Laravel Code Analysis using SonarQube Docker Container

DevOps automation become a mainstream nowadays, there are plenty of tools available for you to build, deploying and automated testing. SonarQube is one of the tools that empower all developer to write a clean and safer code by inspecting the code base on static code analysis rule.

SonarQube currently supporting 27 most common use programming language such as Java, C#, C++, JS, Typescript, Python, Swife, Go, Cobol, PHP and more. I believe that they will keep improve their product to bring in more supporting programming language from time to time.

You may find a lot of article regarding how to install the SonarQube and scan the code, but in this post, I will share on how to run the SonarQube using the docker container using my local machine and scan it.

This is the step that I will do in this demo:

  1. Pull and run the SonarQube server using docker container
  2. Download the PHP Laravel source code using composer
  3. Pull and run the scan using Sonar Scanner CLI docker container

Installing the SonarQube server in container

First, I will pull and run the docker in the demon mode, map the port of 9000 to the SonarQube container.

docker run -d --name sonarqube \
-p 9000:9000 \

Using the docker ps to check is our SonarQube server container in the running status.

To access the SonarQube server, just browse to the http://localhost:9000 or http://[your ip]:9000 using any web browser.

To login the server, use the default username and password admin:admin

Once login to the SonarQube console, click on create new project to create the first SonarQube project, just give a project key which match your use case, for demo purpose, I just enter the demo-project as my project key.

You will be redirect to this page to get the scanner code, but for this post, I will use another container to run this scanner as I don’t wish to add the bin directory to my PATH environment variable. If you wish to run directly from your local machine, you can continue to add the variable to your machine, use the given sample scanning code to run the scan.

Download the Laravel Framework source code

Next we need to download the Laravel framework to my local machine. There are many way to download and start the PHP Laravel framework. For simplify, I just use the composer to download the code to my local machine.

composer create-project laravel/laravel

Go to the Laravel project root directory, create a text file and named it as, then copy the following code into the file.

sonar.projectName=Example of SonarQube Scanner Usage

# Path to the parent source code directory.

# Language
# We’ve commented this out, because we want to analyze both PHP and Javascript
# sonar.language=php

# Encoding of the source code

# Here, you can exclude all the directories that you don’t want to analyze.
# As an example, I’m excluding the Providers directory
sonar.exclusions=app/Providers/**, vendor/**

Now, our Laravel code is ready for the SonarQube scanning.

Start the SonarQube scanning using docker container

For the Sonar Host URL, just change to your machine IP address, remember not to use http://localhost:9000 or, this is because when the environment variable pass into the container, since the SonarQube server it’s not actually running in the same machine, so it can’t find the SonarQube server, that’s why we need to supply the host machine IP address in order for the scanner CLI to be able to communicate with the SonarQube server.

docker run \
    --rm \
    -e SONAR_HOST_URL="" \
    -v "$(pwd):/usr/src" \

Due to the log is too long, I just print screen the end of the log only. Hence, you can see the scanning is run successfully.

To view the outcome of the scanning, you need to go back to the SonarQube web console at http://localhost:9000, once you login to the console, you will see one scan completed and the status is PASSED, because this is just a default framework code and it’s should be clean and safe.

If your project already have some code inside, you may see some issue here, you may need to fix it base on the recommendation, once all is done, just simply run the scan on the code again to verify the changed.

The following print screen taken by my another project where you can see a lot of bugs and issue found by the SonarQube.

If you wish to try on more difference programming language, you can just download the SonarScan sample at, they provide difference programming language of sample script for you to test run the scan and see the outcome.

As conclusion, this is just an introduction post regarding how you can easily spin up the SonarQube server to scan your project, in production environment, you may want to automate it using your current CI/CD tools to streamline the whole process.

To get more information regarding SonarQube, you may refer to their official website at

Leave a Reply, pub-3772983857049267, DIRECT, f08c47fec0942fa0
%d bloggers like this: