sonar-scanner
Analyze code with SonarQube or SonarCloud
TLDR
- Scan a project using a configuration file named sonar-project.properties in the project's root directory
- Scan a project using a configuration file other than sonar-project.properties
- Print debugging information
- Display help
SYNOPSIS
sonar-scanner [options]
Common usage:
sonar-scanner [-Dproperty=value ...]
sonar-scanner [--debug | -X]
sonar-scanner [--help | -h]
sonar-scanner [--version | -v]
PARAMETERS
-D<property>=<value>
Passes a SonarQube analysis property to the scanner. This is the primary way to configure the analysis, overriding values specified in a sonar-project.properties file. Examples include sonar.projectKey, sonar.sources, sonar.host.url, and sonar.token.
-X, --debug
Enables debug-level logging. This provides verbose output about the scanner's operations and interactions with the SonarQube server, which is extremely useful for troubleshooting analysis issues.
-h, --help
Displays the help message, listing available command-line options and basic usage information for the SonarQube Scanner.
-v, --version
Prints the version of the SonarQube Scanner being used. This information can be helpful for compatibility checks, environment verification, and support requests.
DESCRIPTION
The sonar-scanner command is the universal command-line client used to analyze source code and send the analysis results to a SonarQube server. It is typically run from the root directory of a software project that needs to be analyzed. For a successful analysis, it requires a running SonarQube instance and either a sonar-project.properties file in the project's root or all necessary configuration properties passed directly as command-line arguments.
The scanner performs static code analysis, collects various metrics, identifies code smells, bugs, and vulnerabilities, and then pushes this aggregated data to the SonarQube server for detailed reporting, visualization, and management. It is a crucial component in continuous inspection workflows, enabling seamless integration with CI/CD pipelines to maintain and improve code quality and security standards.
CAVEATS
- Requires a Java Runtime Environment (JRE) version 11 or higher to execute.
- Must be executed from the root directory of the project that is to be analyzed.
- Network connectivity to the SonarQube server is essential for analysis results to be pushed and processed.
- Authentication (typically via a sonar.token property) is often required for production SonarQube instances.
- Project configuration, either through a sonar-project.properties file or direct command-line -D properties, is mandatory.
ANALYSIS PROPERTIES
Most configuration for sonar-scanner is managed through SonarQube analysis properties. These properties can be defined in a sonar-project.properties file located within your project's root directory or supplied directly on the command line using the -D<property>=<value> syntax.
Common properties include sonar.projectKey (unique project identifier), sonar.projectName, sonar.sources (directories to analyze), sonar.host.url (SonarQube server address), and sonar.token (authentication token). Properties provided on the command line always take precedence over those specified in the sonar-project.properties file.
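The precedence rule above, worked through as an added shell example (not the scanner's own code): a constructed sonar-project.properties is merged with -D overrides the way the scanner resolves them, and a small check refuses to pass credential properties (sonar.token, or the older sonar.login/sonar.password) on the command line, where they would be visible in process listings and shell history.

```shell
#!/bin/sh
# Added example: resolve effective SonarQube analysis properties.
# File values come first, command-line -D values override them.

# Write a constructed sonar-project.properties to a temp file and print its path.
make_sample_props() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample project configuration
sonar.projectKey=demo-app
sonar.projectName=Demo App
sonar.sources=src
sonar.host.url=http://localhost:9000
EOF
  printf '%s' "$f"
}

# resolve_props FILE [-Dkey=value ...]
# Prints the effective key=value pairs, sorted; later (-D) entries win.
resolve_props() {
  file=$1; shift
  {
    # file entries, skipping comments and lines without '='
    grep -v '^[[:space:]]*#' "$file" | grep '='
    # command-line overrides with the -D prefix stripped
    for a in "$@"; do
      case $a in -D*=*) printf '%s\n' "${a#-D}";; esac
    done
  } | awk -F= '{ k=$1; sub(/^[^=]*=/, ""); v[k]=$0 }
              END { for (k in v) print k "=" v[k] }' | sort
}

# effective_value FILE KEY [-D...] : print one resolved value
effective_value() {
  file=$1; key=$2; shift 2
  resolve_props "$file" "$@" |
    awk -F= -v k="$key" '$1==k { sub(/^[^=]*=/, ""); print; exit }'
}

# check_no_cli_secret [-D...] : fail (return 1) if a credential property is
# passed via -D; keep it in a permission-restricted file or the environment.
check_no_cli_secret() {
  for a in "$@"; do
    case $a in
      -Dsonar.token=*|-Dsonar.login=*|-Dsonar.password=*) return 1;;
    esac
  done
  return 0
}
```

Run `resolve_props "$(make_sample_props)" -Dsonar.sources=lib` to see the override applied while the other file values are retained.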
HISTORY
The sonar-scanner command evolved from earlier iterations known as SonarQube Runner and before that, Sonar Runner. It was officially renamed to sonar-scanner to more accurately reflect its primary function as a dedicated client for launching code analyses that integrate with the SonarQube platform. Its ongoing development focuses on providing a universal, standalone client for diverse project types, facilitating seamless integration with various build systems and CI/CD pipelines. It continues to be actively maintained and enhanced by SonarSource, the creators of SonarQube.