to
- Import your CA certificate the same way as in the zip installation but inside the container.
If you deploy SonarQube on Kubernetes using the official Helm Chart, you can create a new secret containing your required certificates and reference this via: