What's the purpose of the scanner if SonarCloud is able to scan the raw code from the repo?

I have a public golang repo on GitHub and I set up a Sonar project for it.

It was able to scan the code directly.

Does this mean my language (golang) doesn't require me to run the scanner in my build pipeline? What would I need to run the scanner for? Would it pick up more stuff? Is it needed for branch analysis? Or maybe it's only needed if I have a private repo and SonarCloud doesn't provide public IPs for whitelisting?

I don’t even have a sonar project config file in the repo yet.

OK, I googled a little more and now I know this is something called "automatic analysis", and it has limitations: Automatic analysis & SonarCloud

It also appears SonarCloud does not provide static public IPs for whitelisting (which is probably a deal breaker for some orgs that want to restrict at the network boundary). Is this still the case? See: GitHub IP Whitelist and SonarCloud
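As an added example (not part of the original post and not SonarSource's own documentation), this is the kind of CI-based analysis the question is asking about: a GitHub Actions workflow that runs the Go tests with a coverage profile and then hands that report to SonarCloud. The point it illustrates is the main practical difference from automatic analysis: automatic analysis only reads the source tree and never executes anything, so it cannot import test coverage, whereas a scanner step in the pipeline can. The organization key, project key, secret name, Go version and the action name and tag are assumptions; check the current SonarSource-recommended action before copying. Note that SonarCloud does not let automatic analysis and CI-based analysis run on the same project, so automatic analysis has to be switched off in the project's administration settings before this workflow runs.

```yaml
# .github/workflows/sonar.yml  (added example; names and versions are assumptions)
name: sonar
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so SonarCloud can tell "new code" from old code and
          # attribute issues correctly; a shallow clone degrades this.
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'   # assumption: pick the version your module declares

      # Produce the coverage report that automatic analysis can never obtain:
      # automatic analysis only reads the source tree, it does not run tests.
      - name: Test with coverage
        run: go test ./... -coverprofile=coverage.out

      # Run the scanner. The -D arguments could equally live in a
      # sonar-project.properties file at the repo root.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master   # assumption: confirm the current action/tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # used for pull-request decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # assumption: SonarCloud token stored as a repo secret
        with:
          args: >
            -Dsonar.organization=my-org
            -Dsonar.projectKey=my-org_my-repo
            -Dsonar.sources=.
            -Dsonar.exclusions=**/*_test.go,**/vendor/**
            -Dsonar.tests=.
            -Dsonar.test.inclusions=**/*_test.go
            -Dsonar.go.coverage.reportPaths=coverage.out
```

Two things worth knowing before relying on this: `SONAR_TOKEN` is a repository secret, and GitHub does not expose repository secrets to `pull_request` runs triggered from forks, so pull requests from forks of a public repo will not be analysed by this workflow (which is the safe default, since a fork could otherwise exfiltrate the token); and the `-D` properties above are the same ones you would put in `sonar-project.properties` without the `-D` prefix if you prefer to keep them in the repo.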


The docs should help.