# Installing CodeScan Self-Hosted
## CodeScan Self-Hosted Installation
**What's New:**
CodeScan Self-Hosted now has multiple versions available to meet your operating system needs:
**CodeScan version 25.1.3 Eagle Edition v6.0** (now compatible with ***SonarQube™ Community Build versions 10.6 to 25.10)*** is the latest CodeScan release. We strongly recommend all CodeScan users upgrade to this iteration.
**CodeScan version 25.1.2 Eagle Edition v.5.0** (now compatible with ***SonarQube™ versions 10.6 to 25.4).***
For customers running on older versions of SonarQube, we still have you covered!
**CodeScan version 25.0.1 Tiger Edition v3.0** (compatible with ***SonarQube™ version 9.9 LTA and 10.0 to 10.3)*** is a newer version of the CodeScan release for users running older versions of SonarQube™.
[**Legacy SonarQube Compatibility Matrix**](#sonarqube-tm-download-1)
[**CodeScan Downloads & Compatibility Chart**](https://knowledgebase.autorabit.com/product-guides/codescan/system-requirements-and-installation/installing-codescan-self-hosted#codescan-downloads-and-compatibility-chart)
[**Release Notes**](https://knowledgebase.autorabit.com/overview/release-notes/codescan-release-notes/on-premise-releases)
***
### Overview
This section describes installing the CodeScan self-hosted server, allowing you to experience a *fully functional evaluation version* of enterprise CodeScan on your server.
### Prerequisites
#### Step 1: Request a CodeScan License Key
{% hint style="info" %}
**Note:** If you already have a **License Key** or **Subscription Code**, proceed to step 2.
{% endhint %}
**AutoRABIT Access/License Key:** Before downloading the necessary files, email AutoRABIT’s support team at to request a **CodeScan License Key.**
Provide the following information in the email:\
• Client Name (first and last – typically the admin)\
• Client Company\
• Email\
• Duration of License (e.g., varies, 30 days)
#### Step 2: Download and Install SonarQube™ & CodeScan Zip Files
#### SonarQube™ Download
You must have a SonarQube™ server currently running in your environment. If not, please visit [SonarQube.org](https://www.sonarqube.org/) to download the latest Community version.
The following matrix identifies the historic versions of SonarQube™ supported for CodeScan Self-Hosted clients:
## Legacy SonarQube™ Compatibility Matrix
Check your SonarQube compatibility in the matrices below based on your CodeScan version.
CodeScan Eagle + SonarQube Compatibility Matrix
CodeScan Self-Hosted Plug-In
SQ 10.1
SQ 10.2
SQ 10.3
SQ 10.4
SQ 10.5
SQ 10.6
SQ 10.7
SQ 10.8
SQ 2025.1 LTA
SQ 2025.2
SQ 2025.3
SQ2025.4
25.1.2 Eagle 5.0 (Oct 2025)
⮾
⮾
⮾
⮾
⮾
✓
✓
✓
✓
✓
✓
✓
25.1.1 Eagle 4.0 (July 2025)
⮾
⮾
⮾
⮾
⮾
✓
✓
✓
✓
✓
✓
⮾
25.1.0 Eagle v3.0 (Feb 2025)
✓
✓
✓
✓
✓
✓
✓
✓
✓
⮾
⮾
⮾
24.1.1 Eagle v2.0 (Nov 2024)
✓
✓
✓
✓
✓
✓
✓
⮾
⮾
⮾
⮾
⮾
24.1.0 Eagle (Aug 2024)
✓
✓
✓
✓
✓
✓
⮾
⮾
⮾
⮾
⮾
⮾
CodeScan Tiger + SonarQube Compatibility Matrix
CodeScan Self-Hosted Plug-In
SQ 9.9 LTA
SQ 10.0
SQ 10.1
SQ 10.2
SQ 10.3
25.0.1 Tiger v3.0 (Feb 2025)
✓
✓
✓
✓
✓
24.0.13 Tiger v2.0 (Nov 2024)
✓
✓
✓
✓
✓
24.0.9 Tiger (Sept 2024)
✓
✓
✓
✓
✓
NOTE: All Tiger editions are compatible with SonarQube 9.9 LTA and 10.1-10.3. SonarQube versions 10.4 and above are not supported with the Tiger editions, only the Eagle edition.
