Azure Pipeline Task SonarQubePrepare@6 looking for online resources

Must-share information (formatted with Markdown):

  • SonarQube 10.5, SonarQube Extension 6.0.0,
  • how is SonarQube deployed via zip
  • Upgrading from Extension 5.20 to 6.0
  • what have you tried so far to achieve this

I am not sure if this is the correct place to post this.
I have recently upgraded my SonarQube Extension to 6.0 and tried to update my yml pipelines files to use the v6 of the task.
I only change the @5 to @6 for the various task involved.
At the SonarQubePrepare task, I get an error that it is searching for a GitHub resource.
The problem for me is that my network is on-premise and not connected to the internet.
Was there some major change to cause this to happen?

Thanks for the advice in advance.

Hey there.

Yes – v6 of the tasks now download the scanner from GitHub. This was done for a few reasons:

  • No longer require a new release of the Scanner for Azure DevOps to allow users to use the newest version of the scanner
  • When there’s a bug in the newest version of the scanner, make it easy for users to revert to an older version without having to release a new version of the task

And as far as I’m aware there was supposed to be a helpful message to tell you what to do in case you don’t have access to the internet… :thinking: I’m following up on that.


With the newest update to the Azure DevOps SonarQube extension, the scanner binaries are no longer embedded, and instead have to be downloaded over the Internet, requiring access to both – and the entire
This latter requirement is proving to be very difficult, if not downright impossible, in our setup with highly limited Internet access. We cannot have open access to the entirety of GitHub.

So I ask

  1. Are you able to narrow this requirement down at all? Say down to a certain github organization or a list of endpoints that are actually needed.
  2. If not, are we able to download the relevant scanner binaries to our VMs ourselves so that they are available locally there and do not need to be downloaded over the public Internet?

Our setup, should it matter

  • SonarQube Self-hosted Developer Edition v9.9.5 (zip)
  • Azure DevOps services + self-hosted Windows agents

Hey all.

We believe we can improve this sooner rather than later with VSTS-385, and for now recommend using v5 of the tasks in offline environments.

That’s good to hear. I’m just hoping all resources that needs to be downloaded from the internet either be embedded or some how be kept in a folder like what Azure DevOps Server has done for updating on-prem agents.

thanks for this answer!
I wasn’t aware of this at all and suddenly faced with this unclear error message last week.

Might it be an option to add a configuration possibility to have control over the download location?
For example, we allow access from our build agents to our Artifactory instance and some pipelines already retrieve the sonar scanners from there (Artifactory basically acting as a “proxy”).

Would be great to have this, since I definitely like the idea of having control over the scanner version without having to change the extension version and also having a more lightweight extension.

Thanks for your great work!

Hi Colin,

Thanks for the update. I can now see the status of the issue is changed from Open to In Progress.

Can you give a date when you expecting the new task?

Assuming no blockers, it will probably be next week or the week after. Please come make some noise if we haven’t gotten it together by mid-july. :slight_smile:

Wiil do :wink:

Thanks for the update…

Hi @Colin,
Saw the release for SonarQube extension 6.2.0.
Is this the one that will work for us or there is another version in the pipeline?

Yes, v6.2 includes a fix for VSTS-385 . :slight_smile:

Ping @cabu

1 Like

What about my suggestion to have the possibility to override the scanner location?
Just whitelisting GitHub is probably not an option for us and we already have an Artifactory proxy to Maybe even a local path could be sufficient after deploying the scanners to the build agents.

Hey @JuMi

We’ll keep our ears open for more similar feedback, but right now that’s not planned.