For accurate branch analysis, do I need to run a scan twice each time I accept a PR?

I am trying to analyze a C++ project with the following set up:

  • Enterprise Edition Version 8.9.3 (build 48735)
  • sonar-scanner-cli-4.8.0.2856-linux

This is a generic question on how to best set up SonarQube. I have a typical project, where developers take forks of a main repo and make pull requests from their forks onto the main. I understand that SonarQube will compare the “new code” in their pull requests against the master branch on the main repo, and can pass or fail the PR based on newly introduced vulnerabilities or code coverage percentage. However, does a separate job need to be set up to constantly be scanning the main repo, in order for the PR analysis to be accurate?

To demonstrate what I mean: say I run a Sonar scan directly on the main repo branch and it shows I have 90% coverage. Now say I have branch analysis configured and merge a PR which should boost my overall coverage to 95%. However, SonarQube doesn’t seem to know that that PR is merged, and continues to show 90% overall coverage until another scan on the main repo branch is run. Does this mean that for an accurate SonarQube setup for a repo that accepts pull requests, the main repo branch needs to be scanned first, and THEN another scan run for the branch analysis itself? Essentially running twice for every PR?

Hi,

You’re on 8.9.3 (note that the latest version is 8.9.10 with the new LTS 9.9 due on 7 Feb). We did some work on the 9 series on improving detection of new code - related to rebasing the feature branch on main IIRC. If you’re not rebasing your feature branches, you’re probably okay without it, but FYI.

Uhm, yeah. That’s the way it works. You have to reanalyze so SonarQube can see the latest state of your code.

No. Just analyze after every commit - that’s kinda our underlying assumption - and you should be good.

HTH,
Ann
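One way to wire this into CI, as an added example that is not from the thread or from SonarSource: a POSIX shell helper that picks the scanner arguments for a push to a long-lived branch versus a pull request, so that main is re-analyzed after every merge and each PR is compared against that fresh baseline. The environment variable names, the project key and the default base branch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): choose sonar-scanner arguments from the
# CI event type. Every push to a long-lived branch re-analyzes that branch, so
# the baseline SonarQube holds for it stays current; every pull request is then
# analyzed as a PR against that baseline. SONAR_HOST_URL, SONAR_TOKEN and
# SONAR_PROJECT_KEY are assumed to come from the CI secret store.

# Print the event-specific sonar-scanner arguments.
#   $1 event kind: "push" or "pr"
#   $2 branch name (push) or PR number (pr)
#   $3 PR source branch (pr only)
#   $4 PR target branch (pr only), assumed to default to "main"
sonar_args() {
  kind="$1"
  case "$kind" in
    push)
      # Branch analysis: updates the stored state of the long-lived branch so
      # later PR analyses diff against the merged code, not a stale snapshot.
      printf '%s' "-Dsonar.branch.name=$2"
      ;;
    pr)
      base="${4:-main}"
      printf '%s' "-Dsonar.pullrequest.key=$2 -Dsonar.pullrequest.branch=$3 -Dsonar.pullrequest.base=$base"
      ;;
    *)
      echo "unknown event kind: $kind" >&2
      return 1
      ;;
  esac
}

# Run sonar-scanner for the event; with DRY_RUN set, only print the command.
run_scan() {
  extra="$(sonar_args "$@")" || return 1
  cmd="sonar-scanner -Dsonar.projectKey=${SONAR_PROJECT_KEY:-my-cpp-project}"
  cmd="$cmd -Dsonar.host.url=${SONAR_HOST_URL:-http://localhost:9000}"
  cmd="$cmd -Dsonar.login=${SONAR_TOKEN:-placeholder-token} $extra"
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$cmd"
  else
    sh -c "$cmd"
  fi
}
```

Invoke `run_scan push main` from the job that fires on every merge to main and `run_scan pr "$PR_NUMBER" "$SOURCE_BRANCH" main` from the PR job; both jobs run the same scanner, only the arguments differ.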