Sonarqube-scan-action v5.3.1 is broken

The latest update of the sonarqube scan action (v5.3.1) introduced a massive regression on which you as a developer don’t know how to quote the paths for source/test.

For example, if you have a source path containing spaces, what you would do (that works perfectly on shell) is `-Dsonar.sources="My path,Anotherpath"`. With the change introduced in 5.3.1 this causes an error, as it’s trying to look for the path `'My path,Anotherpath'` and of course that does not exist.

A suggestion was given in the GitHub PR to lose the quotes, which causes other issues as it’s trying to parse as something and fails with an error `Unrecognized option: My Path,Anotherpath`

I have put together a sample project using the old and new version of the action.

EDIT: quoting only the spaced path also causes the same error “unrecognized option”

Hello @kronenthaler,

Thank you for posting - can you please try passing the argument like this:

-Dsonar.sources='"My path",Anotherpath'?

Please let us know if this solves the issue.

Thanks!

Hello colleagues
Looks like the recent changes broke something

On our CI argument parsing failed:

As a workaround, this helped in my case:

But it is misaligned with your README.md:

      `--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"`

Hello @mlohvynenko,

Thank you for pointing this out, and I am glad that you have already found a workaround.

An alternative option, to avoid quoting issues, would be to add the property in the sonar-project.properties file. This is applicable in @kronenthaler’s case as well.

Thanks,
Aleksandra

Yes, I tried, still fails. Added the case to the public repo test https://github.com/kronenthaler/sonar-scanner-bug/actions/runs/17402013328/job/49397097690

Sorry, this is not a solution in my case. I need it to be dynamic because it is a mono repo with multiple sonar projects, so the sonar.sources has to be dynamic to scope the right paths, and some paths have spaces. These dynamic paths are read from an env var already.

For now, we rolled back to 5.3.0.
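
One way to keep the sonar-project.properties route dynamic, as an added example that is not part of the original thread or the action's own code: a step run before the scan writes `sonar.sources` from a newline-separated list, so paths with spaces never pass through `args`. `SONAR_SOURCE_PATHS` and `write_sonar_sources` are hypothetical names, and paths containing a comma are rejected because the comma is the list separator.

```shell
#!/bin/sh
# Added example: set sonar.sources in a .properties file from a
# newline-separated path list instead of passing it through `args`.
# SONAR_SOURCE_PATHS and write_sonar_sources are hypothetical names.

# The ( ... ) body runs in a subshell, so helper variables do not leak.
write_sonar_sources() (
  props_file=$1
  path_list=$2
  joined=""

  while IFS= read -r path; do
    [ -n "$path" ] || continue            # skip blank lines
    case $path in
      *,*) echo "comma in path not supported: $path" >&2; return 1 ;;
    esac
    # '\' is an escape character in .properties files, so double it.
    path=$(printf '%s\n' "$path" | sed 's/\\/\\\\/g')
    joined=${joined:+$joined,}$path
  done <<EOF
$path_list
EOF

  [ -n "$joined" ] || { echo "no source paths given" >&2; return 1; }

  tmp=$(mktemp) || return 1
  # Drop any earlier sonar.sources line; keep every other property as it is.
  if [ -f "$props_file" ]; then
    grep -v '^[[:space:]]*sonar\.sources[[:space:]]*[=:]' "$props_file" > "$tmp" || true
  fi
  # Spaces inside the value need no quoting in a .properties file.
  printf 'sonar.sources=%s\n' "$joined" >> "$tmp"
  cat "$tmp" > "$props_file" && rm -f "$tmp"
)

# In a workflow step placed before the scan step (no-op when the variable is unset):
[ -z "${SONAR_SOURCE_PATHS:-}" ] || \
  write_sonar_sources sonar-project.properties "$SONAR_SOURCE_PATHS"
```
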

I misread the original solution. Tried it again, and still fails

Hi there,
we’re also facing issues when migrating from SonarSource/sonarqube-scan-action from 5.2.0 to 5.3.1. The setup is pretty simple:

      - name: "SonarQube Scan"
-       uses: SonarSource/sonarqube-scan-action@v5.2.0
+       uses: SonarSource/sonarqube-scan-action@v5.3.1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        with:
          projectBaseDir: .
          args: >
            -Dsonar.python.coverage.reportPaths=coverage.xml
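
Review bot: the `uses:` line on the `+` side references the action by the movable tag `v5.3.1`, and this bump is exactly where behaviour changed for the step. Consider pinning to the full commit SHA of the release you tested, with the tag kept in a trailing comment (the `actions/cache@0400d5f6…` reference in the runner log is written that way), so every change of action code shows up as an explicit, reviewable diff.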

We’re receiving below on 5.3.1, while it works fine on 5.2

Run SonarSource/sonarqube-scan-action@v5.3.1
  with:
    projectBaseDir: .
    args: -Dsonar.python.coverage.reportPaths=coverage.xml
  
    scannerVersion: 7.2.0.5079
    scannerBinariesUrl: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
  env:
    SONAR_TOKEN: 
    SONAR_HOST_URL: https://<redacted>/sonarqube
Run ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
  ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    SONAR_TOKEN: 
    SONAR_HOST_URL: https://<redacted>/sonarqube
    INPUT_PROJECTBASEDIR: .
    INPUT_SCANNERVERSION: 7.2.0.5079
Warning: Running this GitHub Action without SONAR_TOKEN is not recommended
Run actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809
  with:
    path: /home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64
    key: sonar-scanner-cli-7.2.0.5079-Linux-X64
    enableCrossOsArchive: false
    fail-on-cache-miss: false
    lookup-only: false
    save-always: false
  env:
    SONAR_TOKEN: 
    SONAR_HOST_URL: https://<redacted>/sonarqube
    SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
Cache not found for input keys: sonar-scanner-cli-7.2.0.5079-Linux-X64
Run ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
  ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    SONAR_TOKEN: 
    SONAR_HOST_URL: https://<redacted>/sonarqube
    INPUT_SCANNERVERSION: 7.2.0.5079
    INPUT_SCANNERBINARIESURL: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
+ mkdir -p /home/runner/work/_temp/sonarscanner
+ cd /home/runner/work/_temp/sonarscanner
+ SCANNER_FILE_NAME=sonar-scanner-cli-7.2.0.5079-linux-x64.zip
+ SCANNER_URI=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
+ command -v wget
+ wget --no-verbose --user-agent=sonarqube-scan-action https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
2025-09-05 07:20:06 URL:https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip [58106473/58106473] -> "sonar-scanner-cli-7.2.0.5079-linux-x64.zip" [1]
+ unzip -q -o sonar-scanner-cli-7.2.0.5079-linux-x64.zip
+ SCANNER_UNZIP_FOLDER=sonar-scanner-7.2.0.5079-linux-x64
+ SCANNER_LOCAL_FOLDER=/home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64
+ '[' -d /home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64 ']'
+ mv -f sonar-scanner-7.2.0.5079-linux-x64 /home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64
Run echo "${RUNNER_TEMP}/sonar-scanner-cli-7.2.0.5079-Linux-X64/bin" >> $GITHUB_PATH
Run ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
+ sonar-scanner -Dsonar.projectBaseDir=. -Dsonar.python.coverage.reportPaths=coverage.xml
07:20:08.397 INFO  Scanner configuration file: /home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64/conf/sonar-scanner.properties
07:20:08.402 INFO  Project root configuration file: /home/runner/work/<redacted>/sonar-project.properties
07:20:08.421 INFO  SonarScanner CLI 7.2.0.5079
07:20:08.423 INFO  Linux 6.11.0-1018-azure amd64
07:20:10.281 ERROR Failed to query server version: GET https://<redacted>/sonarqube/api/v2/analysis/version failed with HTTP 401. Please check the property sonar.token or the environment variable SONAR_TOKEN.
07:20:10.282 INFO  EXECUTION FAILURE
07:20:10.283 INFO  Total time: 1.890s

@rceluch-pg This issue doesn’t seem related to the one in the initial report.
Looking at the console output, the SONAR_TOKEN env var seems empty (not resolving to anything) thus generating a 401 error. Are you sure the token is defined in the secrets, under that name?

Ok. Maybe not the very same root cause as for OP, but for sure related to v5.3.1, as the very same setup works for us on v5.2.0 and v5.3.0. And yes, SONAR_TOKEN is there and it’s valid.

Looks like args are not well managed, as it works on v5.3.1 after commenting them:

      - name: "SonarQube Scan"
        uses: SonarSource/sonarqube-scan-action@v5.3.1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        with:
          projectBaseDir: .
      #    args: >
      #      -Dsonar.python.coverage.reportPaths=coverage.xml

Hello,

Apologies for the inconvenience, we acknowledge the quotes regression and we are looking into this.

@rceluch-pg, I agree with @kronenthaler that this is another issue, but rather related to the token than to the arguments, as I could not reproduce it with a similar example here.
Please check if there is something else besides the commented-out args in your latest post that could have resolved the issue.

Thanks,
Aleksandra


Hi Aleksandra, I don’t see -Dsonar.python.coverage.reportPaths or any path related attribute in your repro. Anyway, our issue must be related to the original issue with “quoting” because below works for us, when I just added single quotes for -Dsonar.python.coverage.reportPaths value:

      - name: "SonarQube Scan"
-       uses: SonarSource/sonarqube-scan-action@v5.2.0
+       uses: SonarSource/sonarqube-scan-action@v5.3.1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        with:
          projectBaseDir: .
          args: >
-           -Dsonar.python.coverage.reportPaths=coverage.xml
+           -Dsonar.python.coverage.reportPaths='coverage.xml'
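
Review bot: the single quotes added on the `+` `reportPaths` line are not something the value itself needs (`coverage.xml` contains no spaces), so without explanation they look accidental and are likely to be removed in a later cleanup. Add a YAML comment above `args:` saying they work around argument handling in v5.3.1, or move the property into sonar-project.properties so the step does not depend on how the action parses `args`.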

Hello @aleksandrabozhinoska, I recently tried the new v6 and with the recommended adjustments it works as expected.
