which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension): Enterprise Edition v2025.3.1 (109879)
how is SonarQube deployed: Docker
what are you trying to achieve:
I’m trying to make SonarQube branch scans display new code compared to a reference branch. By configuring the reference branch either through UI or command line I get the initial scan to display new code compared to our reference branch.
The problem is that consecutive scans lose the new code comparison for the reference branch and instead just display new code compared to previous scans on the current branch.
I am expecting to see all these scans to have their new code be displayed in comparison to the reference branch, not the previous scan which seems to be the case here.
I am also expecting to see the same Quality Gates fail on all of these scans as I haven’t added any code past the initial scan.
Am I misinterpreting the reference branch functionality or is there some config that I’ve missed?
I added -Dsonar.sources="docker" to my sonar-scanner command to get rid of some warnings the scanner got when trying to scan .git files. Now that I’m browsing the local scanner output I can’t see any errors or warnings except this one:
Your code is analyzed as compatible with all Python 3 versions by default. You can get a more precise analysis by setting the exact Python version in your configuration via the parameter "sonar.python.version"
which is the same warning that can be seen in the pictures above.
Are you interested in the local output of the scan command?
I’ve tried every version of sonar-scanner, from 5.0.1.3006 to 7.2.0.5079.
Are all the relevant branches up to date? Did you make sure the prerequisites are all in place?
That’s not going to do anything but narrow analysis to only files/directories under docker. Is that what you intended? If your goal is to exclude hidden files from analysis, then set sonar.scanner.excludeHiddenFiles=true.
Yes, the goal with -Dsonar.sources="docker" was to exclude some unnecessary files from being scanned, to get rid of some warnings and make the terminal output easier to read. sonar.scanner.excludeHiddenFiles was a useful trick though, so thank you.
As for the prerequisites:
The pull request source branch is checked out in the CI/CD host’s local repository.
As per my git branch command you can see that HEAD for my local branch is the same commit hash as its upstream.
BRANCH NAME COMMIT UPSTREAM
test ac73c73 [origin/test]
remotes/origin/test ac73c73
What you can’t see is that my local refs are up to date, but I’ve checked and they are:
test-double-ms$ git fetch; echo $?
0
The branch being targeted by the pull request (target branch) is fetched in the CI/CD host’s local repository
HEAD for my local master branch is the same as its upstream:
BRANCH NAME COMMIT UPSTREAM
master e3edf93 [origin/master]
remotes/origin/master e3edf93
The CI/CD host’s local repository contains valid repository metadata
I don’t know what data sonar-scanner needs from .git but it’s valid enough to use standard git commands like push and pull and so forth.
The history ought to be long enough for sonar too:
The code in the CI/CD host’s local repository matches the code in the remote repository
Don’t know if this one is relevant as I’m pushing the code to the repo and running the sonar-scanner locally. There is no need for me to push, then pull, then scan.
If you use AWS CodeBuild
We don’t use this.
Is there anything else from the guides that I should check?
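The prerequisite walk-through above can be turned into a pre-flight check that runs before sonar-scanner, so a reference-branch comparison is only attempted when the conditions actually hold. This is an added example, not code from the thread or from SonarSource; it assumes the remote is named origin, that the branch and reference names are passed as arguments, and that SONAR_TOKEN and SONAR_HOST are set in the environment as in the command shown later in the thread.

```shell
#!/bin/sh
# Pre-flight checks for "new code vs reference branch" analysis (added example).
# Assumption: the remote is called "origin".

# 0 if the local branch and origin/<branch> point at the same commit.
branch_in_sync() {
  branch="$1"
  local_sha=$(git rev-parse --verify -q "refs/heads/$branch") || return 1
  remote_sha=$(git rev-parse --verify -q "refs/remotes/origin/$branch") || return 1
  [ "$local_sha" = "$remote_sha" ]
}

# 0 if the clone is not shallow, i.e. full history is available for new-code detection.
has_full_history() {
  [ "$(git rev-parse --is-shallow-repository)" = "false" ]
}

# 0 if the reference branch exists on origin (a name like FOOBAR would fail here).
reference_exists() {
  git rev-parse --verify -q "refs/remotes/origin/$1" >/dev/null
}

# Run every check; returns 0 only when all prerequisites hold, printing what failed.
check_prereqs() {
  branch="$1"; reference="$2"; ok=0
  git fetch --all --quiet || { echo "git fetch failed"; return 1; }
  reference_exists "$reference" || { echo "reference branch '$reference' not on origin"; ok=1; }
  branch_in_sync "$branch" || { echo "local $branch differs from origin/$branch"; ok=1; }
  branch_in_sync "$reference" || { echo "local $reference differs from origin/$reference"; ok=1; }
  has_full_history || { echo "shallow clone: new-code detection needs full history"; ok=1; }
  [ -z "$(git status --porcelain)" ] || { echo "working tree not clean"; ok=1; }
  return $ok
}

# Usage: run_scan <branch> <reference-branch>; refuses to scan if a prerequisite fails.
run_scan() {
  check_prereqs "$1" "$2" || return 1
  sonar-scanner -Dsonar.branch.name="$1" \
    -Dsonar.newCode.referenceBranch="$2" \
    -Dsonar.token="$SONAR_TOKEN" -Dsonar.host.url="$SONAR_HOST" \
    -Dsonar.scanner.excludeHiddenFiles=true
}
```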
So analysis is not running on a CI build agent, but locally? FWIW, that’s not considered best practice.
Can you provide your analysis log?
The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.
test-double-ms$ git fetch --all
test-double-ms$ git branch --all -vv
master e3edf93 [origin/master]
* test ac73c73 [origin/test]
remotes/origin/HEAD -> origin/master
remotes/origin/master e3edf93
remotes/origin/test ac73c73
test-double-ms$ git status
On branch test
Your branch is up to date with 'origin/test'.
nothing to commit, working tree clean
test-double-ms$ sonar-scanner -Dsonar.branch.name=test -Dsonar.projectName=test-double-ms -Dsonar.projectKey=levpl:test-double-ms -Dsonar.token=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST -Dsonar.newCode.referenceBranch=master -Dsonar.scanner.excludeHiddenFiles=true
I got curious and tried to set the reference branch to FOOBAR, a branch that does not exist: sonar-scanner -Dsonar.branch.name=test -Dsonar.projectName=test-double-ms -Dsonar.projectKey=levpl:test-double-ms -Dsonar.token=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST -Dsonar.newCode.referenceBranch=FOOBAR -Dsonar.scanner.excludeHiddenFiles=true
This resulted in the exact same behaviour as when I use master, which does exist.
How is “master” spelled (capitalization counts!) in SonarQube? Is it possible that your use of quotes has injected leading or trailing whitespace in the name?
The name is master, no capital letters, no whitespaces.
This is how the Sonar GUI displays the master branch (picture from Project Settings → New Code):