Hi @oocx and welcome to our community. While I cannot answer the question about Docker, I can answer about the .NET analysis.
Our .NET analyzer is a Roslyn analyzer, so it acts like a plugin during the compilation (i.e. build). Normally you can install Roslyn analyzers as NuGets (or from within the IDE for specific projects) or reference them directly in the PROJ files; however, that’s not an out-of-the-box experience - you need to modify your project configuration manually.
Moreover, the analysis needs to take into account the SonarQube configuration - custom Quality Profiles or project-level settings configured in SQ. And this needs to be done before the build (and analysis) begins.
To fix these two problems (inject the analyzers before the build and take into account SonarQube configuration), the BEGIN step is used which:
- downloads the analyzers from SQ/SC and installs them locally in a cache
- creates a .ruleset file based on the Quality Profiles of SonarQube
- puts a target file in the ImportBefore folder which tells MSBuild to use the sonar-dotnet analyzers (from the local cache) and passes the rule configuration to the analysis
Then during the build our Roslyn analyzers get invoked by the Roslyn compiler framework and create the analysis output, which during the END step is read and sent to SonarQube. Also, the END step does the clean-up of the target file added in the BEGIN step. The END step actually invokes the common scanner-cli, which is used by all our plugins to communicate with SonarQube.