sonarqube-scanner
Advanced tools
The sonarqube-scanner npm package is a tool that allows you to perform static code analysis using SonarQube from within your Node.js projects. It helps in identifying bugs, vulnerabilities, and code smells in your codebase by integrating with the SonarQube server.
Basic Scan
This feature allows you to perform a basic scan of your project by specifying the SonarQube server URL and project options such as the project key and source directory.
const scanner = require('sonarqube-scanner');
scanner(
{
serverUrl: 'http://localhost:9000',
options: {
'sonar.projectKey': 'my-project',
'sonar.sources': 'src',
},
},
() => process.exit()
);Custom Configuration
This feature allows you to customize the scan configuration by including or excluding specific files and directories.
const scanner = require('sonarqube-scanner');
scanner(
{
serverUrl: 'http://localhost:9000',
options: {
'sonar.projectKey': 'my-project',
'sonar.sources': 'src',
'sonar.inclusions': '**/*.js',
'sonar.exclusions': 'node_modules/**',
},
},
() => process.exit()
);Authentication
This feature allows you to authenticate with the SonarQube server using a token, which is useful for secure environments.
const scanner = require('sonarqube-scanner');
scanner(
{
serverUrl: 'http://localhost:9000',
token: 'your-sonarqube-token',
options: {
'sonar.projectKey': 'my-project',
'sonar.sources': 'src',
},
},
() => process.exit()
);ESLint is a widely-used tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. It is highly configurable and can be extended with custom rules. Unlike sonarqube-scanner, ESLint focuses solely on linting JavaScript code and does not provide the comprehensive static analysis features of SonarQube.
JSHint is another popular static code analysis tool for JavaScript. It helps detect errors and potential problems in your JavaScript code. While it is similar to ESLint, JSHint is less configurable and has fewer features compared to ESLint and sonarqube-scanner.
TSLint is a linter for TypeScript code, providing static analysis and code quality checks. It is similar to ESLint but specifically designed for TypeScript. TSLint is now deprecated in favor of ESLint with TypeScript support, and it does not offer the extensive analysis capabilities of sonarqube-scanner.
@sonar/scan makes it very easy to trigger SonarQube Server
and Cloud analyses on a JavaScript code base, without needing
to install any specific tool or (Java) runtime.
This module is analyzed on SonarQube Cloud.
This is the documentation for v4. If you are using v3, refer to the v3 documentation.
Prerequisite: Node v18+ (for v4 and above)
Prerequisite: Node v16+ (for v3, otherwise use sonarqube-scanner v2.9.1)
This package is available on npm as: @sonar/scan
To install the scanner globally and be able to run analyses on the command line:
npm install -g @sonar/scan
If you want to run an analysis without having to configure anything in the first place, simply run the sonar command. The following
example assumes that you have installed SonarQube Server locally:
cd my-project
sonar
or you can use npx without installing:
cd my-project
npx @sonar/scan
For the extended information, please refer to its documentation.
@sonar/scan is licensed under the LGPL v3 License.
FAQs
SonarQube/SonarCloud Scanner for the JavaScript world
The npm package sonarqube-scanner receives a total of 382,138 weekly downloads. As such, sonarqube-scanner popularity was classified as popular.
We found that sonarqube-scanner demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket and Seal Security collaborate to fix a critical npm overrides bug, resolving a three-year security issue in the JavaScript ecosystem's most popular package manager.
Security News
TypeScript is porting its compiler to Go, delivering 10x faster builds, lower memory usage, and improved editor performance for a smoother developer experience.
Research
Security News
The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.