Run analysis locally using SFDX

This article will guide you through how to run the code analysis manually using our CodeScan Plugin and Salesforce CLI.

Prerequisites

To run the code analysis manually using our CodeScan Plugin and Salesforce CLI, first make sure you have:

Salesforce CLI installed. Click to download the Salesforce CLI and its dependencies.
Java 17
NodeJS 18

To install the CodeScan SFDX plugin, follow these steps:
- Use sfdx plugins:install sfdx-codescan-plugin.
- You'll be prompted that Salesforce does not sign this plugin; type Y to continue.
- Check the installation using sfdx plugins.
You're ready to run a scan once the installation is completed. To run this scan, follow these steps:
- Open Bash CLI like Git Bash, etc.
- Now, go to the folder with the project sources you want to run a scan on and enter the command as shown below:
  sfdx codescan:run --token <token> --projectkey <project key>> --organization <organization key>

Note: To find your Project Key and the Organization Key, click on the respective links below:

Project keys differ from project to project as the organization and project keys are unique.

- Add --server <Server Name>
- Replace Project key
- Replace Organization key
- Replace Token
- Replace your server name (if applicable).
  sfdx codescan:run --token <token> --project key <project key>> --organization <organization key> --server <Server Name>

To view a list of parameters and flags which you can use, run the following command: sfdx help codescan:run

USAGE:

$ sfdx codescan:run [name=value...] [-s <string>] [-o <string>] [-k <string>] [-t <string>] [-u <string>] [-p
  <string>] [--noqualitygate] [--javahome <string>] [--nofail] [--qgtimeout <integer>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
-k, --projectkey=projectkey        sonar.projectKey - the project key
                                   to create.
                                   
-o, --organization=organization    CodeScan Organization Id. Only
                                   required when connecting to CodeScan Cloud

-p, --password=password            SonarQube password (token is preferred)

-s, --server=server                SonarQube server. Defaults to CodeScan Cloud
                                   (https://app.codescan.io)

-t, --token=token                  SonarQube token (preferred)

-u, --username=username            SonarQube username (token is preferred)

--javahome=javahome                JAVA_HOME to use

--json                             format output as json

--loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL) 
                                   [default: warn] logging level for this
                                   command invocation
                                     
--nofail                           Don't fail if sonar-scanner fails

--noqualitygate                    Don't wait until the SonarQube background
                                   task is finished and return the build
                                   Quality Gate

--qgtimeout=qgtimeout              Timeout in seconds to wait for
                                   Quality Gate to complete (default 300)

PreviousCodeScan SFDX Plugin NextImporting Code Coverage from SFDX projects

Last updated 7 months ago

Was this helpful?

Prerequisites

To run the code analysis manually using our CodeScan Plugin and Salesforce CLI, first make sure you have:

Salesforce CLI installed. Click to download the Salesforce CLI and its dependencies.

Java 17

NodeJS 18

To install the CodeScan SFDX plugin, follow these steps:

Use sfdx plugins:install sfdx-codescan-plugin.
You'll be prompted that Salesforce does not sign this plugin; type Y to continue.
Check the installation using sfdx plugins.

You're ready to run a scan once the installation is completed. To run this scan, follow these steps:

Open Bash CLI like Git Bash, etc.
Now, go to the folder with the project sources you want to run a scan on and enter the command as shown below:
```
sfdx codescan:run --token <token> --projectkey <project key>> --organization <organization key>
```

Note: To find your Project Key and the Organization Key, click on the respective links below:

Project keys differ from project to project as the organization and project keys are unique.

This will start the analysis directly on the .

To learn how to generate a Security Token, click .

If you want to run the analysis in , , or , then make the following changes in the command:

Add --server <Server Name>
Replace Project key
Replace Organization key
Replace Token

Replace your server name (if applicable).

sfdx codescan:run --token <token> --project key <project key>> --organization <organization key> --server <Server Name>

To view a list of parameters and flags which you can use, run the following command: sfdx help codescan:run

USAGE:

$ sfdx codescan:run [name=value...] [-s <string>] [-o <string>] [-k <string>] [-t <string>] [-u <string>] [-p
  <string>] [--noqualitygate] [--javahome <string>] [--nofail] [--qgtimeout <integer>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
-k, --projectkey=projectkey        sonar.projectKey - the project key
                                   to create.
                                   
-o, --organization=organization    CodeScan Organization Id. Only
                                   required when connecting to CodeScan Cloud

-p, --password=password            SonarQube password (token is preferred)

-s, --server=server                SonarQube server. Defaults to CodeScan Cloud
                                   (https://app.codescan.io)

-t, --token=token                  SonarQube token (preferred)

-u, --username=username            SonarQube username (token is preferred)

--javahome=javahome                JAVA_HOME to use

--json                             format output as json

--loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL) 
                                   [default: warn] logging level for this
                                   command invocation
                                     
--nofail                           Don't fail if sonar-scanner fails

--noqualitygate                    Don't wait until the SonarQube background
                                   task is finished and return the build
                                   Quality Gate

--qgtimeout=qgtimeout              Timeout in seconds to wait for
                                   Quality Gate to complete (default 300)