Analyze .NET code when build server doesn't have access to SonarQube

System information:

  • SonarQube (on-prem, not available from the Cloud): (Enterprise Edition)
  • Azure DevOps project (Cloud) with SonarQube extension
  • .NET 4.7 codebase (Sonar MSBuild scanner)


  • Use SonarQube in an Azure pipeline where .NET build & test can only be done on a machine with no access to SonarQube


  • Install an Azure DevOps agent on a VM in the protected network (with access to SonarQube)
  • Multi-agent Azure pipeline
    • Agent A: Build & test .NET code
    • Agent B: Analyze code and push results to SonarQube
  • Files can be shared between Agents as build artifacts


  • SonarQube extension prepare task calls SonarQube instance so it must run on Agent B but this task does change several parts of the system (environment variable, SDK files) that are tricky to reproduce manually on Agent A before building and testing .NET code

Is there a clean/easy way to do this?

Hey there.

Most of the analysis occurs during the build phase (it’s where the roslyn analysers are executed that generate the SonarQube issues) which means SonarQube must be accessible to the agent running the build. Sorry :confused: