SonarQube Quality gate on new code. Fails on first attempt. Succeeds on second attempt

Must-share information (formatted with Markdown):

• SonarQube Server v2025.4.2 (112048)
• deployed as zip
• expected consistent quality gate result

Our quality gate is for New-Code only.

Our project has multiple branches.

We have defined the new code as follows:

1. develop, our main branch as the reference branch
2. For develop, our main branch, we have selected Previous version as the baseline

What are we facing?

1. During the first run, the quality gate fails.
2. During the re-run of the same code, the quality gate is passed.

Edit 1:
Command to scan:
docker run --rm -t --name “Name” -v “CodePath” sonarsource/sonar-scanner-cli -Dsonar.host.url=“https://URL/” -Dsonar.projectKey=${bamboo.sonar.Key} -Dsonar.token=“${bamboo.sonar.ent.secret.token}” -Dsonar.projectVersion=${bamboo.version.assemblyVersion} -Dsonar.coverage.exclusions=“${bamboo.sonar.Exclusions}” -Dsonar.branch.name=${bamboo.planRepository.1.branchName} -Dsonar.qualitygate.wait=true -Dsonar.exclusions=“${bamboo.sonar.Exclusions}”

Hi,

Welcome to the community!

This means that every time the sonar.projectVersion string changes, you’re resetting what’s considered new.

At a guess, the assemblyVersion is different with each build? That would reset the new code with each analysis and explain what you’re seeing.

 
HTH,
Ann

Sorry, but when we are re-running that step, nothing changes.
I removed the projectVersion and still facing the issue.

Hi,

To be clear, when you re-run the step, exactly the same bamboo.version.assemblyVersion is used?

By removing that analysis property, you defaulted it, I believe to “Not provided”, thus resetting the “new code” once again.

What happens when you run it the second time with no sonar.projectVersion (i.e. the default) value?

 
Ann

The assembly version remains the same. The assembly version is set during build and remains constant.

After removing projectVersion, I had the same scenario for a new branch.

Hi,

To be clear, you ran two successive analyses with no sonar.projectVersion (so, the default value), and you saw issues that were “new” for the first analysis get moved out of “new” for the second one?

Could I have a screenshot of the left column of your Activity tab, redacted as necessary?

 
Thx,
Ann

Hi,

Yes, you are getting it right.

Please fidn the snapshots below:

image1087×693 41.3 KB

image431×403 21.3 KB

Hi,

Thanks for the screenshots. They’re very helpful, particularly the one I didn’t ask for () that shows a QG change with no issue change (and no version change).

I had assumed that something would jump out at me from your screenshot, but nothing does.

Do you still have access to the analysis logs from those last two runs? Could you post them here, redacted as necessary?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

Hi Ann,

Sorry for the delay.

We had the same experience. See the attached screenshot and the log files

image683×315 15.1 KB

Log_Failure.txt (94.0 KB)
Log_Success.txt (93.9 KB)

Hope this helps.

Hi,

This stands out to me in both logs:

SCM provider autodetection failed. Please use "sonar.scm.provider" to define SCM of your project, or disable the SCM Sensor in the project settings.

These prerequisites are listed for PR analysis, but they’re generally applicable. Can you make sure they’re in place? In particular, I think we need to hit this point first:

The CI/CD host’s local repository contains valid repository metadata (e.g. the .git folders have not been removed).

 
Thx,
Ann

Thanks, Ann.

Our results are much streamlined now.
We still see an issue with the scans. It lists all issues of the FrontEnd, even if the files are not part of the present PR.

But it is working fine for Backend code. I am attaching logs of the run.
new 94.txt (59.7 KB)

Edit: We are seeing this for DockerFile also.

Hi,

I’m not surprised you’re still having weird results:

build 16-Dec-2025 11:50:09 11:50:09.495 INFO SCM Publisher is disabled

You need to turn it back on.

