SonarQube plugin to analyze Shell scripts with ShellCheck.
Be aware that this plugin has not been maintained for a while, and SonarQube is adding native Shell support as of SonarQube Server version 2025.6. Please consider using that native support instead.
- SonarQube 7.1+, 8.0+, 9.0+ (tested on 9.1)
- On the machine that will audit the code:
  - ShellCheck 0.4.0 minimum must be installed
  - Sonar scanner configured to point to your Sonar server

Tested on Linux.
- Download the ShellCheck plugin
- Copy the plugin JAR file into the `extensions/plugins` directory of SonarQube and restart SonarQube
- Optional: create a new quality profile to enable some rules (by default, if you do not create a custom profile, all rules are enabled):
  - Log in to SonarQube
  - Create a new quality profile for the Shell language and enable the ShellCheck rules (search with the tag "shell")
- Install ShellCheck and the Sonar scanner on a Linux machine. If needed, you can set the path to the `shellcheck` executable in the general settings of SonarQube.
- Prior to executing a code audit, you must create a file `sonar-project.properties` that will contain some details about your project (this is a requirement from the Sonar scanner):

  ```properties
  # must be unique in a given SonarQube instance
  sonar.projectKey=com.mycompany:my-scripts

  # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
  sonar.projectName=A Name
  sonar.projectVersion=1.0-SNAPSHOT

  # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
  # This property is optional if sonar.modules is set.
  sonar.sources=.

  # Encoding of the source code. Default is default system encoding
  #sonar.sourceEncoding=UTF-8
  ```

  You just have to do that once. Ideally, add this file along with your scripts in your preferred SCM.
- Run the Sonar scanner from the directory where you wrote the file `sonar-project.properties`:

  ```
  sonar-scanner
  ```
- Go to SonarQube and check the result

Subsequent scans only require the scanner step to be run again, so it can easily be integrated into a continuous integration pipeline.
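The procedure above is easy to get wrong in a pipeline (a ShellCheck older than 0.4.0, a scanner missing from `PATH`, a `sonar-project.properties` without `sonar.projectKey`), and the scanner then fails late with an unhelpful message. The following POSIX shell script is an added example, not part of this plugin: it runs those pre-flight checks and only then launches `sonar-scanner` from the project directory. The function names, the `preflight.sh` file name and the minimum-version constant are my own; it assumes `shellcheck --version` prints a `version: X.Y.Z` line, which it does.

```shell
#!/bin/sh
# Added example, not part of the ShellCheck plugin: pre-flight checks before
# running the Sonar scanner on a directory of shell scripts (e.g. as a CI step).
# Assumes `shellcheck --version` prints a "version: X.Y.Z" line and that the
# minimum supported ShellCheck version is 0.4.0, as the README states.

MIN_SHELLCHECK_VERSION="0.4.0"

# version_ge A B: succeeds when dotted version A >= B. Compares up to three
# numeric fields; a missing or non-numeric field counts as 0.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
    y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# parse_shellcheck_version "<output of shellcheck --version>": prints X.Y.Z
parse_shellcheck_version() {
  printf '%s\n' "$1" | awk '/^version:/ { print $2; exit }'
}

# check_project_properties FILE: verifies the keys the scanner needs are set
# (sonar.projectKey, plus sonar.sources unless sonar.modules is used instead).
check_project_properties() {
  f="$1"
  if [ ! -r "$f" ]; then
    echo "error: $f not found; create it next to your scripts" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*sonar\.projectKey[[:space:]]*=' "$f"; then
    echo "error: sonar.projectKey is not set in $f" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*sonar\.(sources|modules)[[:space:]]*=' "$f"; then
    echo "error: neither sonar.sources nor sonar.modules is set in $f" >&2
    return 1
  fi
  return 0
}

# run_preflight DIR: run every check against DIR and, if all pass, launch
# sonar-scanner from that directory (where sonar-project.properties lives).
run_preflight() {
  dir="${1:-.}"
  if ! command -v shellcheck >/dev/null 2>&1; then
    echo "error: shellcheck not found on PATH" >&2
    return 1
  fi
  ver=$(parse_shellcheck_version "$(shellcheck --version)")
  if ! version_ge "$ver" "$MIN_SHELLCHECK_VERSION"; then
    echo "error: ShellCheck $ver is older than the required $MIN_SHELLCHECK_VERSION" >&2
    return 1
  fi
  if ! command -v sonar-scanner >/dev/null 2>&1; then
    echo "error: sonar-scanner not found on PATH" >&2
    return 1
  fi
  check_project_properties "$dir/sonar-project.properties" || return 1
  echo "ShellCheck $ver OK; running sonar-scanner in $dir"
  (cd "$dir" && sonar-scanner)
}

# Usage: sh preflight.sh /path/to/scripts   (does nothing when no directory is given)
if [ "$#" -gt 0 ]; then
  run_preflight "$1"
fi
```

The checks are deliberately ordered cheapest first, and each failure names the exact thing to fix, so a red CI job points straight at the missing prerequisite rather than at a generic scanner error.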
Version 1.0.0 of this plugin appeared to be incompatible with the Sonar i-Code CNES plugin, which also scans Shell scripts. If you already have that plugin installed, you cannot install and use this ShellCheck plugin (you will have to decide which plugin to run). Issue #1 was filed to track this incompatibility.
This problem was fixed in version 2.0.0. If you want to run both the Sonar i-Code CNES plugin and the ShellCheck plugin, you must set the following environment variable before starting SonarQube so that only the i-Code CNES Shell language is installed:

```
export SHELLCHECK_LANGUAGE_ADD=false
```

You can also set the property `sonar.shell.addlanguage` in the file `SQ_install_dir/conf/sonar.properties`:

```
sonar.shell.addlanguage=false
```

If both are defined, the environment variable takes precedence.

For SonarQube 8.0, only the configuration property is available due to a known bug.