External Analyzer Reports
Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarCloud can integrate the results from many of these external analyzers. This lets you see this information alongside the other SonarCloud metrics and allows the external results to be taken into account when calculating quality gate status.
To set this up you need to configure some SonarCloud analysis parameters in your build environment. Note that external analyzer report integration is only available for CI-based analysis. It is not available for automatic analysis.
Below, you'll find language- and tool-specific analysis parameters for importing reports generated by external analyzers. For information on analysis parameters in general, see Analysis Parameters.
For instructions on generating reports using various external analyzers, see the Guides category of the SonarSource Community forum.
Parameters
Some properties support the following wildcards in paths. The remarks for properties that support wildcards will mention that fact. If wildcards are not mentioned, then they are not supported.
| Symbol | Meaning |
? | a single character |
* | any number of characters |
** | any number of directories |
Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root.
Apex
sonar.apex.pmd.reportPaths
Comma-delimited list of paths to PMD Apex, XML reports.
CloudFormation
sonar.cloudformation.cfn-lint.reportPaths
Comma-delimited list of paths to AWS CloudFormation Linter reports in JSON format
CSS
sonar.css.stylelint.reportPaths
Comma-delimited list of paths to StyleLint.io reports.
Docker
sonar.docker.hadolint.reportPaths
Comma-delimited list of paths to Hadolint reports in JSON and `sonarqube` format
Go
sonar.go.govet.reportPaths
Comma-delimited list of paths to GoVet reports.
sonar.go.golint.reportPaths
Comma-delimited list of paths to GoLint reports.
sonar.go.gometalinter.reportPaths
Comma-delimited list of paths to GoMetaLinter reports.
sonar.go.golangci-lint.reportPaths
Comma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option).
sonar.externalIssuesReportPaths
Comma-delimited list of paths to gosec reports in SonarQube format (use -fmt=sonarqube gosec option). Note: this is the Generic Issue Data parameter.
Java
sonar.java.spotbugs.reportPaths
Comma-delimited list of paths to reports from SpotBugs, FindSecBugs, or FindBugs.
sonar.java.pmd.reportPaths
Comma-delimited list of paths to reports from PMD.
sonar.java.checkstyle.reportPaths
Comma-delimited list of paths to reports from Checkstyle.
JavaScript
sonar.eslint.reportPaths
Comma-delimited list of paths to JSON ESLint reports (use -f json ESLint option).
Kotlin
sonar.androidLint.reportPaths
Comma-delimited list of paths to AndroidLint reports.
sonar.kotlin.detekt.reportPaths
Comma-delimited list of paths to Detekt reports.
PHP
sonar.php.psalm.reportPaths
Comma-delimited list of paths to Psalm reports. SonarCloud expects the reports to be generated in the Generic Issue Format. To produce this format, run Psalm with the option --output-format sonarcloud (or --output-format sonarqube).
sonar.php.phpstan.reportPaths
Comma-delimited list of paths to PHPStan reports. SonarCloud expects the reports to be generated in the PHPStan JSON Output Format. To produce this format, run the PHPStan analyse command with the option --error-format=json.
Python
sonar.python.pylint.reportPaths
Comma-delimited list of paths to Pylint reports (use --output-format=parseable Pylint option).
sonar.python.bandit.reportPaths
Comma-delimited list of paths to Bandit reports.
sonar.python.flake8.reportPaths
Comma-delimited list of paths to Flake8 reports.
sonar.python.mypy.reportPaths
comma-delimited list of paths to Mypy reports.
Ruby
sonar.ruby.rubocop.reportPaths
Comma-delimited list of paths to Rubocop reports.
Scala
sonar.scala.scalastyle.reportPaths
Comma-delimited list of paths to Scalastyle reports.
sonar.scala.scapegoat.reportPaths
Comma-delimited list of paths to Scapegoat reports in the Scalastyle format.
Swift
sonar.swift.swiftLint.reportPaths
Comma-delimited list of paths to SwiftLint reports in JSON format.
Terraform
sonar.terraform.tfLint.reportPaths
Comma-delimited list of paths to TFLint reports in JSON format
TypeScript
sonar.typescript.tslint.reportPaths
Comma-delimited list of paths to TSLint reports in JSON format (use -t json TSLint option).
C#
sonar.cs.roslyn.ignoreIssues
Set to true to disable import of external issues. Defaults to false.
sonar.cs.roslyn.bugCategories
Comma-delimited list of categories whose issues should be classified as bugs.
sonar.cs.roslyn.vulnerabilityCategories
Comma-delimited list of categories whose issues should be classified as vulnerabilities.
sonar.cs.roslyn.codeSmellCategories
Comma-delimited list of categories whose issues should be classified as code smells.
VB.NET
sonar.vbnet.roslyn.ignoreIssues
Set to true to disable import of external issues. Defaults to false.
sonar.vbnet.roslyn.bugCategories
Comma-delimited list of categories whose issues should be classified as bugs.
sonar.vbnet.roslyn.vulnerabilityCategories
Comma-delimited list of categories whose issues should be classified as vulnerabilities.
sonar.vbnet.roslyn.codeSmellCategories
Comma-delimited list of categories whose issues should be classified as code smells.
Notes on external .NET (C# or VB.NET) issues
Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarCloud so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.
Note that Roslyn issues with an error severity automatically fail the build, and it is not recommended to run the SonarScanner for .NET's end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis, which will close all outstanding issues in the project.