Third-party library scanning

I understand that SonarCloud does not provide scan analysis for third-party tools.

I’m looking for some sort of statement that describes that it does not scan these.

Thanks

Hello,

I need you to clarify your question because there is a discrepancy between the title and the content.

Are you asking if SonarCloud can find problems related to dependencies such as if you are using a dependency that contains a vulnerability or if SonarCloud is able to load results from third-party linters?

The first use case, generally called SCA, is not supported by SonarCloud.
The second use case is supported and here is the documentation: External Analyzer Reports | SonarCloud Docs

Alex

@Alexandre_Gigleux,

Thank you for your reply.

To clarify: I am asking about SCA. Is there any posted documentation that SonarCloud does not support SCA?

Hi @antigravitygoat,

We support static analysis, including SAST. There are a lot of things we don’t support (e.g. IE 11 :wink:), but we don’t take the time to publish statements to that effect.

That said, what is supported is the import of external analyzer reports (as linked above) and of Generic Issue reports. Which means that you can run an SCA tool before analysis, translate the output into the Generic Issue format, and import that with analysis. But we won’t run the SCA scan for you.

HTH,
Ann

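The "run an SCA tool, translate, import" workflow Ann describes, as an added example that is not part of the original thread and not SonarCloud's or any SCA vendor's code. It takes a constructed, deliberately simplified SCA result (real tools each have their own JSON schema, so `to_generic_issues()` would be adapted to the one you use), finds the line in a `requirements.txt`-style manifest where each flagged package is declared so the issue lands on that line, and writes Sonar's Generic Issue JSON. The field names (`engineId`, `ruleId`, `severity`, `type`, `primaryLocation`, `textRange`) are the Generic Issue format as documented by Sonar; the `sca-bridge` engine name, the `EXAMPLE-*` identifiers and the CVSS-to-severity mapping are assumptions made for this example.

```python
"""Bridge a dependency (SCA) scan result into Sonar's Generic Issue JSON.

Added example for this thread: not SonarCloud's code and not any SCA tool's
own exporter. The SCA report shape below is constructed and simplified;
adapt to_generic_issues() to the real schema of the tool you run.
"""
import json
import re
from typing import Optional

# Constructed sample input: what a simplified SCA report might look like.
# The identifiers are placeholders, not real advisories.
SAMPLE_SCA_REPORT = {
    "findings": [
        {"package": "requests", "version": "2.19.0", "id": "EXAMPLE-0001",
         "cvss": 8.1, "title": "constructed finding A"},
        {"package": "urllib3", "version": "1.24.1", "id": "EXAMPLE-0002",
         "cvss": 4.3, "title": "constructed finding B"},
    ]
}

# Constructed manifest that the analysis would see under the project base dir.
SAMPLE_REQUIREMENTS = "flask==1.0.2\nrequests==2.19.0\nurllib3==1.24.1\n"


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score to a Sonar severity (assumed mapping; adjust to policy)."""
    if score >= 9.0:
        return "BLOCKER"
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "MAJOR"
    if score > 0.0:
        return "MINOR"
    return "INFO"


def _normalize(name: str) -> str:
    # Treat "Foo_Bar", "foo-bar" and "foo.bar" as the same package name.
    return re.sub(r"[-_.]+", "-", name).lower()


def find_declaration_line(manifest_text: str, package: str) -> Optional[int]:
    """1-based line where `package` is declared in a requirements.txt-style
    manifest, or None if it is not declared there (e.g. a transitive dependency)."""
    wanted = _normalize(package)
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", stripped)
        if m and _normalize(m.group(1)) == wanted:
            return lineno
    return None


def to_generic_issues(sca_report: dict, manifest_path: str, manifest_text: str) -> dict:
    """Build the {"issues": [...]} document that sonar.externalIssuesReportPaths expects."""
    issues = []
    for f in sca_report["findings"]:
        location = {
            "message": f"{f['package']} {f['version']}: {f['title']} [{f['id']}]",
            "filePath": manifest_path,  # relative to the analysis base dir, must be analysed
        }
        line = find_declaration_line(manifest_text, f["package"])
        if line is not None:
            # Pin the issue to the declaring line; otherwise it stays a file-level issue.
            location["textRange"] = {"startLine": line, "endLine": line}
        issues.append({
            "engineId": "sca-bridge",   # assumed name for this converter
            "ruleId": f["id"],
            "severity": cvss_to_severity(f["cvss"]),
            "type": "VULNERABILITY",
            "primaryLocation": location,
        })
    return {"issues": issues}


if __name__ == "__main__":
    report = to_generic_issues(SAMPLE_SCA_REPORT, "requirements.txt", SAMPLE_REQUIREMENTS)
    with open("sonar-sca-issues.json", "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    print("wrote sonar-sca-issues.json; pass it with sonar.externalIssuesReportPaths")
```

Run the SCA tool first, run this converter, then start the Sonar analysis with `sonar.externalIssuesReportPaths=sonar-sca-issues.json`. Two practical points: `filePath` has to name a file that is actually part of the analysed sources, or the issue is dropped, and a package that is only pulled in transitively will not be found in the manifest, so the example falls back to a file-level issue rather than inventing a line. Check the field names against the External Analyzer Reports documentation linked above before relying on them, since the format has been extended over time.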

Thank you. That looks like a plausible solution for me.
