SonarQube scan - cannot find module 'postcss-cscc'

  • Versions:
    • SonarQube v10.3.0.82913
    • SonarQube Azure DevOps extension v5.17.2
  • SonarQube deployed in Docker
  • what are you trying to achieve: Trying to successfully scan our source code using the Azure DevOps extension
  • what have you tried so far to achieve this: I’ve had a pipeline set up using the extension for a couple of months and it has worked successfully in our last few pushes to prod.

In our latest sprint we have pushed some new code to source that is being included in our SonarQube scan. I’m not entirely sure where (I’m not actively developing on the project lately; more handling devops-related tasks outside of the actual development) but I assume there has been an influx of new code that is picked up by SonarQube’s css sensors.

The pipeline I built has worked successfully before when it appeared that there were no css files to analyze; however, now I’m encountering the following error in my pipeline during the Run Code Analysis task using the SonarQube ADO extension:

INFO: Sensor CSS Rules [javascript]
INFO: 256 source files to be analyzed
##[error]ERROR: Error: Cannot find module 'postcss-cscc'
ERROR: Error: Cannot find module 'postcss-cscc'

Since the pipeline hasn’t analyzed css files before I’m unsure how to tackle this. I haven’t been able to find any other topics mentioning css analysis using this module specifically, either. I tried investigating if there was a way to install postcss-cscc on the build agent or in the Docker container hosting SonarQube but have come up empty handed in those efforts as well.

What is going on here? How can I enable css analysis if SonarQube cannot find this module?



Welcome to the community!

I have a few questions. First, I think it’s implicit in what you’ve written, but I want to be sure: does your project have a module named postcss-cscc?

Second, do you want to analyze your CSS? Doing so is best-practice, but an easy out should be to simply exclude **/*.css from analysis.

Assuming you do want to analyze CSS, and we need to diagnose and fix this, could you provide a debug analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.


Hi Ann,

Thank you for your follow-up. I’ve done a little more digging and it does appear that we reference some npm packages which utilize a module named postcss-cscc. I was under the impression that this was some tool or package that SonarQube itself was attempting to use but could not find.

Consequently, I attempted to add a build step in my pipeline to navigate to the directory including our SPA files and run npm ci followed by npm install to attempt to rectify the issue by getting all package data before the scan. The error still occurs. Just as a proof I added the file exclusion you referred to above but I’m still getting the errors. Most of our CSS is declared within our .vue files which are developed for our UI and which we would like to scan, so I cannot add exclusions for those.

Please find attached a snippet of the error I am seeing in the analysis logs - hopefully this is what you were looking for. None of this appears to be referring specifically to the source code I am scanning, although I may be mistaken.
SonarQube Debug Analysis Log.txt (4.6 KB)



Can we have the full analysis log, please?


Ann -

I ended up resolving this issue by updating the version of Node our build agent was running. Previous version was 16.x, new version that is working is 20.x.


1 Like