Is there native support for OpenAPI (openapi.yaml) analysis in SonarQube Cloud?

Hi community,

We are using SonarQube Cloud and have a specific question about analyzing our API specification files.

In our repositories, we have openapi.yaml files alongside our source code (e.g., apiproxy). I’ve noticed that while the source code is analyzed correctly, the openapi.yaml file itself doesn’t seem to be scanned for OpenAPI-specific vulnerabilities, design bugs, or code smells.

I know that on self-hosted SonarQube Server (Community/Data Center) versions, it’s possible to install third-party plugins (like the sonar-openapi-plugin) which add these rules and analyze the API specification in depth.

Since we cannot install custom plugins on SonarQube Cloud, my question is:

  1. Has native support for analyzing OpenAPI specification files (YAML or JSON) been added to SonarQube Cloud recently?

  2. If it’s not native, what is the official or SonarSource-recommended way to achieve this analysis in SonarQube Cloud?

I have read that one possible solution is to use an external linter (like Spectral) in our CI/CD pipeline, generate a report in the “Generic Issue Data” format, and then import it into SonarQube Cloud using the sonar.externalIssuesReportPaths property.

Is this still the only recommended approach, or is there a more integrated solution available now or planned for the future?

Thank you for your guidance.

Best regards.

Hey there.

This is not supported today – you can vote for it here.

So in the meantime, your only option would be to import external issues as you mentioned. 🙂

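As an added illustration of the workaround discussed above (not code from the thread or from SonarSource), the converter below turns the JSON that `spectral lint openapi.yaml -f json` emits into the classic SonarQube Generic Issue Data shape that `sonar.externalIssuesReportPaths` imports. The severity mapping, the `owasp:` prefix used to tag rule hits as vulnerabilities, and the sample findings are assumptions made for this example.

```python
import json
import posixpath

# Spectral severity codes (0=error, 1=warn, 2=info, 3=hint) mapped onto
# SonarQube Generic Issue Data severities. The mapping is an assumption.
SEVERITY_MAP = {0: "CRITICAL", 1: "MAJOR", 2: "MINOR", 3: "INFO"}


def spectral_to_sonar(results, base_dir, engine_id="spectral"):
    """Convert a parsed Spectral JSON result list into Generic Issue Data."""
    issues = []
    for r in results:
        start, end = r["range"]["start"], r["range"]["end"]
        # Spectral reports 0-based lines; Sonar wants 1-based lines and
        # 0-based columns, and rejects an empty text range.
        text_range = {"startLine": start["line"] + 1, "endLine": end["line"] + 1}
        if (start["line"], start["character"]) != (end["line"], end["character"]):
            text_range["startColumn"] = start["character"]
            text_range["endColumn"] = end["character"]
        issues.append({
            "engineId": engine_id,
            "ruleId": r["code"],
            "severity": SEVERITY_MAP.get(r["severity"], "INFO"),
            # Hits from Spectral's OWASP ruleset are imported as vulnerabilities,
            # everything else as code smells (assumed convention).
            "type": "VULNERABILITY" if r["code"].startswith("owasp:") else "CODE_SMELL",
            "primaryLocation": {
                "message": r["message"],
                # filePath must be relative to the Sonar project base directory.
                "filePath": posixpath.relpath(r["source"], base_dir),
                "textRange": text_range,
            },
        })
    return {"issues": issues}


# Constructed sample, shaped like parsed `spectral lint -f json` output.
SAMPLE_SPECTRAL = [
    {"code": "info-contact", "path": ["info"], "severity": 1,
     "message": "Info object must have \"contact\" object.",
     "range": {"start": {"line": 1, "character": 0}, "end": {"line": 3, "character": 19}},
     "source": "/work/apiproxy/openapi.yaml"},
    {"code": "owasp:api2:2023-no-http-basic", "path": ["components", "securitySchemes"],
     "severity": 0, "message": "Security scheme uses HTTP Basic.",
     "range": {"start": {"line": 40, "character": 4}, "end": {"line": 40, "character": 4}},
     "source": "/work/apiproxy/openapi.yaml"},
]

if __name__ == "__main__":
    # Redirect this output to a file and point sonar.externalIssuesReportPaths at it.
    print(json.dumps(spectral_to_sonar(SAMPLE_SPECTRAL, "/work"), indent=2))
```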