The configuration file for the scanner should be at the root of your source code repository.

One possible workflow could be like this:

user commits to SCM → CI/CD pipeline starts to build and test → during this run the sonar scanner is triggered → the scanner looks for issues in the code and reports the findings to your SonarQube instance → depending on the code and the quality gate, the pipeline step will pass or fail and report back to the SCM to let the developer know.

As there are properties used by the scanner that don't change much, like the sonar.projectKey, they can be stored in the SCM as well to ease the configuration of your CI/CD pipeline (treat the sonar.login as a secret though). This is optional btw.: as you can see from the command in the setup wizard, you can also just pass them via parameters every time.
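The split described above, as an added example that is not part of the original post: the non-secret properties live in a constructed sonar-project.properties at the repo root, while sonar.login is taken only from a SONAR_TOKEN environment variable (an assumed name for the CI secret), and the step refuses to run if a login/token has been committed to the file.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the CI system exposes the
# SonarQube token as the SONAR_TOKEN environment variable and runs from the repo root.

# Constructed sample of the file committed to the SCM: only non-secret settings.
write_sample_properties() {
  cat > "$1" <<'EOF'
# non-secret scanner settings, safe to commit
sonar.projectKey=my-org_my-service
sonar.projectName=My Service
sonar.sources=src
sonar.host.url=https://sonarqube.example.internal
EOF
}

# Extracts sonar.projectKey from the committed file (so the pipeline needs no copy of it).
read_project_key() {
  sed -n 's/^[[:space:]]*sonar\.projectKey[[:space:]]*=[[:space:]]*//p' "$1"
}

# Fails if a secret property (login, token, password) was committed to the SCM.
check_no_committed_secret() {
  if grep -Eq '^[[:space:]]*sonar\.(login|token|password)[[:space:]]*=' "$1"; then
    echo "refusing to run: sonar.login/sonar.token/sonar.password must not be in $1" >&2
    return 1
  fi
  return 0
}

# Builds the scanner command line; the token comes only from the environment.
# Do not echo the result into CI logs, since it carries the token.
build_scanner_cmd() {
  check_no_committed_secret "$1" || return 1
  [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  echo "scanning project $(read_project_key "$1")" >&2
  printf 'sonar-scanner -Dsonar.login=%s\n' "$SONAR_TOKEN"
}
```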