How to integrate SonarQube into a Node.js project

In this post I will show you the steps to integrate SonarQube into a Node.js project.

SonarQube is an open source platform for static code analysis that discovers potential vulnerabilities, bugs and code smells.

We will use Docker to run the SonarQube server, so install Docker and make sure it is up and running on your machine.

Assuming Docker is up and running, spin up the SonarQube server by running the command below from your terminal. It pulls the image from Docker Hub to the host and starts the SonarQube server inside a container listening on the given ports. Make sure ports 9000 and 9002 are free on the host; if they are not, map different host ports.

To verify that the container started without errors, run the commands below. If the container exits shortly after starting, check its logs first: on Linux hosts the embedded Elasticsearch requires vm.max_map_count to be at least 262144, and SonarQube will not start until that kernel setting is raised.

Now you can open the web UI at http://localhost:9000. The default login is admin/admin; change that password immediately, and for the scanner generate a user token (My Account > Security) rather than reusing the admin password.


Now that SonarQube is set up, let's install and configure the SonarQube scanner to run against the codebase. We will use the npm module sonarqube-scanner; install it with the npm command below.

Create a sonar-project.js file in the root of your project with the following code:

By default, when scanning a project that has an npm package.json file, the scanner uses the package name and version it finds there as the project name and version.

In your package.json, add an entry under the "scripts" section that runs the scanner:

You can now run the scanner:

The first scan takes a few minutes to complete. At the end of the run, the scanner prints the URL of the project's results in the SonarQube UI.

I hope you liked this post. Feel free to comment below with your suggestions or any problems you run into; we are here to help.

sujesh shivan, 6 months ago:

When I check SonarQube implemented locally and test it, it never detects SQL injection. I have a query like this:
var queryStatement = "SELECT * FROM car WHERE ModifiedDate_UTC>='" + date + "' limit " + limit + ',' + offset;
Is there any setting to detect this? Please help.