 
Ann

Hi,

Thanks for pointing to it.
I turned it on. But I got

No SCM system was detected

The checkout had .git folder as hidden. I tried the following:
Adding parameter -Dsonar.scanner.excludeHiddenFiles=false
Tried making git folder visible.

The issue persisted, so I added parameter -Dsonar.scm.provider=git
But getting Not inside a Git work tree: /usr/src

Tried addressing it with -Dsonar.projectBaseDir=“$PWD” but got stuck with

Error during SonarScanner CLI execution
java.lang.IllegalStateException: Project home must be an existing directory: /home/bamboo/bamboo-agent-home/xml-data/build-dir/abc-A-JOB1

Sorry unable to get through.

Hi,

Yes, most systems will treat a file or directory named with a leading . as hidden by default. This is why Git puts its configs in a “dot directory” - to not clutter the visual representation with its metadata. That shouldn’t have any bearing on whether or not analysis can find that data.

Let’s talk about your project structure. Where is the .gitinfo directory located in relation to where you’re kicking off analysis from? Is it in the same directory? The directory above? Below? Because it needs to be right there in the directory analysis is fired from.

 
Ann

Hi,

Okay, that’s a strange configuration. Can you share your full analysis configuration, please?

 
Thx,
Ann

docker run --rm -t --name A-www -v "$PWD/OneWeb_Backend:/usr/src/A-wwwbackend" -v "$PWD/OneWeb_Frontend:/usr/src/A-wwwfrontend" -v "$PWD/Migration/OWContentMigration:/usr/src/A-wwwMigration" sonarsource/sonar-scanner-cli -Dsonar.host.url="https://athip.sonarqube.company.io" -Dsonar.projectKey=${bamboo.sonar.Key} -Dsonar.scm.provider=git -Dsonar.token="${bamboo.sonar.ent.secret.token}" -Dsonar.branch.name=${bamboo.planRepository.1.branchName} -Dsonar.scanner.excludeHiddenFiles=false -Dsonar.projectBaseDir="$PWD" -Dsonar.exclusions="**/packages/**,**/node_modules/**,**/AssemblyInfo.cs,**/*.aspx.designer.cs,**/*.css,**/*.js,**/*.yml,**test**" -Dsonar.coverage.exclusions="**/packages/**,**/node_modules/**,**/AssemblyInfo.cs,**/*.aspx.designer.cs,**/*.css,**/*.js,**/*.yml,**test**"

Hi,

Thanks for the command.

You’re mapping in 3 different directories. I assume you’re trying to assemble a source tree under the assumption that analysis will run from /usr/src and see all 3 directories you’ve mapped under it. However, you then set

-Dsonar.projectBaseDir="$PWD"

Which tells analysis to run from $PWD which… probably doesn’t make sense as a reachable address to the Docker image. Hence the

Now, back to the complaint:

Based on the 3 volumes you’re mapping in to the Docker command, do I correctly guess that this is actually 3 difference checkouts that you’re trying to analyze together as one project?

A few side notes on the rest of your configuration:

-Dsonar.scm.provider=git

You don’t need this. If analysis isn’t able to pick this up from the environment, telling it explicitly won’t do any good.

-Dsonar.branch.name=${bamboo.planRepository.1.branchName}

This should be picked up automatically from the environment. Once you get your SCM metadata sorted out, that is.

You’ve got exactly the same set of exclusions in both places. Since sonar.exclusions wholly omits the files from analysis, there’s no put in also omitting those same files from coverage consideration. You can drop sonar.coverage.exclusions.

 
Ann

Thanks, Ann.

The three volumes are part of the same repo. We get it through a single checkout.

My understanding is the Sonar image will be running from /home/bamboo/bamboo-agent-home/xml-data/build-dir/abc-A-JOB1, the PWD.

Hi,

You need to map in your checkout directory as the /usr/src directory. Just once. Just that top-level directory. If there are things in that directory you were trying to omit with your elaborate volume mapping, then that’s where your exclusions should come in.

 
HTH,
Ann