Need to understand how scanning is done

We are using current version of SonarQube Dev edition.
I’m thinking about how we provide evidence of security compliance, fo example we have some rules to detect keys/tokens in code.

I assume that updates to code will get scanned. But my questions are:

  1. Is a baseline established (so keys/tokens are found in existing code)?
  2. Assuming only changes are scanned, is it possible to re-scan the project? Like if a new rule is added or an existing one changed?

Make sense?

The first time you scan master you will see all existing issues. If you set the New Code Period to the version of that scan then subsequent scans of master will only show new issues in the code in master.

Scans for branches, absent any specific configuration to the contrary, will show only new issues since the inception of the branch.


Welcome to the community @Scott_Chapman!

To augment Richard’s excellent answer, by default your entire code base is analyzed every time. (For PRs only issues on new code are reported.) So every time you analyze you are “re-scan[ning] the project”


1 Like

Thanks, I appreciate the response!

I think I get it, so everything is always scanned, but presentation will filter to show what is relevant (specific to a branch/PR for example). That right?

So, if I were to add a new rule, or change an existing rule, I would see that immediately when any new scan is done and update the issues appropriately?


When you add a new rule, the issues it raised on old code in the first subsequent analysis are backdated. Here are the docs on that.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.