Hi team,
We’ve been facing a persistent issue with JS taint analysis in SonarQube for the past 6–8 months. One of our repositories consistently takes over an hour to complete the scan, while other repositories finish within 5–7 minutes.
We are running SonarQube Developer Edition v2025.3 via Helm on Kubernetes at the moment, and we’ve already tried the following steps:
• Increased container memory to 6GB requests / 8GB limits
• Deployed SonarQube on a dedicated instance
• Upgraded to the latest Developer Edition (v2025.3)
Despite these efforts, the scan time hasn’t improved. Upon investigation, we found that the majority of the time is spent during the “Taint analysis for js” phase. Here’s a snippet from the logs:
INFO: Taint analysis for js: Starting
INFO: 0 / 5386 UCFGs simulated, memory usage: 440 MB
INFO: 76 / 5386 UCFGs simulated, memory usage: 370 MB
INFO: 188 / 5386 UCFGs simulated, memory usage: 308 MB
INFO: 291 / 5386 UCFGs simulated, memory usage: 508 MB
INFO: 452 / 5386 UCFGs simulated, memory usage: 813 MB
INFO: 545 / 5386 UCFGs simulated, memory usage: 473 MB
INFO: 586 / 5386 UCFGs simulated, memory usage: 597 MB
INFO: 732 / 5386 UCFGs simulated, memory usage: 909 MB
INFO: 785 / 5386 UCFGs simulated, memory usage: 838 MB
INFO: 891 / 5386 UCFGs simulated, memory usage: 847 MB
INFO: 1085 / 5386 UCFGs simulated, memory usage: 328 MB
INFO: 1211 / 5386 UCFGs simulated, memory usage: 588 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 627 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 356 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 931 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 912 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 1033 MB
INFO: 1257 / 5386 UCFGs simulated, memory usage: 715 MB
INFO: 1271 / 5386 UCFGs simulated, memory usage: 1986 MB
INFO: 1309 / 5386 UCFGs simulated, memory usage: 1515 MB
INFO: Taint analysis for js: Time spent was 00:46:13.927
We’d appreciate guidance on:
• How we can reduce the taint analysis time
• What might be causing this unusually long scan for this specific repo
• Any tunable settings or exclusions we should consider
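A small log-reading helper, added here as an example (it is not part of the original post and not SonarQube's own tooling), that parses the progress lines quoted above, finds where the UCFG counter stops advancing between progress reports, and records the peak reported memory and total time. It assumes only the line format shown in the post; the embedded input is a constructed subset of those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the progress lines quoted in the post above.
SAMPLE_LOG = """\
INFO: Taint analysis for js: Starting
INFO: 0 / 5386 UCFGs simulated, memory usage: 440 MB
INFO: 1211 / 5386 UCFGs simulated, memory usage: 588 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 627 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 356 MB
INFO: 1237 / 5386 UCFGs simulated, memory usage: 931 MB
INFO: 1245 / 5386 UCFGs simulated, memory usage: 912 MB
INFO: 1271 / 5386 UCFGs simulated, memory usage: 1986 MB
INFO: Taint analysis for js: Time spent was 00:46:13.927
"""

PROGRESS_RE = re.compile(r"^INFO: (\d+) / (\d+) UCFGs simulated, memory usage: (\d+) MB$")
TIME_RE = re.compile(r"Time spent was (\d+):(\d+):(\d+)\.(\d+)")


@dataclass
class TaintSummary:
    total_ucfgs: int
    completed_ucfgs: int          # highest counter value seen
    peak_memory_mb: int
    stalls: List[Tuple[int, int]]  # (counter value, consecutive reports with no progress)
    seconds_spent: Optional[float]


def summarize_taint_log(text: str) -> TaintSummary:
    """Summarize 'Taint analysis for js' progress output.

    Assumption: progress lines are emitted periodically, so a counter value that
    repeats across several reports marks a UCFG (function) that took unusually
    long to simulate; those are the spots worth looking at first.
    """
    total, peak, seconds = 0, 0, None
    last_count: Optional[int] = None
    run, stalls = 0, []
    for line in text.splitlines():
        m = PROGRESS_RE.match(line.strip())
        if m:
            count, total, mem = (int(g) for g in m.groups())
            peak = max(peak, mem)
            if count == last_count:
                run += 1
            else:
                if run >= 2:
                    stalls.append((last_count, run))
                last_count, run = count, 1
            continue
        t = TIME_RE.search(line)
        if t:
            h, mi, s, ms = (int(g) for g in t.groups())
            seconds = h * 3600 + mi * 60 + s + ms / 1000
    if run >= 2:
        stalls.append((last_count, run))
    return TaintSummary(total, last_count or 0, peak, stalls, seconds)
```

Running `summarize_taint_log` over a full scanner log lists every counter value the analysis lingered on, which narrows the search for the file or function that dominates the 46 minutes.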