Installing CodeScan Self-Hosted
CodeScan Self-Hosted Installation
What's New:
CodeScan Self-Hosted now has two versions available to meet your operating system needs:
CodeScan version 25.1.0 Eagle Edition v3.0 (now compatible with SonarQubeâ„¢ versions 10.1 to 2025.1 LTA) is the latest CodeScan release. We strongly recommend all CodeScan users upgrade to this iteration.
CodeScan version 25.0.1 Tiger Edition v3.0 (now compatible with SonarQubeâ„¢ version 9.9 LTA and 10.0 to 10.3) is a newer version of the CodeScan release for users running older versions of SonarQubeâ„¢.
SonarQube Compatibility Matrix
CodeScan Downloads & Compatibility Chart
Overview
This section describes installing the CodeScan self-hosted server, allowing you to experience a fully functional evaluation version of enterprise CodeScan on your server.
Prerequisites
Step 1: Request a CodeScan License Key
AutoRABIT Access/License Key: Before downloading the necessary files, email AutoRABIT’s support team at [email protected] to request a CodeScan License Key.
Provide the following information in the email: • Client Name (first and last – typically the admin) • Client Company • Email • Duration of License (e.g., varies, 30 days)
Step 2: Download and Install SonarQubeâ„¢ & CodeScan Zip Files
SonarQubeâ„¢ Download
You must have a SonarQubeâ„¢ server currently running in your environment. If not, please visit SonarQube.org to download the latest Community version.
The following matrix identifies the current versions of SonarQubeâ„¢ supported for CodeScan Self-Hosted clients:
SonarQubeâ„¢ Compatibility Matrix
Check your SonarQube compatibility in the matrices below based on your CodeScan version.
At SonarSource.com, find the latest compatible version with the CodeScan version you are using.
CodeScan Downloads & Compatibility Chart
CodeScan Zip File Download
Find the latest compatible CodeScan version and download it from the chart below. Release notes are also provided for your convenience.
You will need to enter your
License Key
(to be provided by our Support Team) or aSubscription Code.
For more information on Subscription Codes, click here.Accept our Terms of Service and click on the
Request Download
button.Extract the ZIP file. It contains the SonarQubeâ„¢ plugin and an ant-based tool enabling you to run an analysis.
Plugin Installation
Step 1: Download CodeScan file
Delete any existing Salesforce plugins from your installation.
Ensure your SonarJS plugin is compatible with the current CodeScan for Lightning version. Currently the supported release requires version 6.2+ of the SonarJS plugin. Click here to see alternatives.
Step 2: CodeScan JAR file
Copy CodeScan downloads JAR files,
sonar-salesforce-plugin-XXX.jar
andsonar-codescanlang-plugin-XXX.jar
into your SonarQubeâ„¢ installation at /extensions/plugins/.Place JAR files into your SonarQubeâ„¢ file installation at /extensions/plugins/.
Keep the SonarQubeâ„¢ file open for the next steps.
Step 3: Start Web Server
Lastly, you need to RUNsonar to execute the script to start the server. In your SonarQube™ installation file, open, '/bin' folder, choose server type, and select ‘StartSonar’. Once rendering is finished, the plugin installation is complete.
Standard SonarQubeâ„¢ Setup
Step 1: Log in to the SonarQubeâ„¢ self-hosted instance at http://localhost:9000/. The default System Admin credentials are admin/admin:

Step 2. Once you've gained access, go to Administrator > Configuration > General Settings
.
Select the CodeScan tab.
Enter your CodeScan License Key in the designated field.

