External analyzer reports

How to import into SonarQube Cloud issues generated by third-party analyzers.

Many languages have dedicated analyzers (also known as linters) that are commonly used to spot problems in code. SonarQube can integrate the results from many of these external analyzers. This lets you see this information alongside the other SonarQube metrics and allows the external results to be taken into account when calculating quality gate status.

The sections below explain, for each language, how to integrate external analyzers with SonarQube Cloud. In particular, they detail the analysis parameter that is required within your build environment. For more information about the analysis parameter setup on the CI/CD host, see Analysis parameters.

If your analyzer doesn't integrate with SonarQube Cloud, you can import the external issues either in the generic SonarQube format or in the SARIF format. See Generic issue data or SARIF reports.

Limitations

External analyzer report integration is only available for CI-based analysis. It is not available for automatic analysis.

The external issues will be taken into account by SonarQube in the analysis report and users will be able to resolve an external issue the same way as an internal issue.

But external issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube. External rules are not visible on the Rules page or reflected in any quality profile.

Managing an external issue within SonarQube has no impact on its state in the external tool. For example, when you mark an issue as false positive in SonarQube, it is not reflected in the external tool.

List of supported analyzers

The table below lists the third-party analyzers that integrate with SonarQube Cloud.

Language

External analyzers

Ansible

ansible-lint

Apex

PMD

Cloudformation

AWS CloudFormation Linter

C/C++/Objective-C

Valgrind Memcheck, Valgrind Helgrind

C#/VB.NET

Roslyn (inc. Roslyn analyzers provided by Microsoft)

CSS

StyleLint.io

Docker

Hadolint

GoVet, GoLint, GoMetaLinter, golanci-lint, gosec

Java

SpotBugs, FindSecBugs, FindBugs, PMD, Checkstyle

JavaScript/TypeScript

ESLint

Kotlin

AndroidLint, Detekt, Ktlint

PHP

Psalm, PHPStan

Python

Pylint, Bandit, Flake8, Mypy, Ruff

Ruby

Rubocop

Scala

Scalastyle, Scapegoat

Swift

SwiftLint

Terraform

TFLint

Ansible

You can integrate the following Ansible analyzer with SonarQube: ansible-lint.

To setup the import of issues generated by ansible-lint:

Set up the generation of the reports by ansible-lint in SARIF format and their storing in dedicated import directory(ies). To do so, use the --sarif-file ansible-lint option.
Set up the import of the generated report files by SonarQube. To do so, define on the CI/CD host the analysis parameter sonar.ansible.ansible-lint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Apex

You can integrate the following Apex analyzer with SonarQube: PMD. Note that the format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD.

To setup the import of issues generated by PMD:

Set up the generation of the reports by PMD and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube. To do so, define on the CI/CD host the analysis parameter sonar.apex.pmd.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Cloudformation

You can integrate the following Cloudformation analyzer with SonarQube: AWS CloudFormation Linter.

To setup the import of issues generated by AWS CloudFormation Linter:

Set up the generation of the reports by AWS CloudFormation Linter in JSON format and their storing in a dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.cloudformation.cfn-lint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

C/C++/Objective-C

You can integrate the following C/C++/Objective-C analyzers with SonarQube: Valgrind Memcheck and Valgrind Helgrind.

To setup the import of issues generated by Valgrind Memcheck or Helgrind:

Set up the generation of the reports by Valgrind Memcheck or Helgrind in XML format and their storing in dedicated import directory(ies). To do so, use the Valgrind's XML output facility (--xml=yes).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.cfamily.valgrind.reportsPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

C#/VB.NET

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

Language

Property

Description

sonar.cs.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

sonar.cs.roslyn.bugCategories

sonar.cs.roslyn.vulnerabilityCategories

sonar.cs.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.

VB.NET

sonar.vbnet.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

VB.NET

sonar.vbnet.roslyn.bugCategories

sonar.vbnet.roslyn.vulnerabilityCategories

sonar.vbnet.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.

