sonar-project.properties Reference¶
Per-language templates and a complete field reference for configuring the SonarQube scanner in a CWIQ service.
Every project that runs the sonarqube-scan CI job needs a sonar-project.properties file in its root directory. The scanner reads this file to locate source code, tests, and pre-generated analysis reports.
Python Project Template¶
Use this template for all FastAPI services, workers, and CLI projects:
sonar.projectKey=orchestrator-server
sonar.projectName=Orchestrator Server
sonar.sources=src
sonar.exclusions=alembic/**,tests/**
sonar.python.coverage.reportPaths=coverage.xml
sonar.sarifReportPaths=semgrep-results.sarif,trivy-fs-results.sarif
sonar.qualitygate.wait=true
Replace orchestrator-server and Orchestrator Server with your project's key and name. The sonar.projectKey must be unique across all SonarQube projects and follows the convention orchestrator-{project-name}.
Node.js Project Template¶
Use this template for the React frontend (orchestrator-ui):
sonar.projectKey=orchestrator-ui
sonar.projectName=Orchestrator UI
sonar.sources=src
sonar.exclusions=e2e/**,node_modules/**,dist/**,build/**,coverage/**
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.sarifReportPaths=semgrep-results.sarif,trivy-fs-results.sarif
sonar.qualitygate.wait=true
Field Reference¶
| Field | Required | Description |
|---|---|---|
sonar.projectKey |
Yes | Unique project identifier across all SonarQube projects. Convention: orchestrator-{project} (e.g., orchestrator-server, orchestrator-ui). |
sonar.projectName |
Yes | Human-readable display name shown in the SonarQube dashboard (e.g., Orchestrator Server). |
sonar.sources |
Yes | Directory containing the source code to analyse. Typically src. Do not include test directories here. |
sonar.exclusions |
Recommended | Comma-separated glob patterns for files and directories to skip entirely. Reduces noise from generated code, migrations, and test utilities. |
sonar.python.coverage.reportPaths |
Python only | Path to the Cobertura XML coverage report produced by pytest --cov. Typically coverage.xml. |
sonar.javascript.lcov.reportPaths |
Node.js only | Path to the LCOV coverage report produced by Vitest or Jest. Typically coverage/lcov.info. |
sonar.sarifReportPaths |
Yes | Comma-separated list of SARIF files to import. Always include both semgrep-results.sarif and trivy-fs-results.sarif. |
sonar.qualitygate.wait |
Recommended | When set to true, the CI job waits for SonarQube to finish computing the quality gate result before exiting. This ensures the gate status is visible in the pipeline. |
Exclusion Patterns¶
Keeping sonar.exclusions accurate prevents false positives and keeps issue counts meaningful. Common patterns by project type:
Python services:
Workers (no migrations):
Node.js frontend:
Keep exclusions up to date
When you add new generated directories (build output, compiled assets, scaffolded code), add them to sonar.exclusions. Analysing generated files inflates bug and code smell counts and makes it harder to track real issues.
SARIF Import¶
The sonar.sarifReportPaths field accepts multiple SARIF files as a comma-separated list with no spaces around the commas:
Both files must exist in the scanner's working directory when the job runs. They are produced by the semgrep and trivy-fs-scan jobs respectively, and made available via needs: artifacts: true in the sonarqube-scan job definition. See Setup & Configuration for the correct job wiring.
Related Documentation¶
- Setup & Configuration — How to wire the scan job in your pipeline
- Quality Gates — What happens after analysis completes
- Semgrep SAST — Source of
semgrep-results.sarif - Trivy — Source of
trivy-fs-results.sarif