CodeScan Prior Versions + SonarQube Compatibility Matrix
CodeScan Self-Hosted Plug-In
SQ 9.9 LTA
SQ 10.0
SQ 10.1
SQ 10.2
24.0.8 (July 2024)
✓
✓
✓
✓
24.0.5 (June 2024)
✓
✓
✓
✓
24.0.4 (April 2024)
✓
✓
✓
✓
24.0.1 (Jan 2024)
✓
✓
✓
✓
23.1.3 (Sept 2023)
✓
✓
⮾
⮾
NOTE: All CodeScan versions 24.0.8 and prior are compatible with the SonarQube versions shown in the matrix above. For SonarQube versions 10.3 and higher, which are not supported by prior versions of CodeScan, upgrading to the Eagle or Tiger editions of CodeScan is necessary.
At [SonarSource.com](https://www.sonarsource.com/), find the latest compatible version with the CodeScan version you are using.
{% hint style="info" %}
**Note:** This [link](https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.6.92038.zip?_gl=1*fhgchu*_gcl_au*MjA5Mjk3NjYzNi4xNzIyMjY5Nzg1*_ga*NjMyNjYxNTE5LjE3MjIyNjk3ODQ.*_ga_9JZ0GZ5TC6*MTcyMjI2OTc4My4xLjEuMTcyMjI3MDE3OS4xNC4wLjA.) will take you to the **SonarQube™ 9.9 LTA** download.
{% endhint %}
## CodeScan Downloads & Compatibility Chart
### CodeScan Zip File Download
1. Find the latest compatible CodeScan version and download it from the chart below. Release notes are also provided for your convenience.
CodeScan Eagle Download + Compatibility Chart
{% hint style="info" %}
NOTE: As part of our commitment to providing the best possible products and services, we periodically discontinue support for older software versions. All **CodeScan self-hosted versions below 23.1.1** will reach their **End of Life (EOL)** on **December 31, 2024**.
{% endhint %}
{% hint style="info" %}
**Note:** Keep in mind you need to download a version compatible with your **SonarJS plugin** version. Refer to the [requirement](https://knowledgebase.autorabit.com/codescan/docs/codescan-self-hosted) section for more information.
{% endhint %}
2. You will need to enter your **`License Key`** (to be provided by our Support Team) or a **`Subscription Code.`** For more information on Subscription Codes, click [here](https://knowledgebase.autorabit.com/codescan/docs/what-is-a-subscription-code).\
3. Accept our [Terms of Service](https://www.codescan.io/tos/self-hosted/) and click on the **`Request Download`** button.
4. Extract the ZIP file. It contains the **SonarQube™** plugin and an **ant-based tool** enabling you to run an analysis.
### Plugin Installation
#### Step 1: Download CodeScan file
1. Delete any existing Salesforce plugins from your installation.
2. Ensure your **SonarJS plugin** is compatible with the current CodeScan for Lightning version. Currently the supported release requires **version 6.2+** of the **SonarJS plugin**. Click [here](https://www.codescan.io/products/cloud/#self-hosted) to see alternatives.
#### Step 2: CodeScan JAR file
3. Copy CodeScan downloads JAR files, **`sonar-salesforce-plugin-XXX.jar`** and **`sonar-codescanlang-plugin-XXX.jar`** into your SonarQube™ installation at **/extensions/plugins/**.
4. Place JAR files into your **SonarQube™** file installation at **/extensions/plugins/**.
5. Keep the **SonarQube™** file open for the next steps.
#### Step 3: Start Web Server
6. Lastly, you need to **RUNsonar** to execute the script to **start the server**. In your **SonarQube™ installation file, open, '/bin' folder**, choose **server type**, and **select ‘StartSonar’**. Once rendering is finished, the plugin installation is complete.
### Standard SonarQube™ Setup
**Step 1: Log in to the SonarQube™ self-hosted instance at** [**http://localhost:9000/**](https://localhost:9000/).\
The default System Admin credentials are ***admin/admin***:
**Step 2. Once you've gained access, go to** **`Administrator > Configuration > General Settings`**.
1. Select the **CodeScan tab**.
2. Enter your **CodeScan License Key** in the designated field.
3. Click **Save**.
4. You have successfully completed the **CodeScan self-hosted integration**. See the instructions below on how to integrate this to ARM.
## CodeScan Self-Hosted + ARM Integration
### Overview
This guide will show you how to integrate the CodeScan self-hosted instance with ARM.
