How does sonar scm analysis work?

Hi there,

I’m using sonar-scanner cli 7.2.0.5079. This is being used to analyze Gitlab merge requests on CI with merged result pipelines enabled. For example: Merged results pipelines | GitLab Docs. We’ve noticed that the SCM analysis often identifies the incorrect merge-base in this setup. This also changes on subsequent retries of the same pipeline.

I came across No merge base found between HEAD and refs/heads/master for PR analysis - #2 by ganncamp which talks about the merged result pipelines being a probable cause for it. But does not go into much detail.

Can someone help me understand the root cause of this? And what could be ways to solve this?

Hi again,

So looks like SonarCloud finds files that are not related to a Pull Requests as "new code" - #32 by Michael_Carter was a solution that worked for us too.

I’m still looking to understand

  1. Why does sonar-scanner prefer refs/heads/development over refs/remotes/origin/development? In a CI environment, the local reference for a branch would always be stale unless that is explicitly checked out.
  2. What impact could the gitlab merge commit have on finding the correct merge base?

Hi,

Analysis works from the SCM metadata in the analysis environment. refs/remotes/origin/development is not in the local environment, so it’s not available to analysis.

Analysis works on the code in the local environment. If there are changes subsequent to checkout, then you’re not analyzing what you think you are.

HTH,
Ann

Hi Ann,

Thank you for the details. Could there also be issues due to using a temporary commit that merges the source and target branches to verify issues?

For example the Merged results pipelines | GitLab Docs pipelines

Hi,

Yes, absolutely. Don’t do a merge commit before analysis. I’ve forgotten the details, but it will screw things up.

Ann

Hi Ann,

Is there any chance you can also provide the details for this? I’m happy to refer any documentation/code that talks about this too.

We depend on merged pipelines since that helps us avoid a lot of nasty scenarios that would come up in case we were to merge based on individual branch builds and tests, and I wanted to understand why the opposite would be true for running sonar analysis.

Thanks

Hi,

I don’t have the details readily to hand. I can put this in queue for someone who might, but it may be a long wait.

In the meantime, I urge you to consider running analysis before your merge commit.

Ann
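The two open questions in this thread (local vs. remote target ref, and a temporary merge commit at HEAD) both come down to what `git merge-base` returns. The script below is an added example, not part of the thread or of sonar-scanner; it builds a throwaway repository with constructed commits D0, D1, D2 and F1, then shows the merge base and the number of commits a diff against that base would treat as new for each reference choice. It assumes `git` is on PATH and does not model how sonar-scanner itself picks the ref.

```shell
#!/bin/sh
# Constructed history:  development: D0 - D1 - D2      feature: D1 - F1
# CI-style refs: refs/remotes/origin/development is current (D2),
# refs/heads/development is stale (D0), and a GitLab-style merged result
# is a detached merge of F1 onto D2.
set -e

REPO=$(mktemp -d)
g() { git -C "$REPO" "$@"; }

g init -q
g symbolic-ref HEAD refs/heads/development
g config user.email "ci@example.invalid"
g config user.name "ci"
g commit -q --allow-empty -m D0
D0=$(g rev-parse HEAD)
g commit -q --allow-empty -m D1
D1=$(g rev-parse HEAD)            # true fork point of the feature branch
g checkout -q -b feature
g commit -q --allow-empty -m F1
F1=$(g rev-parse HEAD)
g checkout -q development
g commit -q --allow-empty -m D2   # target branch moved on after the fork
D2=$(g rev-parse HEAD)

g update-ref refs/remotes/origin/development "$D2"   # fresh fetch
g update-ref refs/heads/development "$D0"            # stale local branch

# Temporary merge commit, as a merged results pipeline would check out.
g checkout -q --detach "$F1"
g merge -q --no-edit -m "merged result" refs/remotes/origin/development
MERGED=$(g rev-parse HEAD)

merge_base() { g merge-base "$1" "$2"; }
# Commits reachable from $1 but not from $2: what a diff against that base sees as new.
new_commits() { g rev-list --count "$2..$1"; }

report() {
  printf '%-34s base=%.7s new=%s\n' "$1" "$(merge_base "$2" "$3")" "$(new_commits "$2" "$3")"
}
printf 'D0=%.7s D1=%.7s D2=%.7s F1=%.7s M=%.7s\n' "$D0" "$D1" "$D2" "$F1" "$MERGED"
report "feature vs stale local ref"   "$F1" refs/heads/development           # base D0, new 2 (D1 counted)
report "feature vs remote ref"        "$F1" refs/remotes/origin/development  # base D1, new 1 (F1 only)
report "merged result vs remote ref"  "$MERGED" refs/remotes/origin/development  # base D2, new 2 (F1 + merge)
report "merged result vs stale local" "$MERGED" refs/heads/development       # base D0, new 4
```

The base shifts from the real fork point D1 to D0 (stale local ref) or to D2 (merge commit at HEAD), which is the kind of unrelated "new code" the linked thread describes.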