Sonarqube and Salesforce Code Analyser with SARIF report

SonarQube Community Build 25.5.0.107428
SonarScanner CLI 7.1.0.4889

We have a Salesforce application and are using the Salesforce Code Analyser to analyse Apex and LWC (js) code.
The analyser outputs a SARIF report that we import into SonarQube.
The community edition of Sonarqube does not support Apex and LWC, so we are utilising an external scanner for the code analysis. The SonarScanner thinks the files are Java files and treats them accordingly.

Now the SonarScanner also scans the code, and to prevent this we exclude the code with the sonar.exclusions property.

We have Quality Gates in place, and for a PR it fails because of the quality gate since there are too many issues.
If I do not exclude the Apex files I get issues, and if I do exclude the Apex files everything works fine because the SonarScanner skips the Apex files and does not report any issues.

However, the Salesforce Code Analyser reports the issues in the SARIF report, but it seems they do not work with the Quality Gates.

The target is to use only the Salesforce Code Analyser to analyse the code and not use the SonarScanner at all, since it does not know about Salesforce code.

Is this possible?
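A check that follows from the setup described in the post above (added here as an example; it is not code from the poster, from SonarSource or from Salesforce): read the `sonar.exclusions` value out of a `sonar-project.properties` file, walk the results in the Salesforce Code Analyzer SARIF report referenced by `sonar.sarifReportPaths`, and list which results point at files the exclusion patterns remove from the analysis. The working assumption, worth confirming against the scanner log, is that a file dropped by `sonar.exclusions` is never indexed by the scanner, so an imported SARIF result on that file has nothing to attach to and silently disappears from the Quality Gate. The properties excerpt, the SARIF excerpt, the rule ids and the file paths are all constructed for the example.

```python
"""List Salesforce Code Analyzer SARIF results whose file is removed by
sonar.exclusions (constructed example; not the poster's real project)."""
import re

# Constructed sonar-project.properties excerpt (assumed layout).
SONAR_PROPERTIES = """\
sonar.projectKey=my-salesforce-app
sonar.sources=force-app
# import the Salesforce Code Analyzer SARIF output as external issues
sonar.sarifReportPaths=reports/sca.sarif
# keep the built-in analyzers away from Apex and LWC
sonar.exclusions=**/*.cls,**/*.trigger,**/lwc/**
"""

# Constructed SARIF excerpt in the shape Salesforce Code Analyzer emits
# (rule ids, messages and paths are examples, not real findings).
SARIF_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sfca"}},
        "results": [
            {"ruleId": "ApexSOQLInjection", "level": "error",
             "message": {"text": "SOQL built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "force-app/main/default/classes/AccountService.cls"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "no-unused-vars", "level": "warning",
             "message": {"text": "unused variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "force-app/main/default/lwc/hello/hello.js"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "ExampleRule", "level": "warning",
             "message": {"text": "example finding on a non-excluded file"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "force-app/main/default/staticresources/lib.js"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}


def parse_exclusions(properties_text):
    """Return the comma-separated sonar.exclusions patterns, or [] if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("sonar.exclusions="):
            value = line.split("=", 1)[1]
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def glob_to_regex(pattern):
    """Translate a SonarQube-style glob into a regex.

    '**/' matches zero or more directories, '**' any path fragment,
    '*' anything except a path separator, '?' a single character.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def sarif_results(sarif):
    """Flatten every result into (uri, line, ruleId, level) tuples."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                yield {"uri": uri, "line": line,
                       "ruleId": res.get("ruleId"), "level": res.get("level")}


def classify(sarif, exclusions):
    """Split results into those on indexed files and those on excluded files."""
    regexes = [glob_to_regex(p) for p in exclusions]
    report = {"attached": [], "dropped": []}
    for item in sarif_results(sarif):
        bucket = "dropped" if any(r.match(item["uri"]) for r in regexes) else "attached"
        report[bucket].append(item)
    return report


if __name__ == "__main__":
    result = classify(SARIF_REPORT, parse_exclusions(SONAR_PROPERTIES))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for it in items:
            print(f"  {it['uri']}:{it['line']} {it['ruleId']} ({it['level']})")
```

Run it against the real `sonar-project.properties` and the SARIF file produced in the PR pipeline; every result that lands in the `dropped` bucket is one the scanner cannot report, which is the behaviour the post describes when the Apex files are excluded.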

Hi,

Community Build doesn’t support PR analysis. Not sure what to tell you here.

Ann

We are doing PR analysis and it works ok with this plugin: GitHub - mc1arke/sonarqube-community-branch-plugin: A plugin that allows branch analysis and pull request decoration in the Community version of Sonarqube

The issue is that we would like to only use the external Salesforce Code analyzer to scan the code and import the result into Sonarqube.
Currently the CLI ALSO scans the code, and it does not support Salesforce code (apex, lwc).

Hi,

Community Build doesn’t support PR analysis. If you’re using that plugin, you’ll need to ask its maintainers for help. Or you can upgrade to Developer Edition ($).

Ann