Roslyn issues with an error severity automatically fail the build, and it is not recommended to run the SonarScanner for .NET’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis, which will close all outstanding issues in the project. See Configuring the scanner for .NET for more information.

CSS

You can integrate the following CSS analyzer with SonarQube: Stylelint.

To setup the import of issues generated by Stylelint:

Set up the generation of the reports by Stylelint and their storing in dedicated import directory(ies). Command example:

stylelint src/*.css --config stylelintconfig.json -f json > stylelint-report.json

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.css.stylelint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Docker

You can integrate the following Docker analyzers with SonarQube: Hadolint.

To setup the import of issues generated by Hadolint:

Set up the generation of the reports by Hadolint in JSON or SonarQube format, and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.docker.hadolint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Go

You can integrate the following Go analyzers with SonarQube: Govet, GoLint, GoMetaLinter, golanci-lint, and gosec.

To setup the import of issues generated by Govet:

Set up the generation of the reports by Govet and their storing in dedicated import directory(ies). Command example:

go vet 2> govet-report.out

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.go.govet.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by GoLint:

Set up the generation of the reports by Govet and their storing in dedicated import directory(ies). Command example:

golint > golint-report.out

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.go.golint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by GoMetaLinter:

Set up the generation of the reports by GoMetaLinterand their storing in dedicated import directory(ies). Command example:

gometalinter > gometalinter-report.out

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.go.gometalinter.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by golangci-lint:

Set up the generation of the reports by golangci-lint in checkstyle format and their storing in dedicated import directory(ies). For the report generation, use the --out-format checkstyle golangci-lint option.
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.go.golangci-lint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by gosec:

Set up the generation of the reports by golangci-lint in SonarQube format and their storing in dedicated import directory(ies).
For the report generation, use the -fmt=sonarqube gosec option.
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.externalIssuesReportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Java

You can integrate the following Java analyzers with SonarQube: SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle. The setup differs depending on whether you use Maven or not.

To setup the import of issues generated by SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle if you use Maven:

Open your pom.xml and in the section add the following plugins:

<plugin>
<groupId>org.apache.maven.plugins</groupId>
   <artifactId>maven-pmd-plugin</artifactId>
   <version> 3.10 . 0 </version>
</plugin>
<plugin>
   <groupId>com.github.spotbugs</groupId>
   <artifactId>spotbugs-maven-plugin</artifactId>
   <version> 3.1 . 1 </version>
   <configuration>
     <effort>Max</effort>
     <threshold>Low</threshold>
     <failOnError> true </failOnError>
     <includeFilterFile>${session.executionRootDirectory}/spotbugs-include.xml</includeFilterFile>
     <plugins>
       <plugin>
         <groupId>com.h3xstream.findsecbugs</groupId>
         <artifactId>findsecbugs-plugin</artifactId>
         <version>LATEST</version> <!-- Auto-update to the latest stable -->
       </plugin>
     </plugins>
   </configuration>
</plugin>

Add or update the section with:

<properties>
<sonar.java.spotbugs.reportPaths>./target/spotbugsXml.xml</sonar.java.spotbugs.reportPaths>
  <sonar.java.pmd.reportPaths>./target/pmd.xml</sonar.java.pmd.reportPaths>`
  <sonar.java.checkstyle.reportPaths>./target/checkstyle-result.xml</sonar.java.checkstyle.reportPaths>
</properties>

Execute the command below:

mvn clean package spotbugs:spotbugs pmd:pmd checkstyle:checkstyle sonar:sonar

To setup the import of issues generated by SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle if you don't use Maven:

Set up the generation of the reports by your third-party tool, and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the following analysis parameter with the list of import directories or files:
- For SpotBugs, FindSecBugs and FindBugs: sonar.java.spotbugs.reportPaths
- For PMD: sonar.java.pmd.reportPaths
- For Checkstyle: sonar.java.checkstyle.reportPaths

These parameters accept a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

JavaScript/TypeScript

You can integrate the following JavaScript/TypeScript analyzer with SonarQube: ESLint.

