Comparing changes

base repository: SonarSource/sonar-scanner-npm
base: 4.2.7
head repository: SonarSource/sonar-scanner-npm
compare: 4.2.8
  • 5 commits
  • 3 files changed
  • 3 contributors

Commits on Feb 19, 2025

  1. SCANNPM-67 Update CODEOWNERS after re-org (#188)

    edward-gonzales-sonarsource authored Feb 19, 2025

    Verified

    72397d0

Commits on Feb 20, 2025

  1. SCANNPM-69 - Change the homepage and bugs URLs of the package man… (

    ericmorand-sonarsource authored Feb 20, 2025

    Verified

    95afc8b

Commits on Feb 21, 2025

  1. SCANNPM-68 Prune README and move details to docs/ (#192)

    kebetsi authored Feb 21, 2025

    Verified

    7a42dbd

Commits on Feb 24, 2025

  1. SCANNPM-71 Add new entry to FAQ for pnpm (#195)

    kebetsi authored Feb 24, 2025

    Verified

    fa23a8b

Commits on Feb 25, 2025

  1. SCANNPM-72 Improve README and remove local docs, as we now reference …

    …the one in docs.sonarsource.com (#196)
    kebetsi authored Feb 25, 2025

    Verified

    3243bbb
Showing with 18 additions and 174 deletions.
  1. +1 −1 .github/CODEOWNERS
  2. +4 −0 .pmgrc.toml
  3. +13 −173 README.md
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
@@ -1,3 +1,3 @@
# https://xtranet-sonarsource.atlassian.net/wiki/spaces/RE/pages/2169339970/GitHub+Authentication+Authorization#CODEOWNERS
.github/CODEOWNERS @sonarsource/analysis-js-squad
.github/CODEOWNERS @sonarsource/quality-web-squad

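Review bot: The only rule in this file, `.github/CODEOWNERS @sonarsource/quality-web-squad`, covers the CODEOWNERS file itself, and the hunk header shows the file is three lines long, so after the team rename no other path in the repository has an owner and nothing outside this one file triggers an automatic review request. If the squad is meant to own the whole repository, add a catch-all `* @sonarsource/quality-web-squad` line, or at least a `.github/` rule so CI configuration changes are routed to it. The comment on the first line points at a company Atlassian wiki that outside contributors may not be able to open; a one-line summary of the policy in the comment itself would help.
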
4 changes: 4 additions & 0 deletions .pmgrc.toml
@@ -11,6 +11,10 @@ keywords = [
"sonar-scanner",
"sonar-runner"
]
homepage = "https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/npm/introduction/"

[data.bugs]
url = "https://community.sonarsource.com/tag/scanner"

[data.bin]
sonar = "bin/sonar-scanner.js"
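Review bot: The `homepage` value hard-codes a deep docs path (`/sonarqube-server/latest/analyzing-source-code/scanners/npm/introduction/`), and the README change in this same comparison repeats the identical URL, so a docs reorganisation breaks the published npm metadata and the README together. The README lines being removed used `redirect.sonarsource.com` links for this purpose; a stable redirect here would keep the package page working without a new release. The path also covers only the SonarQube Server docs, while the README title says the module runs both Server and Cloud analyses. The `[data.bugs]` URL is the generic `scanner` tag, so it is worth confirming that reports for this package will be triaged from there.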
186 changes: 13 additions & 173 deletions README.md
@@ -1,209 +1,49 @@
# NPM module to run SonarQube Server and Cloud analyses

`sonarqube-scanner` makes it very easy to trigger SonarQube [Server](https://www.sonarqube.org)
`@sonar/scan` makes it very easy to trigger SonarQube [Server](https://www.sonarqube.org)
and [Cloud](https://sonarcloud.io) analyses on a JavaScript code base, without needing
to install any specific tool or (Java) runtime.

This module is analyzed on SonarQube Cloud.

[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=alert_status)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Maintainability](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=sqale_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Reliability](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=reliability_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Security](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=security_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Releases](https://img.shields.io/github/release/SonarSource/sonar-scanner-npm.svg)](https://github.com/SonarSource/sonar-scanner-npm/releases)
[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=alert_status)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Maintainability](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=sqale_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Reliability](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=reliability_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Security](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-scanner-npm&metric=security_rating)](https://sonarcloud.io/project/overview?id=SonarSource_sonar-scanner-npm) [![Releases](https://img.shields.io/github/release/SonarSource/sonar-scanner-npm.svg)](https://github.com/SonarSource/sonar-scanner-npm/releases) [![npm version](https://badge.fury.io/js/@sonar%2Fscan.svg)](https://badge.fury.io/js/@sonar%2Fscan)

This is the documentation for v4. If you are using v3, refer to [the v3 documentation](https://github.com/SonarSource/sonar-scanner-npm/tree/37797347a30635647da5a45ed912a9ae77405b85).
This is the documentation for v4. If you are using v3, refer to [the v3 documentation](https://github.com/SonarSource/sonar-scanner-npm/tree/3.5.0).

## Installation

_Prerequisite: Node v18+ (for v4 and above)_

_Prerequisite: Node v16+ (for v3, otherwise use sonarqube-scanner v2.9.1)_
_Prerequisite: Node v16+ (for [v3](https://github.com/SonarSource/sonar-scanner-npm/tree/3.5.0), otherwise use sonarqube-scanner [v2.9.1](https://github.com/SonarSource/sonar-scanner-npm/tree/2.9.1))_

This package is available on npm as: `@sonar/scan`

To add code analysis to your build files, simply install the package to your project dev dependencies:

```sh
npm install -D @sonar/scan
```
This package is available on npm as: [`@sonar/scan`](https://www.npmjs.com/package/@sonar/scan)

To install the scanner globally and be able to run analyses on the command line:

```sh
npm install -g @sonar/scan
```

## Usage: add code analysis to your build files

_Prerequisite: you've installed the package as a dev dependency._

The following example shows how to run an analysis on a JavaScript
project, and pushing the results to a SonarQube instance:

```javascript
const scanner = require('@sonar/scan').default;

scanner(
{
serverUrl: 'https://sonarqube.mycompany.com',
token: '019d1e2e04eefdcd0caee1468f39a45e69d33d3f',
options: {
'sonar.projectName': 'My App',
'sonar.projectDescription': 'Description for "My App" project...',
'sonar.sources': 'src',
'sonar.tests': 'test',
},
},
error => {
if (error) {
console.error(error);
}
process.exit();
},
);
```

**Syntax:** sonarqube-scanner **(** `parameters`, [`callback`] **)**

**Arguments**

- `parameters` _Map_
- `serverUrl` _String_ (optional) The URL of the SonarQube Server or Cloud host. Defaults to https://sonarcloud.io
- `token` _String_ (optional) The token used to connect to the SonarQube Server v10+ or SonarQube Cloud. Empty by default.
- `options` _Map_ (optional) Used to pass extra parameters for the analysis. See the [official documentation](http://redirect.sonarsource.com/doc/analysis-parameters.html) for more details.
- `callback` _Function_ (optional)
Callback (the execution of the analysis is asynchronous).
## Getting Started

## Usage: run analyses on the command line

_Prerequisite: you've installed the package globally._

If you want to run an analysis without having to configure anything in the first place, simply run the `sonar-scanner` command. The following
If you want to run an analysis without having to configure anything in the first place, simply run the `sonar` command. The following
example assumes that you have installed SonarQube Server locally:

```
cd my-project
sonar-scanner
sonar
```

**Specifying properties/settings**

- If there's a `package.json` file in the folder, it will be read to feed the analysis with basic information (like project name or version)
- If there's a `sonar-project.properties` file in the folder, it will behave like the [original SonarScanner](https://redirect.sonarsource.com/doc/install-configure-scanner.html)
- Additional [analysis parameters](https://redirect.sonarsource.com/doc/analysis-parameters.html) can be passed on the command line using the standard `-Dsonar.xxx=yyy` syntax

- Example:
or you can use `npx` without installing:

`sonar-scanner -Dsonar.host.url=https://myserver.com -Dsonar.token=019d1e2e04e`

## Usage: run analyses with npx

To run analyses without explicitly installing the scanner, run the following command instead:

```sh
npx @sonar/scan
```

Similar to the above, you can specify analysis properties and settings using either a `package.json` file, a `sonar-project.properties` file, or command line arguments.

## FAQ

#### _I constantly get "Impossible to download and extract binary [...] In such situation, the best solution is to install the standard SonarScanner", what can I do?_

You can install manually the [standard SonarScanner](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/),
which requires to have a Java Runtime Environment available too (Java 8+).

It is important to make sure that the SonarScanner `$install_directory/bin` location is added to the system `$PATH` environment variable. This will ensure that `sonar-scanner` command will be resolved by the customScanner, and prevent the error:

```javascript
Error: Local install of SonarScanner not found.
at getLocalSonarScannerExecutable (<project_dir>/node_modules/@sonar/scan/src/sonar-scanner-executable.js:153:11)
at scanUsingCustomScanner (<project_dir>/node_modules/@sonar/scan/src/index.js:52:3)
...
```

Once local installation is done, you can replace the 2nd line of the example:

```javascript
var scanner = require('@sonar/scan').customScanner;
```

### In my Docker container, the scanner fails with ".../jre/bin/java: not found", how do I solve this?

You are probably relying on Alpine for your Docker image, and Alpine does not include glibc by default.
It needs to be [installed manually](https://laptrinhx.com/docker-for-mac-alpine-glibc-issues-802275018).

Thanks to [Philipp Eschenbach](https://github.com/peh) for troubleshooting this on [issue #59](https://github.com/bellingard/sonar-scanner-npm/issues/59).

## Download From Mirrors (SQ < 10.6 only)

By default, the scanner binaries are downloaded from `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/`.
To use a custom mirror, set `$SONAR_SCANNER_MIRROR`. Or download precise version with `$SONAR_SCANNER_VERSION`

**Example:**

```shell
export SONAR_SCANNER_MIRROR=https://npm.taobao.org/mirrors/sonar-scanner/
export SONAR_SCANNER_VERSION=3.2.0.1227
```

or alternatively set variable in `.npmrc`

```
sonar_scanner_mirror=https://npm.taobao.org/mirrors/sonar-scanner/
sonar_scanner_version=3.2.0.1227
```

For mirrors using Basic HTTP authentication (e.g. Sonatype Nexus 3 `raw-proxy`, Artifactory with `artifactory-cache-proxy`), simply specify the username and password
as part of the URL:

```shell
export SONAR_SCANNER_MIRROR=https://username:password@repo.example.com/mirrors/sonar-scanner/
```

Proxy authentication is supported as well, see below.

## Specifying the cache folder

By default, the scanner binaries are cached into `$HOME/.sonar/native-sonar-scanner` folder.
To use a custom cache folder instead of `$HOME`, set `$SONAR_BINARY_CACHE`.

**Example:**

```shell
export SONAR_BINARY_CACHE=/Users/myaccount/cache
```

or alternatively set variable in `.npmrc`

```
sonar_binary_cache=/Users/myaccount/cache
```

## Download behind proxy

We support the environment variables `http_proxy`/`https_proxy`/`no_proxy` to be able to download binaries behind a proxy.

**Example:**

```shell
export http_proxy=http://mycompanyproxy.com:PORT
export https_proxy=http://mycompanyproxy.com:PORT
#export no_proxy=.some-domain.io # (Optional)

export http_proxy=https://encryptedcompanyproxy.com:PORT
export https_proxy=https://encryptedcompanyproxy.com:PORT
#export no_proxy=.some-domain.io # (Optional)
cd my-project
npx @sonar/scan
```

**Behind authenticated proxy:**

```shell
export http_proxy=http://user:password@mycompanyproxy.com:PORT
export https_proxy=http://user:password@mycompanyproxy.com:PORT
#export no_proxy=.some-domain.io # (Optional)
## Documentation

export http_proxy=https://user:password@encryptedcompanyproxy.com:PORT
export https_proxy=https://user:password@encryptedcompanyproxy.com:PORT
#export no_proxy=.some-domain.io # (Optional)
```
For the extended information, please refer to its [documentation](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/npm/introduction/).

## License
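
Review bot: After this change the README documents only `npm install -g @sonar/scan` and an unpinned `npx @sonar/scan`, and drops the `npm install -D @sonar/scan` path, so neither remaining way of running the scanner goes through the project's lockfile and the `npx` form resolves whatever version is current each time it runs in CI. Keep a one-line dev-dependency install, or show the `npx` command with an explicit version, so builds can pin what they execute. In the new Getting Started section the first fence (`cd my-project` / `sonar`) has no language tag while the others use `sh`, and "For the extended information, please refer to its [documentation]" has no clear antecedent for "its"; something like "For more information, see the scanner documentation" reads better. With the `serverUrl`/`token` and `-Dsonar.token` examples removed, a sentence saying where the token is configured would save first-time users a trip to the docs.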