Where does sonar-project.properties live?

Place it in the root of the repository you scan, next to package.json. The SonarScanner CLI reads it from the working directory automatically, so no extra flags are needed for the listed keys.

Do I need the organization key?

Only for SonarCloud, where sonar.organization is required. For a self-hosted SonarQube server you leave it blank — the project key and host URL are enough.

How does coverage import work?

SonarQube does not run your tests; it imports a coverage report your CI already produced. For JS/TS that is an LCOV file, for Python a coverage.xml, and for Java a JaCoCo XML report. The builder writes the matching property for your language.

What format do exclusions use?

Comma-separated Ant-style globs relative to the project base. For example **/node_modules/** or **/*.spec.ts. Files matching sonar.exclusions are skipped during analysis.

Can I keep secrets out of this file?

Yes. Never put the authentication token in sonar-project.properties. Pass it at scan time with the SONAR_TOKEN environment variable or the -Dsonar.login flag instead.

sonar-project.properties Builder

SonarQube project configuration in one file

SonarQube and SonarCloud read a small properties file from the root of your repository to learn what to scan. This tool generates that sonar-project.properties from a few fields: the unique project key, source and test paths, exclusion globs, and the coverage report location for your language.

How it works

The SonarScanner CLI looks for sonar-project.properties in its working directory and parses key=value lines. The required keys are sonar.projectKey plus a server connection (sonar.host.url, and sonar.organization on SonarCloud). Analysis scope comes from sonar.sources and sonar.tests, both comma-separated directory lists, while sonar.exclusions removes matching files using Ant-style globs such as **/dist/**.

SonarQube never executes your tests. Instead it imports a coverage report your CI already generated, so the property name depends on the language. JavaScript and TypeScript use sonar.javascript.lcov.reportPaths pointing at an LCOV file; Python uses sonar.python.coverage.reportPaths; Java uses sonar.coverage.jacoco.xmlReportPaths. The builder emits the correct property for the language you select.

Tips and example

Keep the authentication token out of this file — pass it as the SONAR_TOKEN environment variable when you run the scanner. A minimal SonarCloud file looks like this:

sonar.projectKey=com.example:my-app
sonar.organization=my-org
sonar.host.url=https://sonarcloud.io
sonar.sources=src
sonar.tests=test
sonar.exclusions=**/node_modules/**,**/*.spec.ts
sonar.sourceEncoding=UTF-8
sonar.javascript.lcov.reportPaths=coverage/lcov.info

Run coverage in CI before the scan so the LCOV file exists when SonarScanner imports it.

sonar-project.properties Builder

Email me this result

SonarQube project configuration in one file

How it works

Tips and example