Click Save.
You have successfully completed the CodeScan self-hosted integration. See the instructions below on how to integrate this to ARM.
CodeScan Self-Hosted + ARM Integration
Overview
This guide will show you how to integrate the CodeScan self-hosted instance with ARM.
CodeScan Self-Hosted ARM Integration
Step 1: Generate a SonarQubeâ„¢ Token
Log in to your SonarQubeâ„¢ instance.
Go to User > My Account > Security. Your existing tokens are listed here, each with a Revoke button.
The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the token value. Be sure to copy it immediately; once you dismiss the notification, you will not be able to retrieve it.
This token is used when storing your credentials, such as your username and password, with AutoRABIT.
Step 2: Store Your SonarQubeâ„¢ Credentials in ARM
This initial step is when your SonarQubeâ„¢ credentials, such as your username and password, are stored in AutoRABIT.
Log in to your AutoRABIT account.
Hover your mouse over the Admin module and click on the Credentials tab.
Next, click on Create Credential from the right navigation bar.
On the next pop-up screen, enter the Credential Name.
Choose the Credential Type as Username with Password.
Choose your Credential Scope: Global: Credentials accessible within the team. Private: Credentials for private use.
Enter your SonarQubeâ„¢ account username. For password, use the copied token mentioned in Step 1.
Verify you are using your SonarQubeâ„¢ username instead of the email address you use to log in to SonarQubeâ„¢.

Click Save.

Setting up Your Quality Profiles
In the SonarQubeâ„¢ self-hosted instance, click on the
Quality Profiles
menu.Make sure you have selected the
Salesforce Lightning profile
as the default for both the JavaScript and Visualforce and Lightning languages. This can be done with the settings cog to the right of the profile name.
Running a Scan
There are a few ways to run your scan. The first is using our SFDX plugin (this requires that the Salesforce CLI and the SFDX CodeScan Plugin be installed).
Generate a token from the
My Account > Security
menu in SonarQubeâ„¢.Open the command prompt and navigate to:
/runner/my-project
Run the following command:
sfdx codescan:run --token <token> --projectkey my-project-key --organization default-organization --server https://your.server.url
The Organization Key above will work for the Community edition of SonarQubeâ„¢ but may need to be edited depending on your setup using a paid edition.
You can also use Ant (this requires Ant version 1.9+).
Running SFDX plugin behind a proxy
To run the SFDX plugin behind a proxy, you will need to pass all the related information in the parameters of the analysis command.
Example:
sfdx codescan:run --server {instanceurl} --token {TKN} --projectkey {PRJ} --organization {ORG} -J-Dhttp.proxyHost=## -J-Dhttp.proxyPort=## -J-Dhttp.proxyUser=## -J-Dhttp.proxyPassword=## -J-Dhttps.proxyHost=## -J-Dhttps.proxyPort=## -J-Dhttps.proxyUser=## -J-Dhttps.proxyPassword=##
where,
instanceurl
Enter your CodeScan instance url example- https://app.codescan.io for US region https://app-eu.codescan.io for EU region https://app-aus.codescan.io for AUS region.
TKN
Enter your CodeScan security token (For more information on how to generate a security token, see Security Token)
PRJ
Enter your CodeScan project key (to find your project key, refer to this article: Project Key)
ORG
Enter your CodeScan organization (for more information, see Create a new CodeScan Organization)
SonarQubeâ„¢ ant plugin
For more instructions on setting up the SonarQubeâ„¢ ant plugin, see https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-ant/. You should verify that the ant script's steps are appropriate for your requirements.
Create a copy of the
sonar-project-template
folder in the runner directory of this folder and put it in the same project. Callit /runner/my-project
. Add the following to thesonar-project.properties
file in themy-project
folder.Set sonar.login= to a token available from the
My Account > Security menu
in SonarQubeâ„¢.Set sonar.projectKey=myproject
Set sonar.projectName=My Project
Set salesforce.username, salesforce.password and salesforce.url to your Salesforce username/password. Your Salesforce token must also be appended to the end of your salesforce.password parameter. For example:
salesforce.password=passwordtoken
.Setting your Salesforce username, password, and URL is unnecessary if you want to analyze static content. Please use a system administrator user profile for this otherwise you may experience strange errors when downloading the code or executing tests.
Open a command prompt and navigate into
/runner/my-project
Run the following command:
ant -f ../antbuild.xml analyse
Proxies
If your network has a proxy, you must pass some more parameters to avoid license errors.
A guide for this is available HERE.
Having trouble?
Read the tutorials
Check the troubleshooting section
Contact [email protected].
Last updated
Was this helpful?