SonarQube analysis overview

With SonarQube, you can analyze your project’s main branch. Starting in the Developer Edition, you can analyze multiple branches and pull requests.

Code analysis with the SonarScanner

The SonarScanner performs the source code analysis. It is a stand-alone program that runs on the CI/CD host and sends the analysis results to the SonarQube Server, which processes them, computes the quality gate status, and generates reports.

To perform the analysis, the SonarScanner uses the language analyzers, which it downloads from the SonarQube Server at the start of an analysis. Downloaded analyzers are cached locally, so later runs only fetch analyzers that have changed on the server.

The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, npm, and Python. For other project types, use the SonarScanner CLI, which requires more manual configuration.

Analysis process

Essentially, the main steps of the analysis process are:

  1. Your build or CI pipeline starts the SonarScanner.
  2. The SonarScanner scans the local repository and determines the files to be analyzed according to the configured analysis scope (source and test directories plus any inclusion and exclusion patterns).
  3. The scanner sends an analysis request to each language analyzer, which reads the files to be analyzed from the file system and analyzes them according to the configured quality profile.
  4. The analyzer returns the analysis results (quality measures and issues) to the scanner, which forwards them to the SonarQube Server as a single report.
  5. The SonarQube Server processes the report asynchronously (as a Compute Engine task) to:
    • Identify new issues according to the configured New Code definition and raise them on both the new code and the overall code. The analyzed source is uploaded as part of the report so that users can see the code an issue was raised on; changes that were not analyzed are not visible on the server.
    • Compute the quality gate status.
    • Generate reports.

Integration into your CI pipeline

By integrating SonarQube analysis into your CI pipeline, you can analyze your project's main branch and, starting in Developer Edition, its pull requests and other branches.

The relevant CI pipeline steps with SonarQube integration are:

  1. A developer pushes changes on a branch to the remote repository.
  2. A CI pipeline is triggered for that branch, either by a webhook that the Source Control Management (SCM) system fires on push, or by a CI/CD tool such as Jenkins that polls the repository.
  3. The pipeline clones the remote repository and checks out the relevant branch on the CI/CD host, so that both the code and the SCM metadata (blame information, branch name) are available locally.
  4. For a compiled programming language, the pipeline builds the code first, because some analyzers need the compiled output (the Java analyzer, for example, needs the bytecode).
  5. The pipeline runs the appropriate SonarScanner to analyze the code.
  6. The scanner sends the analysis report to the SonarQube Server, which processes it.
  7. The server's Quality Gate result is returned to the CI pipeline. This step is optional; it can be done either by having the scanner wait for the result (the sonar.qualitygate.wait analysis parameter) or by a webhook that the server calls once it has processed the report.
  8. The pipeline continues if the Quality Gate passes and stops otherwise.
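The pipeline steps above, together with the analysis steps of the previous section, written out as one CI job. This is an added example and not SonarSource's own code. It assumes a Maven project; that the CI system has already cloned and checked out the branch (step 3) and exports CI_BRANCH, SONAR_PROJECT_KEY, SONAR_HOST_URL and, as a secret, SONAR_TOKEN; and that the SonarScanner for Maven reads the host URL and token from those environment variables. It also shows the quality gate check done by hand against the server's Web API (the ce/task and qualitygates/project_status endpoints), for pipelines that do not use sonar.qualitygate.wait. The JSON inputs used to exercise the helpers are constructed for the example, not captured from a server.

```shell
#!/bin/sh
# Added example (not SonarSource code): a CI job that follows the steps
# above for a Maven project on a branch. Assumed to be provided by the CI
# system: CI_BRANCH (branch under analysis), SONAR_PROJECT_KEY,
# SONAR_HOST_URL and, as a secret, SONAR_TOKEN. The token stays in the
# environment, where the scanner is assumed to read it, rather than on the
# command line, where it would appear in process listings and build logs.
set -eu

# Return the value for one key of the scanner's report-task.txt, the
# key=value file the scanner writes after sending its report (under
# target/sonar/ for the Maven scanner, .scannerwork/ for the CLI).
report_task_value() {
  sed -n "s/^$2=//p" "$1"
}

# Extract the quality gate status (OK, ERROR or NONE) from the JSON body
# of GET /api/qualitygates/project_status. sed is used rather than jq so
# the job has no extra dependency; the body is expected in the compact
# form the server returns.
quality_gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# Step 8's decision: only an explicit OK lets the pipeline continue, so an
# unparseable or truncated response fails closed instead of passing.
gate_allows_continue() {
  [ "$(quality_gate_status "$1")" = "OK" ]
}

# Steps 6 and 7 done by hand (for when the scanner is not told to wait):
# poll the Compute Engine task named in report-task.txt until the server
# has processed the report, then fetch the quality gate for that analysis.
check_gate_manually() {
  report_file="$1"
  task_id=$(report_task_value "$report_file" ceTaskId)
  while :; do
    body=$(curl -sf -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/ce/task?id=${task_id}")
    case "$body" in
      *'"status":"SUCCESS"'*) break ;;
      *'"status":"FAILED"'*|*'"status":"CANCELED"'*)
        echo "server failed to process the analysis report" >&2; return 1 ;;
    esac
    sleep 5
  done
  analysis_id=$(printf '%s' "$body" | sed -n 's/.*"analysisId":"\([^"]*\)".*/\1/p')
  body=$(curl -sf -u "${SONAR_TOKEN}:" \
    "${SONAR_HOST_URL}/api/qualitygates/project_status?analysisId=${analysis_id}")
  gate_allows_continue "$body"
}

# Steps 4 to 8. The CI system has already cloned and checked out the
# branch (step 3) by the time this runs.
run_pipeline() {
  branch="${CI_BRANCH:?CI_BRANCH is required}"
  project_key="${SONAR_PROJECT_KEY:?SONAR_PROJECT_KEY is required}"

  # Step 4: build before analysis; the Java analyzer needs the bytecode.
  mvn -B verify

  # Step 5: the SonarScanner for Maven, run as a separate invocation so a
  # failed build never sends a half-built tree for analysis. With
  # sonar.qualitygate.wait=true the scanner polls the server itself and
  # exits non-zero when the gate fails, which covers steps 6 to 8 in one
  # go. sonar.branch.name needs Developer Edition or higher.
  mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
    -Dsonar.projectKey="$project_key" \
    -Dsonar.branch.name="$branch" \
    -Dsonar.qualitygate.wait=true \
    -Dsonar.qualitygate.timeout=300

  echo "quality gate passed on $branch; continuing the pipeline"
}

# Only start the real pipeline when asked to, so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = run ]; then
  run_pipeline
fi
```

Run it from the repository root as `sh ci-sonar.sh run` (the file name is the example's own). Because `set -e` is on, a failing build, a failing scanner, or a failing quality gate all stop the job at that step, which is exactly the stop in step 8. The helpers deliberately fail closed: anything other than a literal OK status, including an error response or an empty body, is treated as a gate failure.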

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.