Installing CodeScan Self-Hosted
  • 28 Jun 2022
  • 3 Minutes to read
  • Contributors
  • Dark

Installing CodeScan Self-Hosted

  • Dark

This guide will get a fully functional evaluation version of the enterprise CodeScan running on your own server.



This setup document presumes you have a SonarQube™ server currently running in your environment. If you do not, please visit to get set up.

  • SonarQube™ 8.9+
  • Java 11
  • Windows / Mac / Linux
  • NodeJS


  1. Download the latest compatible version from here.

Keep in mind that you need to download a version that is compatible with your SonarJS plugin version.

  1. When downloading you will need to provide your License Key or Subscription Code and accept our Terms of Service.

  2. Extract the zip file. It contains the SonarQube™ plugins and an ant based tool to run an analysis with.

Plugin installation

  1. Delete any existing Salesforce plugins from your installation.

  2. Ensure your SonarJS plugin is compatible with the current CodeScan for Lightning version. Currently the supported release requires v 6.2+ of the SonarJS plugin. See here for alternatives.

  3. Copy sonar-salesforce-plugin-XXX.jar and sonar-codescanlang-plugin-XXX.jar into your SonarQube™ installation at /extensions/plugins/

Standard setup:

  1. When you receive your license, enter it by logging into SonarQube™ with the credentials User: admin, Password: admin and, go to Administrator at the top right.

  2. Click on General Settings on the right side.

  3. Click on CodeScan on the list of Categories.

  4. Enter your license in the text box labelled ‘CodeScan license’ (key is "sf.license.secured")

  5. Click save.

Setting up your Quality Profiles

  1. Click on the Quality Profiles menu.
  2. Make sure you have selected the Salesforce Lightning profile as the default for both the Javascript and Visualforce & Lightning languages. This can be done with the settings cog to the right of the profile name.

Running a scan

There are few ways to run your scan. The first is using our SFDX plugin (this requires the Salesforce CLI and the SFDX CodeScan Plugin to be installed).


This will not work behind a proxy currently.

  1. Generate a token from the My Account>Security menu in SonarQube™.

  2. Open a command prompt and navigate into:

  1. Run the following command:
sfdx codescan:run --token <token> --projectkey my-project-key --organization default-organization --server https://your.server.url

The organization key above will work for the Community edition of SonarQube™ but may need to be edited depending on your setup if using a paid edition.

You can also use Ant (this requires Ant version 1.9+).


You will need to edit if your SonarQube™ installation is different than usual or if you have a proxy. You can also edit /runner/antbuild.xml if you want to customize your workflows.

SonarQube™ ant plugin

For more instructions on how to setup the SonarQube™ ant plugin, see you should check the steps that the ant script takes are appropriate for your requirements.

  1. Create a copy of the sonar-project-template folder in the runner directory of this folder and put it in the same project. Let’s call it /runner/my-project. Add the following to the file in the my-project folder.
  2. Set sonar.login= to a token available from the My Account>Security menu in SonarQube™.
  3. Set sonar.projectKey=myproject
  4. Set sonar.projectName=My Project
  5. Set salesforce.username, salesforce.password and salesforce.url to your Salesforce username/password. Your Salesforce token also has to appended to the end of your salesforce.password parameter.
    For example: salesforce.password=passwordtoken.
    Setting your Salesforce username, password and url is not necessary if you want to analyse static content. Please use a system administrator user profile for this otherwise you may experience strange errors when downloading the code or executing tests.
  • Open a command prompt and navigate into /runner/my-project
  • Run the following command:
ant -f ../antbuild.xml analyse

If the Anyone group is not granted Execute Analysis permission or if the SonarQube™ instance is secured (the sonar.forceAuthentication property is set to true), the credentials of a user having been granted Execute Analysis permission have to be provided through the sonar.login and sonar.password properties.


  • If your network has a proxy, you will need to pass some more parameters to avoid license errors.

  • A guide for this is available here.

Having trouble?

  • Read the tutorials
  • Check the troubleshooting section
  • Contact support

Was this article helpful?