How to scan only a few files with SonarQube

We want to be able to scan only a few files with SonarQube. Our goal is to scan a select few files whenever checking in code changes. Also, what would be the ideal way to do these tiny scans on each developers machine noting that we have our SonarQube server that scans every night? Will each developer have to have SonarQube installed? Will each developer need a SonarQube SQL database or can the results output to an ASCII text file, or perhaps the results can be scanned and uploaded to a remote SQL database where our server is running?

For reference, our scan commands on the server:

  1. C:\work\sonar\SonarScanner.MSBuild.exe begin /k:MyProject /d:sonar.host.url=http://salamander.com:9000 /d:sonar.login= /d:sonar.cfamily.build-wrapper-output=bw_output

  2. C:\work\sonarWrapper\build-wrapper-win-x86-64.exe --out-dir “bw_output”

  3. C:\work\sonar\SonarScanner.MSBuild.exe end /k:MyProject /d:sonar.login=

Josh,

Using file inclusion/exclusion patterns are a good bet, and those are best set through the Project Administration UI (they’re kind of hard to set in a sonar-project.properties file, since it’s a multi-line setting). Here’s a good article about Narrowing the Focus.

If you use a supported IDE, SonarLint is the best way for developers to get feedback on their code before it’s committed anywhere. That said, since you are using the CFamily plugin and are running on your own instance of SonarQube, I’m assuming you’re utilizing the Developer Edition or above, in which case you have access to Branch Analysis. That might also solve for developers checking their code before it’s merged into the main branch.

Colin

2 Likes

Colin,

Thanks for the response. I looked through that article, but I’m also not a command-line guy. Could you please provide an example of using the inclusion to scan two files at the command-line?

Need to make sure there’s no misunderstanding here.

Is your intent to have SonarQube results updated with the results of these ‘tiny’ scans ? i.e. full scan of the project overnight , and then delta updates over day ?

(SonarQube is not designed to be used as such, but before I go in the explanations for that, I want to make sure that’s your intent)

Or is the use-case to have developers get quality feedback on their code while they’re implementing it ? If so SonarLint, branch analysis, Pull Request analysis are what you need to focus on indeed.

(ultimately @Colin mention of inclusion/exclusion patterns is indeed an answer to ‘scan only a few files’; however I feel like it doesn’t relate to your actual use-case here, which really needs to be clarified)

~1.5 years later: This capability is of significant interest to us, and IDE extensions helps but does not fully resolve our issues in CI/CD pipelines.

We want the extra capabilities sonar scanning provides, but we already know what files changed between our builds. We want a mechanism to inform the Sonar analysis of these file changes rather than the scanner taking time to do full scans to duplicate the information we’re already trying to convey. This is especially useful for providing the quality gates at each incremental build in the shortest amount of time.

What can we do to synchronize what we know about what files changed to avoid having to re-scan unchanged files for analysis that does not need re-scanning (Note: There is an obvious exception for things like code duplication)?

In other words, how much control can you give us for a revised “incremental” or ‘makefile-inspired’ change-set? Note: We look at all these files as a ‘codebase’ with a lot of shared files, which of course has a dependency.