sonar_scan_project
Scan a project with SonarQube and return analysis results.
Description
This is the primary tool for running SonarQube analysis. It supports both first-time scans (with automatic project setup) and subsequent scans of existing projects.
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| projectPath | string | No* | Current dir | Full absolute path to the project directory |
| autoSetup | boolean | Yes | - | true for the first scan, false for subsequent scans |
| severityFilter | array | No | All | Keep only these severities: BLOCKER, CRITICAL, MAJOR, MINOR, INFO |
| typeFilter | array | No | All | Keep only these issue types: BUG, VULNERABILITY, CODE_SMELL |

* Required when autoSetup is false.
Always specify autoSetup. This is the most important parameter:
- autoSetup: true - Creates the SonarQube project, generates an authentication token, then runs the scan
- autoSetup: false - Uses the existing project; requires projectPath
Project Configuration
| Variable | Default | Description |
|---|---|---|
| FORCE_CLI_SCANNER | false | Bypass the Maven/Gradle plugins and use the sonar-scanner CLI |
Forcing CLI Scanner
For Maven or Gradle projects, the scan normally goes through the build tool's SonarQube plugin (maven-sonar-plugin or the sonarqube gradle plugin), which takes source directories, compiled classes and the classpath from the build itself. To force the standalone sonar-scanner CLI instead, add to your bobthefixer.env:
# bobthefixer.env
FORCE_CLI_SCANNER=true
When to use:
- Maven/Gradle plugins cause conflicts or errors
- Need consistent scanner behavior across different project types
- Debugging scanner-specific issues
- CI/CD pipelines with pre-installed sonar-scanner

Caveat: the CLI scanner does not read pom.xml or build.gradle, so a Java/Kotlin project then needs its source directories and compiled-class location (sonar.sources, sonar.java.binaries) declared in sonar-project.properties (sonar_generate_config can create it), and the project must be compiled before the scan runs; otherwise the Java analyzer stops with a request for sonar.java.binaries.
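As an added example (not a file generated by Bob the Fixer or sonar_generate_config), this is the kind of sonar-project.properties a standard-layout Maven project needs once FORCE_CLI_SCANNER=true, because nothing reads the pom.xml any more. The project key, the directory names and the use of SONAR_HOST_URL/SONAR_TOKEN for connection settings are assumptions for a typical layout; run `mvn compile` (or a full build) first so that target/classes exists.

```properties
# sonar-project.properties (added example; assumes a standard Maven layout)
sonar.projectKey=my-awesome-app
sonar.projectName=my-awesome-app
sonar.sourceEncoding=UTF-8

# The plugin would derive these from the pom; the CLI scanner must be told.
sonar.sources=src/main/java
sonar.tests=src/test/java

# Required for Java: the analyzer needs the compiled classes, and fails the
# scan with a request for this property when it is missing.
sonar.java.binaries=target/classes

# Optional, improves type resolution; needs `mvn dependency:copy-dependencies`
# to have populated target/dependency first.
sonar.java.libraries=target/dependency/*.jar

# Server URL and token are taken from the SONAR_HOST_URL and SONAR_TOKEN
# environment variables. Do not put sonar.token into this committed file.
```

Without sonar.java.binaries the CLI scan of a Maven project fails even though the same project scans cleanly through the plugin, which is the most common surprise after switching FORCE_CLI_SCANNER on.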
Usage Patterns
First Scan (New Project)
Scan this project with Bob the Fixer, use autoSetup: true
Tool call:
{
"autoSetup": true
}
Subsequent Scans
Scan again to verify my fixes
Tool call:
{
"projectPath": "/Users/dev/my-project",
"autoSetup": false
}
Filtered Scan
Show me only critical and blocker bugs
Tool call:
{
"projectPath": "/Users/dev/my-project",
"autoSetup": false,
"severityFilter": ["BLOCKER", "CRITICAL"],
"typeFilter": ["BUG"]
}
Response Format
📊 SonarQube Analysis Complete
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Project: my-awesome-app
Scanner: sonar-scanner-cli
Quality Gate: ❌ FAILED
📈 Summary:
Total Issues: 47
🔴 BLOCKER: 2 (security vulnerabilities)
🟠 CRITICAL: 5 (critical bugs)
🟡 MAJOR: 15 (significant code smells)
🟢 MINOR: 20 (minor improvements)
ℹ️ INFO: 5 (suggestions)
📊 Metrics:
Coverage: 67.3%
Duplication: 4.2%
Tech Debt: 3d 4h
💡 Recommendation: Start with BLOCKER and CRITICAL issues
ISSUES:
1. [BLOCKER] SQL Injection Vulnerability
File: src/db/queries.ts:45
Key: AYx123abc456
2. [BLOCKER] Hardcoded Password
File: src/config/auth.ts:12
Key: AYx123abc457
...
Scanner Types
The response shows which scanner executed the analysis:
| Scanner | Description |
|---|---|
| sonar-scanner-cli | Standalone CLI scanner |
| maven-sonar-plugin | Maven plugin (Java projects) |
| sonarqube-gradle-plugin | Gradle plugin (Java/Kotlin projects) |
Examples
Example 1: First-Time Project Scan
Prompt:
I want to analyze my TypeScript project for the first time
Tool Call:
{
"autoSetup": true
}
What Happens:
- Discovers project type (TypeScript)
- Creates SonarQube project
- Applies "balanced" quality gate
- Generates authentication token
- Runs analysis
- Returns issue summary
Example 2: Re-scan After Fixes
Prompt:
I fixed those issues, scan again to confirm
Tool Call:
{
"projectPath": "/Users/dev/my-project",
"autoSetup": false
}
Example 3: Security-Focused Scan
Prompt:
Show me all security vulnerabilities in this project
Tool Call:
{
"projectPath": "/Users/dev/my-project",
"autoSetup": false,
"typeFilter": ["VULNERABILITY"]
}
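Severity and issue type are independent axes in SonarQube, which is why the Filtered Scan above combines severityFilter and typeFilter and why Example 3 filters on type alone. The following is an added example, not code from Bob the Fixer: it reproduces the filter semantics assumed here (each filter is a whitelist, both must match) over a constructed issue list whose field names follow the SonarQube issues API, and shows what a severity-only filter silently drops.

```python
"""Apply sonar_scan_project-style severityFilter/typeFilter to issues.

Added example, not part of Bob the Fixer. The issues below are constructed;
the assumed semantics are: each filter is a whitelist, an absent or empty
filter means "All", and an issue must pass both filters (AND).
"""
from collections import Counter

SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")
TYPES = ("BUG", "VULNERABILITY", "CODE_SMELL")

# Constructed sample. Note that severity and type vary independently:
# a VULNERABILITY can be MINOR and a BUG can be BLOCKER.
SAMPLE_ISSUES = [
    {"key": "k1", "severity": "BLOCKER", "type": "VULNERABILITY",
     "component": "src/db/queries.ts", "line": 45, "message": "SQL injection"},
    {"key": "k2", "severity": "BLOCKER", "type": "BUG",
     "component": "src/api/handler.ts", "line": 9, "message": "Null dereference"},
    {"key": "k3", "severity": "CRITICAL", "type": "BUG",
     "component": "src/api/handler.ts", "line": 30, "message": "Resource leak"},
    {"key": "k4", "severity": "MINOR", "type": "VULNERABILITY",
     "component": "src/config/cors.ts", "line": 3, "message": "Permissive CORS"},
    {"key": "k5", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "src/util/fmt.ts", "line": 12, "message": "Cognitive complexity"},
]


def apply_filters(issues, severity_filter=None, type_filter=None):
    """Return the issues whose severity AND type are allowed by the filters.

    None or [] on either axis means no filtering on that axis ("All").
    Unknown filter values are rejected rather than silently matching nothing.
    """
    for name, allowed, values in (("severityFilter", SEVERITIES, severity_filter),
                                  ("typeFilter", TYPES, type_filter)):
        unknown = set(values or ()) - set(allowed)
        if unknown:
            raise ValueError(f"{name}: unknown value(s) {sorted(unknown)}")
    sev = set(severity_filter) if severity_filter else set(SEVERITIES)
    typ = set(type_filter) if type_filter else set(TYPES)
    return [i for i in issues if i["severity"] in sev and i["type"] in typ]


def summarize(issues):
    """Count issues per severity in the order the response format prints them."""
    counts = Counter(i["severity"] for i in issues)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def vulnerabilities_dropped_by(severity_filter, issues=SAMPLE_ISSUES):
    """Keys of VULNERABILITY issues a severity-only filter would hide.

    This is the reason a security review filters on typeFilter rather than
    on severity: a MINOR vulnerability is still a vulnerability.
    """
    kept = {i["key"] for i in apply_filters(issues, severity_filter=severity_filter)}
    return [i["key"] for i in issues
            if i["type"] == "VULNERABILITY" and i["key"] not in kept]


if __name__ == "__main__":
    print(summarize(SAMPLE_ISSUES))
    # The "critical and blocker bugs" request from the Filtered Scan section:
    print([i["key"] for i in apply_filters(SAMPLE_ISSUES, ["BLOCKER", "CRITICAL"], ["BUG"])])
    # Example 3, security-focused: type only, every severity.
    print([i["key"] for i in apply_filters(SAMPLE_ISSUES, type_filter=["VULNERABILITY"])])
    print(vulnerabilities_dropped_by(["BLOCKER", "CRITICAL"]))
```

Run as a script it shows that the BLOCKER/CRITICAL + BUG request returns only the two bugs (the BLOCKER SQL injection is excluded because it is a VULNERABILITY), and that a BLOCKER/CRITICAL severity filter on its own would hide the MINOR CORS vulnerability.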
Best Practices
- First scan: Always use autoSetup: true
- Subsequent scans: Always use autoSetup: false with projectPath
- CI/CD: Use filtered scans for specific checks
- Performance: Filter by severity for faster reviews; the filters trim the returned issue list, the analysis itself still runs in full
- Security reviews: Filter with typeFilter: ["VULNERABILITY"] rather than by severity; severity and type are independent, so a MINOR vulnerability is dropped by a BLOCKER/CRITICAL severity filter
Common Issues
"Project not configured"
Cause: Using autoSetup: false on a project that hasn't been set up.
Solution: Run with autoSetup: true first.
"Authentication failed"
Cause: Invalid, revoked or expired token, or a token without the permissions the operation needs (autoSetup: true creates a project and generates a token, which a project-scoped analysis token cannot do).
Solution: Check the SONAR_TOKEN environment variable. The token is a credential: keep any file that holds it (bobthefixer.env, for example) out of version control, and revoke it from the SonarQube user's security settings if it has leaked.
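As an added triage script (not part of Bob the Fixer) for this failure: it classifies the token by the prefixes SonarQube has used since 9.x (squ_ user, sqp_ project analysis, sqa_ global analysis; older servers issued unprefixed 40-character hex tokens), warns when a project analysis token is paired with autoSetup: true, and checks the token against SonarQube's own /api/authentication/validate endpoint, which answers {"valid":true} for a token that authenticates. The SONAR_HOST_URL variable name and the AUTOSETUP variable are assumptions of this script.

```sh
#!/bin/sh
# Added example, not part of Bob the Fixer. Assumes SONAR_HOST_URL and
# SONAR_TOKEN hold the server URL and token; AUTOSETUP mirrors the
# autoSetup parameter of the scan you are about to run.

# Classify a SonarQube token by prefix (SonarQube 9.x and later formats).
sonar_token_kind() {
  case "$1" in
    squ_*) echo user ;;
    sqp_*) echo project-analysis ;;
    sqa_*) echo global-analysis ;;
    "")    echo missing ;;
    *)     if [ "${#1}" -eq 40 ]; then echo legacy; else echo unknown; fi ;;
  esac
}

# Advise whether this token can do what the scan needs. First-time setup
# (autoSetup: true) creates a project and generates a token; a project
# analysis token is scoped to one existing project and cannot do either.
sonar_token_advice() {
  kind=$(sonar_token_kind "$1"); autosetup="$2"
  case "$kind:$autosetup" in
    missing:*)             echo "SONAR_TOKEN is not set" ;;
    project-analysis:true) echo "project analysis token cannot create projects; use a user token for autoSetup: true" ;;
    unknown:*)             echo "value does not look like a SonarQube token; check for quoting or stray whitespace" ;;
    *)                     echo "ok" ;;
  esac
}

# Return 0 when the server accepts the token, 1 otherwise. SonarQube takes
# the token as the Basic-auth username with an empty password; -f turns a
# 401 into a non-zero exit and an empty body, which grep then rejects.
sonar_check_auth() {
  host="${1:-$SONAR_HOST_URL}"; token="${2:-$SONAR_TOKEN}"
  curl -sS -f -u "${token}:" "${host%/}/api/authentication/validate" 2>/dev/null \
    | grep -q '"valid":true'
}

if [ -n "$SONAR_TOKEN" ]; then
  sonar_token_advice "$SONAR_TOKEN" "${AUTOSETUP:-false}"
  if sonar_check_auth; then
    echo "token accepted by ${SONAR_HOST_URL}"
  else
    echo "token rejected (this is the 'Authentication failed' case)"
  fi
fi
```

If the advice line is "ok" and the server still rejects the token, the token itself is the problem (revoked, expired, or issued by a different SonarQube instance than SONAR_HOST_URL points at); generate a new one and update SONAR_TOKEN rather than retrying the scan.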
"Source files not found"
Cause: Incorrect source directory configuration.
Solution: Use sonar_generate_config to create proper configuration.
Related Tools
- sonar_auto_setup - Setup-only (no scan)
- sonar_get_issue_details - Get issue details
- sonar_project_discovery - Analyze project structure