SonarQube vs SonarScanner: what does what


I’ve been searching around for information about exactly what roles SonarQube and the SonarScanners have, and I’m still a bit confused.

FYI: I’m using SonarQube docker 10.3, sonar-scanner 2.7 and sonar-scanner-msbuild 5.15.0.

The two most relevant pieces of information I have are from the SonarQube documentation:

and a question from this forum:

Yet I still wonder: what are the SonarScanners actually doing?

  • Do they simply send the code, the actual text, to SonarQube, and SonarQube runs the analysis and provides a graphical display?

  • Do they perform the code analysis and send the result to SonarQube? In this case, is SonarQube just a graphical display of data sent by the wrapper?

My last question depends on the answer to the above questions:

  • Why do we need a wrapper, except for having unit test results, if it just sends files to SonarQube for static code analysis? The underlying question here is: wouldn’t it be faster to provide a given branch of a git repository for SonarQube to check it out and perform its analysis?

Thanks in advance for your time,

Hey there.

The sonar-scanner orchestrates and runs the analysis, generating all the data (issues) that is sent to SonarQube for processing (tracking issues, computing measures, and integrating with other services such as running Webhooks or decorating pull requests).

With the sonar-scanner you would just have a list of issues. With SonarQube, you can track the state of your codebase over time, manage the results, and make sure you focus on, for example, new code.

This is something that’s possible with SonarCloud + GitHub and Automatic Analysis, although it has some limitations described in the docs.



Thanks a lot 🙂 much clearer now!

Then, if I fully understand how Sonar is working:

  • If I need compatibility with new cybersecurity issues (CWE and new OWASP that would be released after OWASP-2021), I would have to update both the sonar-scanner, for it to properly find the issues, and SonarQube, to display the issues with the proper filter?

  • If I need compatibility with a new language revision (let’s say C++24 or .Net 8.0) that was not supported before, I simply need to update the SonarScanner, as it is the one performing the analysis and SonarQube only manages the display?


The sonar-scanner is occasionally updated to interact better with SonarQube, but ultimately it’s downloading all the logic from SonarQube. So you should keep the sonar-scanner updated, but for new rules and new language revisions, what really matters is the SonarQube version.


Thank you, you answered all my questions 🙂
