Sonar Scanner For MS Build .Net Core from inside Docker - Pull request analyzed but NOT decorated/completed

  • ALM used : Azure DevOps
  • CI system used : Azure DevOps

RUN dotnet sonarscanner begin \
    /k:{SONAR_PROJECT_KEY} \
    /o:assurecare \
    /{SONAR_URL} \
    /d:sonar.login={SONAR_TOKEN} \
    /d:projectVersion='{APP_VERSION}.{APP_BUILD}' \
    /d:sonar.pullrequest.key={PR_NUMBER}

Running the scanner from the container, it does scan, but the PR is not updated. I do see a warning in the UI:
SCM provider autodetection failed. Please use “sonar.scm.provider” to define SCM of your project, or disable the SCM Sensor in the project settings.

I have researched this and tried several things to no avail.

Thanks for any advice.

Hi @allanlogan and welcome to the community !

This behavior is normal as long as you don’t checkout your repo inside the container, because we are relying on some folder (for instance : .git) to automatically detect the SCM provider.

Have you tested by deactivating it directly ?


Let us know.




  • I am not checking out inside the container.

  • I have read about the auto detection. The .git folder is in the src folder that is COPY’ed to the container.

  • Yes, I have tried setting .scm.enabled=false. That did not help. I still see the warning. These are the relevant log entries:

Project key: rule-execution-service
INFO: Base dir: /src
INFO: Working dir: /src/.sonarqube/out/.sonar
INFO: Load project settings for component key: ‘rule-execution-service’
INFO: Load project settings for component key: ‘rule-execution-service’ (done) | time=176ms
INFO: Load project branches
INFO: Load project branches (done) | time=149ms
INFO: Load projects for organization ‘assurecare’
INFO: Load projects for organization ‘assurecare’ (done) | time=135ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=144ms
INFO: Load branch configuration
INFO: Load branch configuration (done) | time=4ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=182ms
INFO: Load active rules
INFO: Load active rules (done) | time=4152ms
WARN: SCM provider autodetection failed. Please use “sonar.scm.provider” to define SCM of your project, or disable the SCM Sensor in the project settings.
INFO: Organization key: assurecare
INFO: Pull request 5972 for merge into master from feature/313108-fix-pipeline-yaml
INFO: Indexing files…
INFO: Project configuration:
INFO: Indexing files of module ‘rule-execution-service’
INFO: Base dir: /src/rule-execution-service
INFO: Source paths: Configuration/DatabaseOverride.cs, Configuration/IInRuleSetti…

No SCM system was detected. You can use the ‘sonar.scm.provider’ property to explicitly specify it.
INFO: 9 files had no CPD blocks
INFO: Calculating CPD for 19 files
INFO: CPD calculation finished
INFO: Analysis report generated in 150ms, dir size=154 KB
INFO: Analysis report compressed in 37ms, zip size=46 KB
INFO: Analysis report uploaded in 280ms
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at
INFO: Analysis total time: 11.198 s
INFO: ------------------------------------------------------------------------
INFO: ------------------------------------------------------------------------
INFO: Total time: 1:10.357s
INFO: Final Memory: 29M/124M
INFO: ------------------------------------------------------------------------
The SonarQube Scanner has finished
15:46:31.44 Post-processing succeeded.

  • I looked at the vsts source and saw that it seems like ‘vsts’ would be correct, so I tried setting the scm.provider=vsts and got this error:
    SCM provider was set to “vsts” but no SCM provider found for this key. Supported SCM providers are hg,git

I also tried

  • Changing the provider to git and I get this error:
    ERROR: Error during SonarQube Scanner execution
    ERROR: Not inside a Git work tree: /src


  1. Shouldn’t I see source code in the UI for the PR branch? I don’t. Does Sonar pull that from the SCM if working correctly?
  2. Is there any logging on the sonar side?

Analysis report generated in 79ms, dir size=154 KB
INFO: Analysis report compressed in 23ms, zip size=46 KB
INFO: Analysis report uploaded in 300ms
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at

Thank you for your help!


Is it possible that for whatever reason, .git is not in /src (inside the container)? Because according to the logs, that’s what seems to be happening.
It would be much better to make sure git metadata is made available to the scanner rather than disabling the SCM since you will have more precise results regarding what files/lines are changed in that pull request.

You probably don’t see any file in the UI for the PR because it’s not detecting any changed file in the P/R. When no SCM is used, SonarQube will compare the files in the P/R with the files in the target branch (master in this case) as seen by SonarQube and this might not be what you see in git.

Please run the scanner with debug enabled - the logs will have more information about how many files are changed.


Thank you.

You were correct. The .git was not getting into the container. It was in the .dockerignore file. I made that change and now I no longer see the SCM warning, and it looks like it finds the files in the PR branch (5 in this case). BUT I am still not getting the gate to update in Azure DevOps. I AM getting the blame data in SonarCloud (I added some smell as a test).

I reset the Azure DevOps access token (again) since that’s the only thing I’ve ever seen previously prevent an update.

Does this update to the PR happen from Sonar Cloud or from the scanner?
Are there any logs that should show an attempt to update it?

Thanks again for any assistance.

Here’s some snippets from the latest log - debug and verbose:

14:19:19.771 DEBUG: SCM reported 5 files changed in the branch

14:19:24.587 INFO: CPD calculation finished
14:19:24.689 INFO: SCM writing changed lines
14:19:24.695 DEBUG: Merge base sha1: 7a23d660c1138a774eaf64f4de053648ed8a540b
14:19:24.715 DEBUG: SCM reported changed lines for 1 file in the branch
14:19:24.716 INFO: SCM writing changed lines (done) | time=27ms
14:19:24.719 INFO: Analysis report generated in 129ms, dir size=155 KB
14:19:24.751 INFO: Analysis report compressed in 32ms, zip size=47 KB
14:19:24.752 INFO: Analysis report generated in /src/.sonarqube/out/.sonar/scanner-report
14:19:24.753 DEBUG: Upload report
14:19:25.038 DEBUG: POST 200 | time=284ms
14:19:25.041 INFO: Analysis report uploaded in 288ms
14:19:25.042 INFO: ANALYSIS SUCCESSFUL, you can browse
14:19:25.042 INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
14:19:25.042 INFO: More about the report processing at
14:19:25.043 DEBUG: Report metadata written to /src/.sonarqube/out/.sonar/report-task.txt
14:19:25.046 DEBUG: Post-jobs :
14:19:25.048 INFO: Analysis total time: 10.815 s
14:19:25.051 INFO: ------------------------------------------------------------------------
14:19:25.051 INFO: ------------------------------------------------------------------------
14:19:25.051 INFO: Total time: 33.759s
14:19:25.215 INFO: Final Memory: 33M/231M
14:19:25.215 INFO: ------------------------------------------------------------------------
Process returned exit code 0
The SonarQube Scanner has finished
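
An added example, not part of any post in this thread: a pre-flight check for the cause identified above, a `.dockerignore` rule that keeps `.git` out of the image so the scanner reports "Not inside a Git work tree". The function names are hypothetical, and the matcher is a simplification of Docker's rules that only considers patterns aimed at the top-level `.git` entry.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Sonar tooling.

# Return 0 if FILE (a .dockerignore) would keep the top-level .git entry out
# of the build context, 1 if .git would be copied. Simplified matcher: only
# patterns aimed at the context root are considered; last matching line wins.
dockerignore_excludes_git() {
  local file="$1" line pat negate rc=1 cr
  cr=$(printf '\r')
  [ -f "$file" ] || return 1                 # no .dockerignore: nothing excluded
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                       # tolerate CRLF line endings
    line=${line#"${line%%[![:space:]]*}"}    # trim leading whitespace
    line=${line%"${line##*[![:space:]]}"}    # trim trailing whitespace
    case $line in ''|'#'*) continue ;; esac  # skip blanks and comments
    negate=0; pat=$line
    case $line in '!'*) negate=1; pat=${line#\!} ;; esac
    # Normalise "**/.git", "/.git", ".git/**" and ".git/" to a bare name.
    pat=${pat#'**/'}; pat=${pat#/}; pat=${pat%'/**'}; pat=${pat%/}
    case .git in
      $pat) if [ "$negate" -eq 1 ]; then rc=1; else rc=0; fi ;;
    esac
  done < "$file"
  return "$rc"
}

# Return 0 if DIR carries git metadata (.git directory, or .git file in a worktree).
has_git_metadata() {
  [ -e "$1/.git" ]
}
```

Run `dockerignore_excludes_git .dockerignore` on the build agent before `docker build`, and `has_git_metadata /src` inside the container before `dotnet sonarscanner begin`, failing the step if either check reports that git metadata is missing.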


Do you see any warning on the top right corner of the PR page on SonarCloud ?

You can find as well proper context of the corresponding background task (in the Background Tasks page)


Thanks Mickaël
There are no warnings on the top right. There was one, but I no longer see the SCM warning after adding the .git folder to the container.

Looking at the context, it seems OK.
Question: sonar.projectBaseDir=/src and other places that reference src… This folder only exists in the container, not in source control. Does that matter?

Thanks again!

SonarQube plugins:

  • SonarCSS (cssfamily)
  • SonarPLSQL (plsql)
  • SonarScala (sonarscala)
  • SonarC# (csharp)
  • Vulnerability Analysis (security)
  • SonarJava (java)
  • SonarHTML (web)
  • SonarFlex (flex)
  • SonarXML (xml)
  • SonarTS (typescript)
  • SonarVB (vbnet)
  • SonarSwift (swift)
  • SonarCFamily (cpp)
  • SonarPython (python)
  • JaCoCo (jacoco)
  • Mercurial 1.1.2 (scmmercurial)
  • SonarGo (go)
  • SonarKotlin (kotlin)
  • SonarTSQL (tsql)
  • SonarApex (sonarapex)
  • SonarJS (javascript)
  • SonarRuby (ruby)
  • Vulnerability Rules for C# (securitycsharpfrontend)
  • Vulnerability Rules for Java (securityjavafrontend)
  • License for SonarLint (license)
  • SonarCOBOL (cobol)
  • Git (scmgit)
  • SonarPHP (php)
  • SonarABAP (abap)
  • Vulnerability Rules for PHP (securityphpfrontend)

Global server settings:

  • email.fromName=SonarCloud
  • email.prefix=[SonarCloud]
  • sonar.auth.bitbucket.enabled=true
  • sonar.core.serverBaseURL=
  • sonar.core.startTime=2019-11-06T08:29:18+0100
  • sonar.cpd.cross_project=false
  • sonar.dbcleaner.weeksBeforeDeletingAllSnapshots=480
  • sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByMonth=4
  • sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek=1
  • sonar.leak.period=30
  • sonar.lf.enableGravatar=true
  • sonar.lf.logoWidthPx=105
  • sonar.organizations.anyoneCanCreate=true
  • sonar.organizations.createPersonalOrg=true
  • sonar.plsql.file.suffixes=sql,tab,pkb
  • sonar.tsql.file.suffixes=.tsql

Project server settings:

  • sonar.pullrequest.provider=Azure DevOps Services
  • sonar.pullrequest.vsts.token.secured=******

Project scanner properties:

  • sonar.coverage.exclusions=*Tests.cs
  • sonar.cs.nunit.reportsPaths=app/*.xml
  • sonar.cs.opencover.reportsPaths=coverage.opencover.xml
  • sonar.log.level=DEBUG
  • sonar.login=******
  • sonar.modules=3F817139-6E09-4C0D-955B-397F975623ED,EDCE484F-E966-497C-8953-2437A31DD827
  • sonar.organization=assurecare
  • sonar.projectBaseDir=/src
  • sonar.projectKey=rule-execution-service
  • sonar.pullrequest.branch=feature/313108-add-sonarscanner-to-rule-execution-service
  • sonar.pullrequest.key=6255
  • sonar.scanAllFiles=true
  • sonar.scanner.appVersion=
  • sonar.sourceEncoding=US-ASCII
  • sonar.verbose=true
  • sonar.visualstudio.enable=false

Scanner properties of module: rule-execution-service:rule-execution-service:3F817139-6E09-4C0D-955B-397F975623ED

  • sonar.cs.analyzer.projectOutPath=/src/.sonarqube/out/0
  • sonar.cs.analyzer.projectOutPaths="/src/.sonarqube/out/0"
  • sonar.cs.roslyn.reportFilePath=/app/rule-execution-service.dll.RoslynCA.json
  • sonar.cs.roslyn.reportFilePaths="/app/rule-execution-service.dll.RoslynCA.json"
  • sonar.moduleKey=rule-execution-service:rule-execution-service:3F817139-6E09-4C0D-955B-397F975623ED
  • sonar.projectBaseDir=/src/rule-execution-service
  • sonar.projectKey=rule-execution-service:rule-execution-service:3F817139-6E09-4C0D-955B-397F975623ED
  • sonar.projectName=rule-execution-service
  • sonar.sourceEncoding=utf-8
  • sonar.sources="/src/rule-execution-service/Configuration/DatabaseOverride.cs","/src/rule-execution-service/Configuration/IInRuleSettings.cs","/src/rule-execution-service/Configuration/InRuleSettings.cs","/src/rule-execution-service/Configuration/ISystemSettings.cs","/src/rule-execution-service/Configuration/Logging.cs","/src/rule-execution-service/Configuration/RestServiceOverride.cs","/src/rule-execution-service/Configuration/RuleAppMapping.cs","/src/rule-execution-service/Configuration/RuleApps.cs","/src/rule-execution-service/Configuration/SystemSettings.cs","/src/rule-execution-service/Controllers/ExecutionController.cs","/src/rule-execution-service/Controllers/HealthController.cs","/src/rule-execution-service/ExecutionMode.cs","/src/rule-execution-service/Extensions/RuleSessionExtensions.cs","/src/rule-execution-service/Model/Dto/ApplyRulesRequest.cs","/src/rule-execution-service/Model/Dto/ChangeSetEntry.cs","/src/rule-execution-service/Model/Dto/ExecuteRulesRequest.cs","/src/rule-execution-…

Scanner properties of module: rule-execution-service:rule-execution-service:EDCE484F-E966-497C-8953-2437A31DD827

  • sonar.cs.analyzer.projectOutPath=/src/.sonarqube/out/1
  • sonar.cs.analyzer.projectOutPaths="/src/.sonarqube/out/1"
  • sonar.cs.roslyn.reportFilePath=/app/rule-execution-service.Tests.dll.RoslynCA.json
  • sonar.cs.roslyn.reportFilePaths="/app/rule-execution-service.Tests.dll.RoslynCA.json"
  • sonar.moduleKey=rule-execution-service:rule-execution-service:EDCE484F-E966-497C-8953-2437A31DD827
  • sonar.projectBaseDir=/src/rule-execution-service.Tests
  • sonar.projectKey=rule-execution-service:rule-execution-service:EDCE484F-E966-497C-8953-2437A31DD827
  • sonar.projectName=rule-execution-service.Tests
  • sonar.sourceEncoding=utf-8
  • sonar.sources=
  • sonar.tests="/src/rule-execution-service.Tests/ExecutionServiceTests.cs","/src/rule-execution-service.Tests/HealthServiceTests.cs","/src/rule-execution-service.Tests/RepositoryServiceTests.cs"


Do you get any comment from SonarCloud on your PR? You said that you don’t get any Quality Gate, but I’m not sure about the comments.


No. Nothing is on the PR.
In this image you can see the commit where I added some extra usings to cause some issues. Those issues DID show up in Sonar Cloud (see previous post) but nothing on the PR.

Would there be any logging in Azure DevOps that you know of? We are so close. Thanks again. I appreciate it

Do you set manually somewhere this property ? sonar.pullrequest.provider

No Sir, I tried a few times and got different SCM errors. But after getting the .git folder into the container I see that the provider is set to sonar.pullrequest.provider=Azure DevOps Services based on the context you directed me to.

I only set these:
dotnet sonarscanner begin \
    /k:{SONAR_PROJECT_KEY} \
    /o:assurecare \
    /{SONAR_URL} \
    /d:sonar.login={SONAR_TOKEN} \
    /d:projectVersion='{APP_VERSION}.{APP_BUILD}' \
    /d:sonar.pullrequest.key={PR_NUMBER} \
    /d:sonar.pullrequest.branch=${PR_BRANCH} \
    /d:sonar.log.level=DEBUG; \


OK, so then can you try again by setting it to ‘vsts’ instead of Azure DevOps Service?

Something like this : /d:sonar.pullrequest.provider=vsts

I’ll have a look at which component set this value.

Thanks !


This is now working! I got the decoration and the quality gate. I had to add the following (including provider):

/d:sonar.pullrequest.vsts.repository="rxxxxxxx" \

Would you expect that these would need to be set? They are not documented so I am curious. I got them from a working context.

Thank you. I really appreciate the help!

You are right, we are populating these values from the Azure DevOps extension, but not with direct call to the Scanner for MSBuild indeed. We will update our documentation with those parameters.

Thank you !