# Install sonar-scanner with Homebrew, apk, scoop

Launcher to analyze a project with SonarQube. Version 8.1.0.6389 via Homebrew; verified 2026-04-21.

## Install

```sh
sudo av install brew:sonar-scanner
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install sonar-scanner
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add sonar-scanner
```

  Evidence: Alpine Linux edge package indexes: sonar-scanner from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

### Windows

- Scoop (92%):

```sh
scoop install main/sonar-scanner
```

  Evidence: Scoop official bucket manifest trees: bucket/sonar-scanner.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:sonar-scanner
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/sonar-scanner>
- **Version:** 8.1.0.6389
- **Source summary:** Launcher to analyze a project with SonarQube
- **Homepage:** <https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/>
- **Repository:** <https://github.com/SonarSource/sonar-scanner-cli>
- **Upstream docs:** <https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/scanners/sonarscanner-cli>
- **License:** LGPL-3.0-or-later
- **Source archive:** <https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-8.1.0.6389.zip>
- **Last updated:** 2026-04-21T09:37:00Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- sonar-scanner (cli)
- sonar-scanner (alias)

## Dependencies

- openjdk

## Install behavior

- Post-install hook: not defined
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 8.1.0.6389
- Package-manager updated: 2026-04-21
- Local data: ok
- Upstream repository: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

SonarScanner CLI is SonarSource's command-line scanner for running SonarQube Server and SonarQube Cloud code analysis when there is no build-system-specific scanner. It is a CI/CD staple because it turns a checked-out source tree plus `sonar-project.properties` into an analysis uploaded to a Sonar service.

### Project history

The public GitHub repository is the official scanner CLI source tree, and its tags include older 2.x releases. Current SonarSource documentation presents a maintained release line from 4.x through 8.x, with the README stating that project configuration is read from `sonar-project.properties` or passed on the command line.

Notable documented release changes include the 4.3 release using the SonarScanner name in logs, the 4.4 release adding a supported Docker image, the 5.0 release embedding Java 17, the 6.0 release adding a new bootstrapping mechanism and JRE provisioning for SonarQube 10.6+ and SonarCloud, and the 8.0.1 release updating embedded JREs to Java 21.

### Adoption history

The scanner is distributed as OS-specific downloads, a Docker image, a generic JVM zip, and package-manager formulae. Homebrew analytics show tens of thousands of yearly installs, which fits its role as a common CI dependency rather than a library used inside application code.

### How it is used

Users create `sonar-project.properties` in the project root, run `sonar-scanner`, and provide server/project credentials through scanner parameters, CI secrets, or environment configuration rather than a dedicated credentials file. SonarSource warns users to prefer dedicated Maven, Gradle, or .NET scanners for those build systems.

### Why package nerds care

SonarScanner CLI matters to package maintainers because CI images and developer machines need a reproducible scanner binary with the right Java behavior. Changes such as embedded JRE updates, Docker distribution, and auto-provisioning affect whether a package works in minimal runners, corporate networks, and long-lived build pipelines.

### Timeline

- 2019: SonarScanner CLI 4.3 documents use of the SonarScanner name in logs.
- 2020: Version 4.4 adds a supported Docker image.
- 2023: Version 5.0 updates the embedded JRE to Java 17.
- 2024: Version 6.0 adds new bootstrapping and JRE provisioning.
- 2025: Version 7.3 adds z/OS support for scanner execution.
- 2025: Version 8.0.1 updates embedded JREs to Java 21.

### Related projects

- SonarQube Server and SonarQube Cloud receive the analysis results.
- Dedicated SonarScanners exist for Maven, Gradle, and .NET and are recommended for those ecosystems.
- The scanner is also distributed as the official `sonarsource/sonar-scanner-cli` Docker image.

### Sources

- <https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/sonarscanner.md>
- <https://formulae.brew.sh/api/formula/sonar-scanner.json>
- <https://github.com/SonarSource/sonar-scanner-cli>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: sonar-project.properties, ${scanner.home}/conf/sonar-scanner.properties
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** sonar-scanner
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- apk - sonar-scanner - 8.1.0.6389-r0: normalized package name match | Alpine Linux edge package indexes: sonar-scanner from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Scanner CLI for SonarQube and SonarCloud | https://github.com/SonarSource/sonar-scanner-cli
- Scoop - main/sonar-scanner: normalized package name match | Scoop official bucket manifest trees: bucket/sonar-scanner.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [openjdk](https://www.automicvault.com/pkg/brew/openjdk/) - Runtime dependency declared by Homebrew.
- [datadog-static-analyzer](https://www.automicvault.com/pkg/brew/datadog-static-analyzer/) - Shares av.db curated category or tags: ci, cli, code-quality, developer-tools, static-analysis.
- [globstar](https://www.automicvault.com/pkg/brew/globstar/) - Shares av.db curated category or tags: ci, cli, code-quality, developer-tools, static-analysis.
- [staticcheck](https://www.automicvault.com/pkg/brew/staticcheck/) - Shares av.db curated category or tags: ci, cli, code-quality, developer-tools, static-analysis.
- [checkstyle](https://www.automicvault.com/pkg/brew/checkstyle/) - Shares av.db curated category or tags: cli, code-quality, developer-tools, static-analysis.
- [credo](https://www.automicvault.com/pkg/brew/credo/) - Shares av.db curated category or tags: cli, code-quality, developer-tools, static-analysis.
- [detekt](https://www.automicvault.com/pkg/brew/detekt/) - Shares av.db curated category or tags: cli, code-quality, developer-tools, static-analysis.
- [eslint](https://www.automicvault.com/pkg/brew/eslint/) - Shares av.db curated category or tags: cli, code-quality, developer-tools, static-analysis.
- [go-critic](https://www.automicvault.com/pkg/brew/go-critic/) - Shares av.db curated category or tags: cli, code-quality, developer-tools, static-analysis.
- [sonar-scanner](https://www.automicvault.com/pkg/npm/sonar-scanner/) - Same normalized package name appears in another local ecosystem. Shared terms: scanner, sonar, sonar-scanner.
- [pmd](https://www.automicvault.com/pkg/brew/pmd/) - Local package facts share a topical domain. Shared terms: analysis, cli, code, code-quality, developer.
- [sonar-scanner](https://www.automicvault.com/pkg/npm/sonar-scanner/) - Same normalized package name in another local ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/sonar-scanner.yml](https://github.com/automic-vault/db/blob/main/combined/sonar-scanner.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
