SonarScanner CLI - does it use API calls in the backend?

Does anyone know if the SonarScanner CLI uses APIs on the backend to do the actual scanning? And does the SonarScanner CLI command send code/projects to your SonarQube instance? Or does it scan at the location of where the folder/command is run?

There is not much documentation on how SonarScanner CLI actually works once the command is executed.

Hi Dennis, welcome to the community!

The scanner performs its work on the machine it runs on.
That being said, it will make calls to the server (SonarQube/SonarCloud) in the following phases:

  • Downloading the analyzers it needs based on which languages are present in the project
  • Downloading the quality profile for the project
  • Uploading the results of the scan and the corresponding code so it can be presented in SonarQube/SonarCloud

Hope this clarifies things,
Denis

Thanks for the quick reply Denis! I really appreciate it!

One more question Denis - does the uploading of the results and corresponding code happen through a POST call/web API? And is there any way for the command to allow for authorization in the request header? Does sonar scanner need direct access to the SONAR_HOST_URL?

My use case is running a scan that needs to connect to a SonarQube instance that is behind an Akamai gateway and the command is failing/returning errors. POST/GET calls from the same machine with authorization parameters do work, only the command fails.

I would assume there are indeed some POST requests in there :)
Beyond that, I’m afraid my knowledge on the subject is too limited to answer that particular question, but I will tag the proper team so they can follow up on that.

In the meantime, could you elaborate on what authorization your gateway requires?

Authorization happens with OAuth2.0 (we provide an id and secret and they return an access token). Thanks again for the info!

The answer is yes.

Nothing is built into SonarQube.

Another user solved this for Cloudflare using the Cloudflare WARP client. Does Akamai have anything similar?
