sonarqube-scanner

What is sonarqube-scanner?

The sonarqube-scanner npm package is a tool that allows you to perform static code analysis using SonarQube from within your Node.js projects. It helps in identifying bugs, vulnerabilities, and code smells in your codebase by integrating with the SonarQube server.

What are sonarqube-scanner's main functionalities?

Basic Scan

This feature allows you to perform a basic scan of your project by specifying the SonarQube server URL and project options such as the project key and source directory.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  () => process.exit()
);

Custom Configuration

This feature allows you to customize the scan configuration by including or excluding specific files and directories.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
      'sonar.inclusions': '**/*.js',
      'sonar.exclusions': 'node_modules/**',
    },
  },
  () => process.exit()
);

Authentication

This feature allows you to authenticate with the SonarQube server using a token, which is useful for secure environments.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    token: 'your-sonarqube-token',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  () => process.exit()
);

Other packages similar to sonarqube-scanner

eslint

ESLint is a widely-used tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. It is highly configurable and can be extended with custom rules. Unlike sonarqube-scanner, ESLint focuses solely on linting JavaScript code and does not provide the comprehensive static analysis features of SonarQube.

jshint

JSHint is another popular static code analysis tool for JavaScript. It helps detect errors and potential problems in your JavaScript code. While it is similar to ESLint, JSHint is less configurable and has fewer features compared to ESLint and sonarqube-scanner.

tslint

TSLint is a linter for TypeScript code, providing static analysis and code quality checks. It is similar to ESLint but specifically designed for TypeScript. TSLint is now deprecated in favor of ESLint with TypeScript support, and it does not offer the extensive analysis capabilities of sonarqube-scanner.

README

NPM module to run SonarQube Server and Cloud analyses

@sonar/scan makes it very easy to trigger SonarQube Server and Cloud analyses on a JavaScript code base, without needing to install any specific tool or (Java) runtime.

This module is analyzed on SonarQube Cloud.

This is the documentation for v4. If you are using v3, refer to the v3 documentation.

Installation

Prerequisite: Node v18+ (for v4 and above)

Prerequisite: Node v16+ (for v3, otherwise use sonarqube-scanner v2.9.1)

This package is available on npm as: @sonar/scan

To install the scanner globally and be able to run analyses on the command line:

npm install -g @sonar/scan

Getting Started

If you want to run an analysis without having to configure anything in the first place, simply run the sonar command. The following example assumes that you have installed SonarQube Server locally:

cd my-project
sonar

or you can use npx without installing:

cd my-project
npx @sonar/scan

Documentation

For the extended information, please refer to its documentation.

License

@sonar/scan is licensed under the LGPL v3 License.