By SonarSource – MIT – Issue Tracker
The SonarScanner for MSBuild is the recommended way to launch a SonarQube or SonarCloud analysis for projects and solutions that use MSBuild or the dotnet command as their build tool. It is the result of a collaboration between SonarSource and Microsoft.
It supports .NET Core multi-platform projects and can be used on non-Windows platforms.
Compatibility and Installation
There are two versions of the SonarScanner for MSBuild.
The first version is based on the “classic” .NET Framework. To use it, execute the following commands from the root folder of your project:
Note: On macOS or Linux, you can also use “mono <path to SonarScanner.MSBuild.exe>”.
The second version is based on .NET Core, and its usage is very similar:
Note: The .NET Core version of the scanner does not support TFS XAML builds. Apart from that, the two versions of the scanner have the same capabilities and command line arguments.
The begin step is executed when you add the `begin` command line argument. It hooks into the MSBuild pipeline, downloads the SonarQube quality profiles and settings, and prepares your project for the analysis.
Command Line Parameters
|/k:<project-key>||[required] Specifies the key of the analyzed project in SonarQube|
|/n:<project name>||[optional] Specifies the name of the analyzed project in SonarQube. Adding this argument will overwrite the project name in SonarQube if it already exists.|
|/v:<version>||[recommended] Specifies the version of your project.|
|/d:<analysis-parameter>=<value>||[optional] Specifies an additional SonarQube analysis parameter; you can add this argument multiple times. For more information, see Analysis Parameters.|
The "begin" step will modify your build like this:
- all existing code analyzers that are referenced by your projects will be disabled and only analyzers from SonarQube plugins will be executed
- the active CodeAnalysisRuleSet will be updated to match the SonarQube quality profile
- WarningsAsErrors will be turned off
If your build process cannot tolerate these changes, we recommend creating a second build job for the SonarQube analysis.
Building your Project
Between the "begin" and "end" steps, you need to build your project, execute tests and generate code coverage data. This part is specific to your needs and is not detailed here.
The end step is executed when you add the "end" command line argument. It cleans up the MSBuild hooks, collects the analysis data generated by the build, the test results and the code coverage, and then uploads everything to SonarQube.
Command Line Parameters
There are only two additional arguments that are allowed for the end step:
|/d:sonar.login=<username> or <token>||[optional] This argument is required if it is added to the begin step.|
[optional] This argument is required if it is added to the begin step and not required if you are using <token>
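The begin, build and end steps described above, written as one script for a dedicated analysis job that uses the .NET Core scanner. This is an added example, not SonarSource's own script; the environment variable names, the `DRY_RUN` switch and the location of `SonarScanner.MSBuild.dll` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names (not from the page): SCANNER_DLL, SOLUTION,
# SONAR_PROJECT_KEY, SONAR_PROJECT_VERSION, SONAR_TOKEN, DRY_RUN.
SCANNER_DLL="${SCANNER_DLL:-./SonarScanner.MSBuild.dll}"   # assumed location

# Run a command, or only print it when DRY_RUN is set. The printed form masks
# the sonar.login value so the token never reaches the job log. Avoid `set -x`
# in this job for the same reason.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*" | sed 's/\(sonar\.login=\)[^ ]*/\1***/'
    else
        "$@"
    fi
}

scanner() { run dotnet "$SCANNER_DLL" "$@"; }

begin_step() {
    if [ -z "${SONAR_PROJECT_KEY:-}" ]; then
        echo "SONAR_PROJECT_KEY is required (/k:)" >&2
        return 2
    fi
    set -- begin "/k:$SONAR_PROJECT_KEY"
    if [ -n "${SONAR_PROJECT_VERSION:-}" ]; then set -- "$@" "/v:$SONAR_PROJECT_VERSION"; fi
    if [ -n "${SONAR_TOKEN:-}" ]; then set -- "$@" "/d:sonar.login=$SONAR_TOKEN"; fi
    scanner "$@"
}

end_step() {
    set -- end
    # sonar.login must be repeated here whenever it was passed to begin.
    if [ -n "${SONAR_TOKEN:-}" ]; then set -- "$@" "/d:sonar.login=$SONAR_TOKEN"; fi
    scanner "$@"
}

analyze() {
    begin_step || return 1
    # Tests and coverage collection, if any, also belong between begin and end.
    run dotnet build "${SOLUTION:?set SOLUTION to the solution path}" || return 1
    end_step
}

# Nothing runs unless the script is called as: sh analyze.sh analyze
if [ "${1:-}" = "analyze" ]; then analyze; fi
```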
- MSBuild versions older than 14 are not supported.
- Web Application projects are supported. Legacy Web Site projects are not.
- Projects targeting multiple frameworks and using preprocessor directives could have slightly inaccurate metrics (lines of code, complexity, etc.) because the metrics are calculated only from the first of the built targets.