SonarQube

Run SonarQube

Start SonarQube using Docker:

docker run -d --name sonarqube \
  -p 9000:9000 \
  sonarqube:community

SonarQube will be available at:

http://localhost:9000

⏳ Initial startup may take 1–2 minutes.

Initial Login

  • Username: admin
  • Password: admin

You will be required to change the password on first login.

Create a Project

1- Log in to SonarQube

2- Create a new project

3- Copy the Project Key

The Project Key uniquely identifies the project in SonarQube.

Generate an Analysis Token

1- Navigate to:

Account → My Account → Security

2- Generate a new token:

  • Name: any descriptive name (e.g. sonar-analysis)
  • Type: Global Analysis

3- Copy the token immediately

⚠️ Tokens are displayed only once. Store them securely.

Configure the Repository

In the root directory of the repository to analyze, create the following file:

sonar-project.properties

sonar.projectKey=[PROJECT_KEY]
sonar.projectName=[PROJECT_KEY]
sonar.projectVersion=1.0

sonar.sources=.
sonar.sourceEncoding=UTF-8

# Python configuration
sonar.python.version=3.10

# Exclusions
sonar.exclusions=**/venv/**,**/.venv/**,**/__pycache__/**,**/build/**,**/dist/**,**/.git/**

# SonarQube server
sonar.host.url=http://localhost:9000
sonar.token=[SONAR_TOKEN]

⚠️ Security warning: do not commit this file if it contains secrets. Pass the token through an environment variable or a CI/CD secret instead.

Run Sonar Scanner

The analysis is performed using the official Docker-based Sonar Scanner.

Linux

docker run --rm \
  -e SONAR_HOST_URL="http://172.17.0.1:9000" \
  -e SONAR_TOKEN="[SONAR_TOKEN]" \
  -v "$(pwd):/usr/src" \
  sonarsource/sonar-scanner-cli

macOS / Windows

docker run --rm \
  -e SONAR_HOST_URL="http://host.docker.internal:9000" \
  -e SONAR_TOKEN="[SONAR_TOKEN]" \
  -v "$(pwd):/usr/src" \
  sonarsource/sonar-scanner-cli

📌 If the image is not present locally, Docker will download it automatically.

View Results

Once the scan finishes, access the results at:

http://localhost:9000

From the project dashboard you can review:

  • Bugs
  • Vulnerabilities
  • Code Smells
  • Security Hotspots
  • Coverage and maintainability metrics

Best Practices

  • Use sonar.token (sonar.login is deprecated)
  • Avoid committing tokens to version control
  • Tokens do not expire; revoke them if compromised
  • Suitable for CI/CD integration
  • For production usage, consider persistent volumes and an external database

Troubleshooting

Scanner cannot connect to SonarQube

  • Ensure SonarQube finished starting
  • Verify correct host URL for your OS
  • Confirm port 9000 is accessible
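The following wrapper script is an added example, not part of the original page and not SonarSource's own tooling. It ties together three points made above: it refuses to run if sonar-project.properties carries a real sonar.token or sonar.login value (the token must come from the SONAR_TOKEN environment variable), it picks the scanner's host URL from the OS as the Linux and macOS/Windows commands do, and it polls SonarQube's api/system/status endpoint until the server reports UP before launching the scanner, which covers the "scanner cannot connect" case. It assumes docker and curl are installed, that SonarQube listens on localhost:9000 as set up earlier, and that the caller exports SONAR_TOKEN; the script name run-scan.sh and the RUN_SONAR_SCAN variable are my own choices.

```shell
#!/bin/sh
# Added example wrapper around the Docker-based Sonar Scanner (not from the page
# or from SonarSource). Assumptions: docker and curl are on PATH, SonarQube is
# reachable from the host at http://localhost:9000, and SONAR_TOKEN is exported
# by the caller or injected as a CI/CD secret. Save as run-scan.sh and invoke
# with: RUN_SONAR_SCAN=1 sh run-scan.sh [path/to/sonar-project.properties]

# URL the scanner *container* must use to reach SonarQube on the Docker host.
# Takes the output of `uname -s` as an argument so it can be tested directly.
sonar_host_url() {
  case "$1" in
    Linux) echo "http://172.17.0.1:9000" ;;
    *)     echo "http://host.docker.internal:9000" ;;   # macOS / Windows
  esac
}

# True (exit 0) when the properties file contains a real credential: a
# sonar.token= or sonar.login= line whose value is neither empty, nor a
# [PLACEHOLDER], nor an unexpanded ${VARIABLE} reference.
properties_has_secret() {
  grep -E '^[[:space:]]*sonar\.(token|login)[[:space:]]*=' "$1" 2>/dev/null \
    | sed -E 's/^[^=]*=[[:space:]]*//' \
    | grep -Evq '^(\[.*\]|\$\{.*\})?$'
}

# Poll api/system/status until SonarQube reports "UP" (initial startup can
# take 1-2 minutes). Second argument is the number of 2-second attempts.
wait_for_sonarqube() {
  url="$1"; tries="${2:-60}"
  while [ "$tries" -gt 0 ]; do
    if curl -fsS "$url/api/system/status" 2>/dev/null | grep -q '"status":"UP"'; then
      return 0
    fi
    tries=$((tries - 1)); sleep 2
  done
  echo "SonarQube at $url did not report UP in time" >&2
  return 1
}

run_scan() {
  props="${1:-sonar-project.properties}"
  [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
  if properties_has_secret "$props"; then
    echo "refusing to run: $props contains a token; remove it and export SONAR_TOKEN instead" >&2
    return 1
  fi
  [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  host_url="$(sonar_host_url "$(uname -s)")"
  # curl runs on the host, so it checks localhost; the container gets host_url.
  wait_for_sonarqube "http://localhost:9000" || return 1
  docker run --rm \
    -e SONAR_HOST_URL="$host_url" \
    -e SONAR_TOKEN="$SONAR_TOKEN" \
    -v "$(pwd):/usr/src" \
    sonarsource/sonar-scanner-cli
}

# Only start a scan when explicitly asked, so the file can also be sourced.
if [ "${RUN_SONAR_SCAN:-0}" = "1" ]; then
  run_scan "$@"
fi
```

The secret check deliberately accepts the `[SONAR_TOKEN]` placeholder used in the sample configuration above and `${SONAR_TOKEN}`-style references, and rejects anything else, so a file with a pasted token is caught before the scanner ever starts.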

No issues detected

  • Check sonar.sources
  • Review exclusion patterns
  • Verify language and version settings