### CodeScan Self-Hosted ARM Integration
**Step 1: Generate a SonarQube™ Token**
1. Log in to your SonarQube™ instance.
2. Go to **User > My Account > Security**. Your existing tokens are listed here, each with a **Revoke** button.
3. The form at the bottom of the page allows you to generate new tokens. Once you click the **Generate** button, you will see the token value. **Be sure to copy it immediately; once you dismiss the notification, you will not be able to retrieve it.**
4. This token is used when storing your credentials, such as your username and password, with AutoRABIT.
**Step 2: Store Your SonarQube™ Credentials in ARM**
This initial step is when your **SonarQube™ credentials**, such as your **username** and **password**, are stored in **AutoRABIT.**
1. Log in to your **AutoRABIT account.**
2. Hover your mouse over the **Admin module** and click on the **Credentials tab**.
3. Next, click on **Create Credential** from the right navigation bar.
4. On the next pop-up screen, enter the **Credential Name**.
5. Choose the Credential Type as **Username with Password**.
6. Choose your **Credential Scope**:\
**Global**: Credentials accessible within the team.\
**Private**: Credentials for private use.
7. Enter your **SonarQube™ account username**. For password, use the **copied token** mentioned in **Step 1**.
8. Verify you are using your **SonarQube™ username** instead of the **email address** you use to log in to **SonarQube™**.
9. Click **Save**.
### Setting up Your Quality Profiles
1. In the **SonarQube™** self-hosted instance, click on the **`Quality Profiles`** menu.
2. Make sure you have selected the **`Salesforce Lightning profile`** as the default for both the JavaScript and Visualforce and Lightning languages. This can be done with the settings cog to the right of the profile name.
### Running a Scan
There are a few ways to run your scan. The first is using our **SFDX plugin** (this requires that the [Salesforce CLI](https://developer.salesforce.com/tools/sfdxcli) and the [SFDX CodeScan Plugin](https://www.npmjs.com/package/sfdx-codescan-plugin) be installed).
1. Generate a **token** from the **`My Account > Security`** menu in SonarQube™.
2. Open the command prompt and navigate to:
```
/runner/my-project
```
3. Run the following command:
The [Organization Key](https://knowledgebase.autorabit.com/codescan/docs/finding-your-organization-keys) above will work for the Community edition of SonarQube™ but may need to be edited depending on your setup using a paid edition.
You can also use **Ant** (this requires **Ant version 1.9+**).
{% hint style="info" %}
**Note:** You will need to edit **`antbuild.properties`** if your SonarQube™ installation is different than usual, or if you have a proxy. You can also edit **`/runner/antbuild.xml`** to customize your workflows.
{% endhint %}
### **Running SFDX plugin behind a proxy**
To run the SFDX plugin behind a proxy, you will need to pass all the related information in the parameters of the analysis command.
**Example:**
{% code overflow="wrap" %}
```
sfdx codescan:run --server {instanceurl} --token {TKN} --projectkey {PRJ} --organization {ORG} -J-Dhttp.proxyHost=## -J-Dhttp.proxyPort=## -J-Dhttp.proxyUser=## -J-Dhttp.proxyPassword=## -J-Dhttps.proxyHost=## -J-Dhttps.proxyPort=## -J-Dhttps.proxyUser=## -J-Dhttps.proxyPassword=##
```
{% endcode %}
where,
#### SonarQube™ ant plugin
For more instructions on setting up the **SonarQube™ ant plugin**, see . You should verify that the ant script's steps are appropriate for your requirements.
1. Create a copy of the **`sonar-project-template`** folder in the runner directory of this folder and put it in the same project. Call **`it /runner/my-project`**. Add the following to the **`sonar-project.properties`** file in the **`my-project`** folder.
2. Set **sonar.login=** to a token available from the **`My Account > Security menu`** in SonarQube™.
3. Set **sonar.projectKey=myproject**
4. Set **sonar.projectName=My Project**
5. Set **salesforce.username**, **salesforce.password** and **salesforce.url** to your Salesforce **username/password**. Your Salesforce token must also be appended to the end of your **salesforce.password** parameter.\
**For example:** `salesforce.password=passwordtoken`.
> Setting your *Salesforce username*, *password*, and *URL* is unnecessary if you want to analyze static content. Please use a system administrator user profile for this otherwise you may experience strange errors when downloading the code or executing tests.
6. Open a command prompt and navigate into ***`/runner/my-project`***
7. Run the following command:
ant -f ../antbuild.xml analyse
{% hint style="info" %}
**Note:** If the Anyone group is not granted **Execute Analysis** permission, or if the SonarQube™ instance is secured (**`sonar.forceAuthentication property`** is set to **`true`**), a user whose credentials have **`Execute Analysis`** permission has to be provided through the **`sonar.login`** and **`sonar.password properties`**.
{% endhint %}
### Proxies
* If your network has a proxy, you must pass some more parameters to avoid license errors.
* A guide for this is available [HERE](https://knowledgebase.autorabit.com/codescan/docs/setting-up-codescan-for-use-with-a-proxy).
## Having trouble?
* Read the tutorials
* Check the troubleshooting section
* Contact [Support@autorabit.com](mailto:support@autorabit.com).
