sonarqube-scanner

What is sonarqube-scanner?

The sonarqube-scanner npm package is a tool that allows you to perform static code analysis using SonarQube from within your Node.js projects. It helps in identifying bugs, vulnerabilities, and code smells in your codebase by integrating with the SonarQube server.

What are sonarqube-scanner's main functionalities?

Basic Scan

This feature allows you to perform a basic scan of your project by specifying the SonarQube server URL and project options such as the project key and source directory.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  () => process.exit()
);

Custom Configuration

This feature allows you to customize the scan configuration by including or excluding specific files and directories.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
      'sonar.inclusions': '**/*.js',
      'sonar.exclusions': 'node_modules/**',
    },
  },
  () => process.exit()
);

Authentication

This feature allows you to authenticate with the SonarQube server using a token, which is useful for secure environments.

const scanner = require('sonarqube-scanner');

scanner(
  {
    serverUrl: 'http://localhost:9000',
    token: 'your-sonarqube-token',
    options: {
      'sonar.projectKey': 'my-project',
      'sonar.sources': 'src',
    },
  },
  () => process.exit()
);

Other packages similar to sonarqube-scanner

eslint

ESLint is a widely-used tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. It is highly configurable and can be extended with custom rules. Unlike sonarqube-scanner, ESLint focuses solely on linting JavaScript code and does not provide the comprehensive static analysis features of SonarQube.

jshint

JSHint is another popular static code analysis tool for JavaScript. It helps detect errors and potential problems in your JavaScript code. While it is similar to ESLint, JSHint is less configurable and has fewer features compared to ESLint and sonarqube-scanner.

tslint

TSLint is a linter for TypeScript code, providing static analysis and code quality checks. It is similar to ESLint but specifically designed for TypeScript. TSLint is now deprecated in favor of ESLint with TypeScript support, and it does not offer the extensive analysis capabilities of sonarqube-scanner.

README

NPM module to run SonarQube/SonarCloud analyses

sonarqube-scanner makes it very easy to trigger SonarQube / SonarCloud analyses on a JavaScript code base, without needing to install any specific tool or (Java) runtime.

This module is analyzed on SonarCloud using itself:

• See the Gulp file
• See the analysis results on SonarCloud

Installation

This package is available on npm as: sonarqube-scanner

To add code analysis to your build files, simply add the package to your project dev dependencies:

npm install -D sonarqube-scanner

To install the scanner globally and be able to run analyses on the command line:

npm install -g sonarqube-scanner

Usage: add code analysis to your build files

Prerequisite: you've installed the package as a dev dependency.

The following example shows how to run an analysis on a JavaScript project using Gulp, and pushing the results to SonarCloud, the online code-analysis service based on SonarQube:

var gulp = require('gulp');
var sonarqubeScanner = require('sonarqube-scanner');

gulp.task('default', function(callback) {
  sonarqubeScanner({
    serverUrl : "https://sonarcloud.io",
    token : "019d1e2e04eefdcd0caee1468f39a45e69d33d3f",
    options : {
      "sonar.organization": "my-org"
    }
  }, callback);
});

Syntax: sonarqube-scanner ( parameters, [callback] )

Arguments

• parameters Map
  • serverUrl String (optional) The URL of the SonarQube server. Defaults to http://localhost:9000
  • token String (optional) The token used to connect to the SonarQube server. Empty by default.
  • options Map (optional) Used to pass extra parameters for the SonarQube analysis. See the official documentation for more details.
• callback Function (optional) Callback (the execution of the analysis is asynchronous).

Usage: run analyses on the command line

Prerequisite: you've installed the package globally.

If you want to run an analysis without having to configure anything in the first place, simply run the sonar-scanner command. The following example assumes that you have installed SonarQube locally:

cd my-project
sonar-scanner

Specifying properties/settings

• If there's a package.json file in the folder, it will be read to feed the analysis with basic information (like project name or version)
• If there's a sonar-project.properties file in the folder, it will behave like the original SonarQube Scanner
• Additional analysis parameters can be passed on the command line using the standard -Dsonar.xxx=yyy syntax

  • Example:

    sonar-scanner -Dsonar.host.url=https://myserver.com -Dsonar.login=019d1e2e04e

FAQ

I constantly get "Impossible to download and extract binary [...] In such situation, the best solution is to install the standard SonarQube Scanner", what can I do?

You can install manually the standard SonarQube Scanner, which requires to have a Java Runtime Environment available too (Java 8+). Once this is done, you can replace the 2nd line of the example by:

var sonarqubeScanner = require('sonarqube-scanner').customScanner;

Download From Mirrors

By default, SonarQube scanner binaries are downloaded from https://sonarsource.bintray.com/Distribution/sonar-scanner-cli/. To use a custom mirror, set $SONAR_SCANNER_MIRROR.

Example:

export SONAR_SCANNER_MIRROR=https://npm.taobao.org/mirrors/sonar-scanner/

License

sonarqube-scanner is licensed under the LGPL v3 License.