Automatic analysis

SonarCloud can automatically analyze your code simply by reading it from your repository, without the need to configure a CI-based analysis.

When you first import a project that is compatible with automatic analysis, the first analysis behaves differently from subsequent analyses. The first analysis covers not only the main branch but also the most recently active pull requests, up to a maximum of five. After that, automatic analysis will trigger a new analysis on each push to the default branch and on each push to any pull request branch.

Prerequisites

Currently, automatic analysis has the following limitations:

  • It is only available for GitHub repositories.
  • Branch analysis (analysis of non-pull request branches other than the main branch) is not supported.
  • Multiple projects bound to a single repository (the monorepo strategy) are not supported.
  • Code coverage information is not supported.
  • Import of external rule engine reports is not supported.

Supported languages

Automatic analysis is available for all languages that SonarCloud supports.

However, it does not support Objective-C and there is no plan to support it.

For Java and C#, there are some known limitations. See the dedicated sections below for the details.

Activating automatic analysis

For new projects:

  • After importing a project from GitHub, SonarCloud will automatically check whether your project is eligible for automatic analysis. This should take a few seconds.
    • SonarCloud will deem a project eligible for automatic analysis only if fewer than 20% of the lines of code in the project are in a non-compatible language. 
    • For a Java project to be eligible, the amount of Java code cannot exceed 10MB.
    • SonarCloud will reject a project for automatic analysis if it contains a sonar-project.properties file (see Presence of a properties file).
  • If your project is eligible, SonarCloud will automatically trigger the first analysis. On this first analysis, the system will analyze the main branch of the project and the five most recently active pull requests. All you have to do is wait for the analysis to finish.
  • If your project is not compatible, SonarCloud will suggest other analysis methods such as using a CI tool.
  • You can force automatic analysis on an initially non-eligible project. However, doing this is not recommended as it will typically not provide useful information. To force automatic analysis, do one of the following:
    • From your project’s homepage, click the Force Automatic Analysis button.
    • From your project’s Administration > Analysis Method page, turn on Automatic Analysis.

For existing projects:

  • Go to your project’s Administration > Analysis Method page and turn on Automatic Analysis.
  • The Analysis Method page will display a compatibility check, so you are aware of our recommendations for your specific project.

Presence of a properties file

If you import a project that already contains a sonar-project.properties file, SonarCloud will deem the project ineligible for automatic analysis. You can still force automatic analysis if you choose. The reason for this limitation is that the presence of a sonar-project.properties in a newly imported project usually means that the customer is migrating from SonarQube and probably wishes to continue with the same CI-based configuration as they were using on that platform, particularly since automatic analysis does not offer all of the same features as CI-based analysis.

Analysis Method Indicator

If a project uses automatic analysis, then in the Project Overview > Information under Last analysis method the system will display Analyzed by SonarCloud.

Go to SonarCloud's Information page to see your Last analysis method.
On the SonarCloud > Information page, click on Check analysis method to get more details.

Conflict with CI-based Analysis

Automatic analysis is not intended to be used in conjunction with CI-based analysis.

If you do enable automatic analysis, you must ensure that you do not have any CI-based analyses configured. If you do, these CI-based analyses will fail and cause a failure in your build process.

Similarly, if you wish to use a CI-based analysis on a project, you must ensure that automatic analysis is disabled for that project.

This is done to prevent duplicate analyses from being sent to SonarCloud that would cause problems in your project activity reports.

Deactivating automatic analysis

Go to your project’s Administration > Analysis Method page and turn automatic analysis Off.

From the same page, you can then follow one of our tutorials for configuring SonarCloud analyses with another method.

Additional analysis configuration

You can add more configuration to your analyses by adding a .sonarcloud.properties file to your repository’s default branch. Note that this is different from the sonar-project.properties file used for CI-based analysis.

Here are the supported optional settings for the .sonarcloud.properties file:

# Path to sources
# sonar.sources=
# sonar.exclusions=
# sonar.inclusions=

# Path to tests
# sonar.tests=
# sonar.test.exclusions=
# sonar.test.inclusions=

# Source encoding
# sonar.sourceEncoding=

# Exclusions for copy-paste detection
# sonar.cpd.exclusions=

# Python version (for python projects only)
# sonar.python.version=

# C++ standard version (for C++ projects only)
# If not specified, it defaults to the latest supported standard
# sonar.cfamily.reportingCppStandardOverride=c++98|c++11|c++14|c++17|c++20

Note that some of these settings can also be configured from the SonarCloud UI. In your project’s Administration > General Settings > Analysis Scope > Files, you can define file exclusions and inclusions. If you have different options set on the UI and the .sonarcloud.properties file, SonarCloud will only take into account the one from the .sonarcloud.properties file.

Automatic analysis for Java projects

Automatic analysis provides the quickest way to get your Java project up and running on SonarCloud and see code analysis results fast. 

To be eligible for automatic analysis, your Java project must:

    • use either Maven or Gradle
    • have less than 10MB of code in total

Automatic analysis for Java does have some limitations:

  • XSS (Cross-Site Scripting) issues cannot be detected. To get the full power of Sonar analyzers, you must switch to CI-based analysis.
  • For Gradle-based projects, fewer security issues are detected. To get the full power of Sonar analyzers, you must switch to CI-based analysis.
  • Rules that belong to this list are not supported because the results that they currently produce are not accurate enough (see the line with JAVA_CHECKS_NOT_WORKING_FOR_AUTOSCAN).
  • Not all properties are supported (see below).

Automatic analysis for .NET projects

SonarCloud automatic analysis now also supports .NET projects. .NET Core, .NET 5 and .NET 6 projects can be analyzed but are subject to some limitations:

  • Projects must contain at least 80% code in languages compatible with .NET. The amount of .NET code for automatic analysis is calculated by adding together the *.cs and *.vb files.
  • All security vulnerability rules are supported, except cross-site scripting, which is not available yet. XSS detection is available using CI-based analysis.
  • Projects must contain at least one XML file (*.csproj or *.vbproj). A combination of both file types is acceptable.
  • The csproj/vbproj files must have “Project” as the root element, and “Sdk” as the project attribute. For example, <Project Sdk="Microsoft.NET.Sdk">.
  • Projects must not contain files with the *.shproj extension.

With these limitations in mind, the next step in your Java or .NET project onboarding is to set up CI-based analysis to get the most out of SonarCloud analysis. You can find more information on that here. In the meantime, the capabilities of automatic analysis will continue to evolve and improve.
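
As a local pre-check of the .NET conditions listed above (plus the sonar-project.properties rule from earlier on this page), the following Python script is an added example, not SonarCloud's own eligibility logic. The extension list used as the denominator of the 80% ratio and the use of non-blank lines as the measure of code are assumptions, and all function names are hypothetical.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: extensions treated as "code" for the 80% ratio (illustrative list).
CODE_EXTS = {".cs", ".vb", ".js", ".ts", ".py", ".java", ".go", ".c", ".cpp"}

def is_sdk_style(proj: Path) -> bool:
    """True if the root element is <Project> and it carries an Sdk attribute."""
    try:
        root = ET.parse(proj).getroot()
    except ET.ParseError:
        return False
    # Legacy project files namespace the root tag as {uri}Project; strip that.
    return root.tag.split("}")[-1] == "Project" and "Sdk" in root.attrib

def loc(files, exts) -> int:
    """Non-blank lines in files with the given extensions (assumed LOC measure)."""
    texts = (p.read_text(errors="replace") for p in files if p.suffix.lower() in exts)
    return sum(1 for t in texts for line in t.splitlines() if line.strip())

def check_dotnet_eligibility(repo: Path) -> list[str]:
    """Return the documented conditions the repo fails (empty list = passes)."""
    files = [p for p in repo.rglob("*") if p.is_file()]
    problems = []
    if (repo / "sonar-project.properties").is_file():
        problems.append("sonar-project.properties present")
    if any(p.suffix.lower() == ".shproj" for p in files):
        problems.append("*.shproj file present")
    projects = [p for p in files if p.suffix.lower() in (".csproj", ".vbproj")]
    if not projects:
        problems.append("no *.csproj or *.vbproj file")
    problems += [f"{p.name}: not SDK-style" for p in projects if not is_sdk_style(p)]
    total, dotnet = loc(files, CODE_EXTS), loc(files, {".cs", ".vb"})
    if total == 0 or dotnet / total < 0.80:
        problems.append(f".NET code is {dotnet}/{total} lines, below 80%")
    return problems

def make_repo(files: dict[str, str]) -> Path:  # writes a constructed sample repo
    root = Path(tempfile.mkdtemp())
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    sample = make_repo({"App.csproj": '<Project Sdk="Microsoft.NET.Sdk"/>',
                        "Program.cs": "class P {\n  static void Main() {}\n}\n"})
    print(check_dotnet_eligibility(sample) or "passes the documented checks")
```

An empty result only means the repository meets the conditions this page lists; the compatibility check on the Analysis Method page remains the authoritative answer.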

Automatic analysis for C and C++ projects

There are no additional requirements for C and C++ projects, apart from the standard prerequisites for automatic analysis.

  • C & C++ automatic analysis does not have any toolchain or project structural requirements.
  • C & C++ can be analyzed in combination with all other supported languages (including Java and .NET).

SonarCloud automatic analysis for C and C++ is already available and ready to analyze. The quality of analysis is very similar to a CI-based analysis and, for most users, it is the only analysis you really need.


For other users, there are a few cases where a CI-based analysis remains a better option.

  • If your project is so big that the analysis cannot be completed before the analysis times out, automatic analysis will fail. 
  • If you require faster analysis, you should run the analysis using self-hosted resources with increased hardware capacity. This also allows you to keep full control of the analysis cache if needed.
  • If your project uses generated code that you want to analyze. For example, this can happen in some custom build systems.
  • If you need control over the configuration of your code. For example, with automatic analysis, you cannot choose your code’s target platform/architecture.  Automatic analysis uses a configuration that maximizes the amount of code analyzed and the OS and architecture used for this can differ from your own configuration.
  • If your project is experiencing missing issues. In rare cases, automatic analysis can lead to such limitations.  
