Is using a Roslyn plug-in to provide a ruleset for SonarQube a recommended way of use?

Hello SonarQube Community!

I’m evaluating version 8 of SonarQube at this moment, to specifically test the security related checks. I’ve spoken to a couple of developers about the way they deploy SonarQube. For certain projects, they explained they were using a Roslyn plug-in to communicate a custom ruleset (not focused on security) to SonarQube, before the analysis starts.

At first this seems quite devious to me, as they are not (directly) using the built-in rules of the Sonar Way quality profiles. In your opinion, is this an actual proper and valid way to deploy SonarQube effectively?

Thank you in advance for your reply.


Hi Mitchell,

Is it valid? For their use cases, I guess so…? Recommended? Not by SonarSource. :wink:

In fact, we’ve worked hard to provide significant value in our C# analyzer (your mention of Roslyn makes me assume C#) so at a minimum, you’re throwing that away if you use only external rules.

In my opinion, you’re best served by using the built-in rules that work for you before both

  • adding in the external rules that cover what you feel is missing
  • telling us what those missing rules are so we can maybe get them built-in for you.