To setup the import of issues generated by ESLint:

Set up the generation of the reports by ESLint in JSON format, and their storing in dedicated import directory(ies). Command example:

eslint ./ -f json > eslint-report.json

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.eslint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Kotlin

You can integrate the following Kotlin analyzers with SonarQube: AndroidLint, Detekt, and Ktlint.

To setup the import of issues generated by AndroidLint:

Set up the generation of the reports by AndroidLint, and their storing in dedicated import directory(ies). Command example:

gradle lint or $ANDROID_HOME/tools/bin/lint --xml lint-results.xml path/to/project

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.androidLint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by Detekt:

Set up the generation of the reports by Detekt, and their storing in dedicated import directory(ies). Command example:

java -jar path/to/detekt-cli-1.0.0.RC7-3-all.jar -i path/to/project -o path/to/report-directory

Set up the import of the generated report files by SonarQube by defining on the scanner side the analysis parameter sonar.kotlin.detekt.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by Ktlint:

Set up the generation of the reports by Ktlint, and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the scanner side the analysis parameter sonar.kotlin.ktlint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

PHP

You can integrate the following PHP analyzers with SonarQube: Psalm and PHPStan.

To setup the import of issues generated by Psalm:

Set up the generation of the reports by Psalm in the SonarQube format, and their storing in dedicated import directory(ies). To do so, use the --output-format sonarqube Psalm option.
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.php.psalm.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by PHPStan:

Set up the generation of the reports by PHPStan in JSON format, and their storing in dedicated import directory(ies). To do so, use the PHPStan analyse command with the option --error-format=json.
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.php.phpstan.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Python

You can integrate the following Python analyzers with SonarQube: Pylint, Bandit, Flake8, Mypy, and Ruff.

To setup the import of issues generated by Pylint:

Set up the generation of the reports by Pylint, and their storing in dedicated import directory(ies). Use the use --output-format=parseable Pylint option Command example:

pylint <module_or_package> -r n  --output-format=parseable --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > <report_file>

Set up the import of the generated report files by SonarQube by defining on the scanner side the analysis parameter sonar.python.pylint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by Bandit:

Set up the generation of the reports by Bandit, and their storing in dedicated import directory(ies). Command example:

bandit --format json --output bandit-report.json --recursive /path/to/your/python/project

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.python.bandit.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

To setup the import of issues generated by Flake8, Mypy or Ruff:

Set up the generation of the reports by your third-party tool, and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the scanner side the following analysis parameter with the list of import directories or files:
- For Flake8: sonar.python.flake8.reportPaths
- For Mypy: sonar.python.mypy.reportPaths
- For Ruff: sonar.python.ruff.reportPaths

Ruby

You can integrate the following Ruby analyzer with SonarQube: Rubocop.

To setup the import of issues generated by Rubocop:

Set up the generation of the reports by Rubocop, and their storing in dedicated import directory(ies). Command example:

rubocop --format json --out rubocop-report.json

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.ruby.rubocop.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Scala

You can integrate the following Scala analyzers with SonarQube: Scalastyle and Scapegoat.

To setup the import of issues generated by Scalastyle or Scapegoat:

Set up the generation of the reports in the Scalastyle format for both Scalastyle and Scapegoat. Setup also the storing of the generated report files in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the following analysis parameter with the list of import directories or files:

For Scalastyle : sonar.scala.scalastyle.reportPaths
For Scapegoat: sonar.scala.scapegoat.reportPaths

Swift

You can integrate the following Swift analyzer with SonarQube: Swiftlint.

To setup the import of issues generated by Swiftlint:

Set up the generation of the reports by Swiftlint in JSON format, and their storing in dedicated import directory(ies). Command example:

swiftlint lint --reporter json > swiftlint.json

Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.swift.swiftLint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

Terraform

You can integrate the following Terraform analyzer with SonarQube: TFLint.

To setup the import of issues generated by TFLint:

Set up the generation of the reports by TFLint, and their storing in dedicated import directory(ies).
Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.terraform.tflint.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir property (which is by default the directory from which the analysis was started) or absolute.

PreviousTest coverage parameters NextGeneric issue data

Last updated 11 hours ago

Was this helpful?