In PR Validation I want to scan only the changed file

We have a SonarQube Enterprise Edition server and the repo is in Azure DevOps cloud. In the PR validation pipeline I just want to scan only the files changed in that PR. The Azure DevOps pipeline runs on a self-hosted agent.

Hey there.

What version of SonarQube Server are you using? This information is requested in the template post, and can be found in the footer of your instance.

  • Enterprise Edition

  • v2025.5 (113872)

How can I log a support ticket?

If you have access to Support, you should have been given instructions for logging into the support portal. Otherwise, you get this Community!

This should be the default behavior. What are you seeing instead? Screenshots, logs are all very helpful here!

12_Run Code Analysis.txt (358.6 KB) please find the log

This is a screenshot of the support tab; I don’t know what to do.

Hey @bairagi

That means your instance doesn’t have access to commercial support.

Your logs show that analysis is pretty fast (and makes use of caching) up to the in-depth security analysis.

2025-11-25T15:09:06.3975653Z 16:09:06.397  INFO: Sensor CSharpSecuritySensor [security]
2025-11-25T15:09:06.3978390Z 16:09:06.397  INFO: 27 taint analysis rules enabled.
2025-11-25T15:09:15.9241853Z 16:09:15.922  INFO: Analyzing 152933 UCFGs to detect vulnerabilities.
....
2025-11-25T15:44:34.0481408Z 16:44:34.018  INFO: Sensor CSharpSecuritySensor [security] (done) | time=2127621ms

Unfortunately, this security analysis doesn’t make use of caching, and there’s no way around that for now (it might change in the future). The only way to avoid this entirely would be to turn off roslyn.sonaranalyzer.security.cs rules in your Quality Profile. :confused:
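To see where the time goes in a scanner log like the excerpt above, the following added example (not part of the original post and not Sonar tooling) ranks sensors by their `(done) | time=` values and reports which one dominates. The security sensor lines reuse the format and values quoted in the thread; the other two sensor names and timings are constructed for contrast.

```python
import re

# Sensor-completion lines, e.g.
# "INFO: Sensor CSharpSecuritySensor [security] (done) | time=2127621ms"
SENSOR_DONE = re.compile(r"INFO: Sensor (?P<name>.+?) \(done\) \| time=(?P<ms>\d+)ms")
UCFG_COUNT = re.compile(r"INFO: Analyzing (?P<n>\d+) UCFGs")

# Constructed sample log. Only the CSharpSecuritySensor lines come from the
# thread; the "Example..." sensors are hypothetical names with made-up timings.
SAMPLE_LOG = """\
2025-11-25T15:08:20.0000000Z 16:08:20.000  INFO: Sensor ExampleFastSensor [demo] (done) | time=41250ms
2025-11-25T15:08:22.0000000Z 16:08:22.000  INFO: Sensor ExampleCachedSensor [demo] (done) | time=1830ms
2025-11-25T15:09:06.3975653Z 16:09:06.397  INFO: Sensor CSharpSecuritySensor [security]
2025-11-25T15:09:06.3978390Z 16:09:06.397  INFO: 27 taint analysis rules enabled.
2025-11-25T15:09:15.9241853Z 16:09:15.922  INFO: Analyzing 152933 UCFGs to detect vulnerabilities.
2025-11-25T15:44:34.0481408Z 16:44:34.018  INFO: Sensor CSharpSecuritySensor [security] (done) | time=2127621ms
"""

def sensor_times(log_text):
    """Return {sensor name: total milliseconds} from '(done) | time=' lines."""
    totals = {}
    for m in SENSOR_DONE.finditer(log_text):
        totals[m["name"]] = totals.get(m["name"], 0) + int(m["ms"])
    return totals

def ucfg_count(log_text):
    """Number of UCFGs the taint analysis reported, or None if not logged."""
    m = UCFG_COUNT.search(log_text)
    return int(m["n"]) if m else None

def dominant_sensors(log_text, threshold=0.5):
    """Sensors whose share of the summed sensor time is >= threshold."""
    totals = sensor_times(log_text)
    grand = sum(totals.values())
    if grand == 0:
        return []  # no completed sensors in this log
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(n, ms, round(ms / grand, 3)) for n, ms in ranked if ms / grand >= threshold]

if __name__ == "__main__":
    for name, ms in sorted(sensor_times(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ms / 60000:8.1f} min  {name}")
    print("UCFGs analyzed:", ucfg_count(SAMPLE_LOG))
    print("dominant:", dominant_sensors(SAMPLE_LOG))
```

Running the same functions over logs from successive pipeline runs shows whether a slowdown tracks the UCFG count or a different sensor.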

Hi Colin,
Generally the scanning time was 30-40 mins; suddenly the time increased to 80-90 mins. Can you please help with this? Basically the UCFGs are taking too much time. I have also added the logs.

scan log.txt (203.3 KB)

Hi,

Are you still running 2025.5? November was a long time ago and there’s a new LTA out: 2026.1. Can you upgrade and see if this is still a problem?

 
Thx,
Ann

We have already updated to the latest version, 2026.1, but the issue is still there.

Hi,

Thanks for confirming that. I’ve flagged this for the team.

 
Ann

Hey @bairagi,

Thanks for reaching out. The taint analysis team will try to reproduce the issue in order to take a closer look. To do that, we need some more information:

  • Is the project that you are analyzing open-source by any chance?
    • If not, are you willing to share the generated UCFG directory (see <projectDir>/.sonarqube/out/ucfg2/cs) with us (or only me - privately)?
  • Do you know when the time increase appeared for the first time?
    (A version or an approximate date would help - if more accurate than the thread’s creation date :wink:)

Looking forward to more information! :slightly_smiling_face:

Cheers
Felix

Hi Felix,

The scan time increase happened suddenly; there is no such change in the setup, only the regular code changes. I will discuss the UCFG with the dev team and will update you.

Hi Felix,

How can I share with you privately?

Pinged you in a private thread :slightly_smiling_face:

Hey,

Thanks again for sharing the details (UCFGs). :blush:

I could take some time to look into it today. Reproduction was successful:

  • The security analysis took ~61 minutes for you (extracted from shared log), and on our side it took ~57 minutes which is pretty similar.
    • There was no salience, e.g., individual steps that took unusually long.
  • All candidates I had in mind for causing the time increase (e.g., added analysis config, new rules, …) have been excluded.
  • Lastly, I tried to provide more memory to the analysis (your log shows INFO: csharp security sensor peak memory: 12355 MB), but this did not reduce analysis time significantly although it used more (csharp security sensor peak memory: 44994 MB).

This leaves me with no more options than reaching out to my squad mates to discuss whether they have something else in mind that I could check.

Please note that we steadily improve our analyses, i.e., it can happen that our analyses become more accurate, which comes at a cost - we are striving to keep these costs (e.g., in terms of analysis time) as low as possible.

On the bright side :sun:, we are currently working on an approach that will allow us to analyze only files that have changed. This will bring speed improvements in the future.

I will come back to this thread if more information becomes available.

Cheers
Felix