Monorepo scanning - best practice

We are using a monorepo for our Application with the following:

├─┬ backend             → module with Spring Boot code
│ ├── src
│ └── pom.xml
├─┬ b2b                 → module with Spring Boot code
│ ├── src
│ └── pom.xml
├─┬ common-services     → module with Spring Boot code
│ ├── src
│ └── pom.xml
├─┬ frontend            → module with Vue.js code
│ ├── src
│ └── pom.xml
└── pom.xml             → Maven parent pom managing child modules

When our CI/CD triggers, it will start a separate job for each module and run the scanner command below. Will this have any negative consequences, i.e. if 2 sonar scans go through on the same branch for 2 different modules scanning different source files? I see some ‘weirdness’ in the project currently (for instance the code tab doesn’t show all the modules’ code and only seems to show the code from the last scanned module).

Essentially, I want to see the accumulated results of all the modules which I scan for the specific branch.

  • ALM used:
  • CI system used:
    GitHub Actions
  • Scanner command used:
    mvn -pl MODULE_NAME -am verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
  • Languages of the repository:
    Java & JavaScript/TypeScript/HTML

Hey there.

When the same project key is being used across multiple analyses, the last analysis will always rewrite what came before. This is fine when you’re analyzing the same code, but not when you’re analyzing different code.

You’ll be best off following the instructions to analyze a monorepo and have separate project keys passed to each mvn sonar:sonar command.

mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=colin-mueller-sonarsource_testmonorepo_1

This does mean 4 different SonarCloud projects (and no way to aggregate it into one) unless you forego all of this and just analyze the top level pom.xml, which I suppose would defeat the purpose of your CI/CD pipeline building each module individually.
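One way to wire that suggestion into the GitHub Actions setup from the question, as an added example (not code from this thread or from SonarSource): a matrix job that analyzes each module separately, each with its own project key. YOUR_ORG and the YOUR_ORG_monorepo_ key prefix are placeholders to replace; the SONAR_TOKEN repository secret and the sonar.organization / sonar.host.url properties are assumed from standard SonarCloud Maven usage.

```yaml
# Added example, not from the thread: one GitHub Actions job per module,
# each analysis sent to its own SonarCloud project key, so no module's
# analysis overwrites another's. Module names mirror the tree in the question.
# Placeholders: YOUR_ORG (sonar.organization) and the YOUR_ORG_monorepo_ key prefix.
name: sonar-per-module

on:
  push:
    branches: [main]
  pull_request:

jobs:
  sonar:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                      # one module failing should not cancel the others
      matrix:
        module: [backend, b2b, common-services, frontend]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                    # full history so SonarCloud can compute new-code/blame data
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven
      - name: Build and analyze ${{ matrix.module }}
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}       # analysis token kept as a repository secret, never in the pom
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}     # lets SonarCloud decorate pull requests
        run: >
          mvn -B -pl ${{ matrix.module }} -am verify
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=YOUR_ORG
          -Dsonar.projectKey=YOUR_ORG_monorepo_${{ matrix.module }}
```

Each matrix leg reports to a distinct SonarCloud project, so the per-branch results of all four modules are retained side by side rather than replaced by the last scan.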

Hi @Colin,

OK, that makes sense, I will configure all my modules to have separate projects.
Another thing, I have a common-services module which 2 of my other modules depend on.
I would like to scan this only once, is there an easy way to include that in one of my modules settings?

So essentially, when I scan my ‘backend’ module I also want it to include the sources and scan the ‘common-services’ module.