
How to Install and Use SonarQube with Docker for Code Quality Analysis

This guide explains what SonarQube is, its advantages and architecture, and walks through Docker installation, project setup, and scanner configuration step by step, with real‑world examples of detecting unreachable code and unused parameters.

Open Source Tech Hub

SonarQube is an open‑source platform for managing code quality, detecting bugs, vulnerabilities, and coding standard violations across more than 30 programming languages. It integrates with CI tools such as GitLab and Jenkins, storing analysis results in a database and presenting them via web reports.

Key Advantages

Supports over 30 languages.

Plugin architecture integrates with IDEs, Jenkins, Git, etc.

Built‑in rules for common code checks.

Custom rule development is possible.

Analyzes reliability, security, maintainability, coverage, duplication, and more.

Core Architecture

Database layer: stores all quality metrics.

Application layer: Java‑based web services for data collection, analysis, and reporting.

Plugin layer: extensible with additional functionality.

Data collection layer: connectors for SVN, Git, Mercurial, ClearCase, etc.

Docker Installation

Pull the latest Community Edition image:

docker pull sonarqube:latest

Run the container (host port 9999 mapped to container 9000 because 9000 was occupied locally):

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9999:9000 sonarqube:latest

Open http://localhost:9999/ and log in with the default credentials admin / admin, then change the password (the example used here is 123465; pick a strong password for any instance other people can reach).

Creating a Project and Configuring Sonar‑Scanner

Create a project named php-tinywan in the SonarQube UI, generate an access token, and add a local code repository.

Run the scanner using Docker, mounting cache and source directories and passing required environment variables:

docker run \
    --rm \
    -v "D:/sonarqube/cache:/opt/sonar-scanner/.sonar/cache" \
    -e SONAR_HOST_URL="http://192.168.3.88:9999" \
    -e SONAR_SCANNER_OPTS="-Dsonar.projectKey=php-tinywan" \
    -e SONAR_TOKEN="sqp_5c64cc44db453555eb23c24ce841ffbb451a944e" \
    -v "D:/sonarqube:/usr/src" \
    sonarsource/sonar-scanner-cli
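
As an added example (not from the original article or the SonarQube project), the wrapper below runs the same scanner image but reads the token from an owner-only file and passes it as `-e SONAR_TOKEN`, keeping the value out of the command line and shell history. The token file path, the function names, and a POSIX host are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Assumes a POSIX host (Linux/macOS/CI runner).

# Load the token from a file that only its owner can access, then export it.
load_token() {
    token_file=$1
    [ -f "$token_file" ] || { echo "no token file: $token_file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$token_file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "token file is group/world accessible" >&2; return 1; }
    SONAR_TOKEN=$(tr -d '\r\n' < "$token_file")
    [ -n "$SONAR_TOKEN" ] || { echo "token file is empty" >&2; return 1; }
    export SONAR_TOKEN
}

# Run the scanner image with the article's mounts and variables.
# $1 is the program to invoke: "docker" for a real scan, "echo" for a dry run.
# "-e SONAR_TOKEN" (name only) tells docker to copy the value from this
# shell's environment, so the secret is absent from argv and shell history.
run_scanner() {
    runner=$1 host_url=$2 project_key=$3 src_dir=$4 cache_dir=$5
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN not loaded" >&2; return 1; }
    "$runner" run --rm \
        -v "$cache_dir:/opt/sonar-scanner/.sonar/cache" \
        -v "$src_dir:/usr/src" \
        -e "SONAR_HOST_URL=$host_url" \
        -e "SONAR_SCANNER_OPTS=-Dsonar.projectKey=$project_key" \
        -e SONAR_TOKEN \
        sonarsource/sonar-scanner-cli
}

# Usage (hypothetical token path; other values as in the article):
#   load_token "$HOME/.config/sonar/php-tinywan.token" &&
#   run_scanner docker "http://192.168.3.88:9999" php-tinywan /srv/sonarqube /srv/sonarqube/cache
```

Passing `echo` as the first argument prints the resulting docker invocation without starting a container, which is a quick way to confirm the token value is not part of it.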

Analyzing Scan Results – Real Cases

Case 1: Unreachable Code

A PHP function contains a branch that always throws an exception, making the following return statement unreachable. SonarQube flags this as a New Bug and suggests deleting or refactoring the dead code.

<?php
function tinywan(){
    $aa = 2024;
    if($aa > 0){
        throw new Exception('这是一个异常');
    } else {
        return $aa;
    }
    // unreachable code
    return '开源技术小栈';
}
var_dump(tinywan());

Case 2: Using the Result of a Void Function

A function prints values but returns nothing; assigning its result to a variable triggers a bug warning because the assigned value is meaningless.

<?php
function test(){
    $arr = [2024,2025,2026,2027,2028,2029,2030];
    while(count($arr) > 0){
        echo array_pop($arr) . PHP_EOL;
    }
    if(count($arr) > 0){
        echo 'This line will never execute';
    }
}
$result = test();
var_dump($result);

Case 3: Unused Function Parameter

Scanning a simple project reveals an unused parameter $iv. SonarQube recommends removing it to improve readability and avoid confusion.

Conclusion

SonarQube, when deployed via Docker and combined with the Sonar‑Scanner, provides automated detection of bugs such as dead code, misuse of void functions, and unused parameters, helping teams maintain high code quality throughout the development lifecycle.
