How to Use SonarQube for Static Code Analysis in .NET Core – Windows ASP.NET Core Hosting 2024 | Review and Comparison

Whether it’s your codebase or someone else’s you’re going to build on, SonarQube can quickly and easily highlight quality and security issues without having to eyeball every line of code yourself.

The easiest way I’ve found to get SonarQube up and running is to use Bitnami’s docker-compose solution which looks all of;

curl -LO
docker-compose up

Troubleshooting startup

Ideally it should Just Work™, but I had some smaller hurdles that needed to be traversed. When you see this line in the logs, be prepared to wait a little;

sonarqu INFO ==> Starting app...

On Windows this took a few minutes for me, but when I switched over to WSL2 it took five minutes and then stopped the container with;

sonarqu ERROR Pattern SonarQube is up was not found in SonarQube log: Error: Log entry not found after 300 s

There’s a GitHub issue which goes on to say for a number of possible reasons that the container did not finish booting properly.

To see what the SonarQube container is doing while it’s booting you can monitor the log using the following command;

docker exec -it <containerId> tail -f /opt/bitnami/sonarqube/logs/sonar.log

In my case it looked as though Elastic Search (part of the SonarQube container) wasn’t coming up so I yolo’d the following and the problem was solved.

sudo sysctl -w vm.max_map_count=262144 && sudo sysctl -w fs.file-max=65536

Once it’s up you can browse to http://localhost:80 and log in with admin/bitnami creds. You’ll want to Create project which will also let you create a token – we’ll continue below with these by scanning our source.


SonarQube requires that all projects you intend to scan are part of a Solution file, so add them to one if not already. You’ll also need the scanner tool, which can be installed for dotnet core like so;

dotnet tool install --global dotnet-sonarscanner

If you are scanning a .NET Framework solution, then check the docs for that here.

dotnet sonarscanner begin /k:digital-icebreakers /d:sonar.login=<myToken> /
dotnet build
dotnet sonarscanner end /d:sonar.login=<myToken>

The result took 1m21s to scan and analyse 18k lines of code. Digital Icebreakers is mostly React (TypeScript) so the breakdown looks like this;

LanguageLines of Code

Excluding files

A large chunk of the above, notably the CSS and associated issues, are in fact from 3rd party static files I have sitting in ClientApp/public. I can configure the scanner to ignore these by altering the begin scan command I used above. The following command will exclude everything under ClientApp/public and the resulting image shows a significant decrease in issues once this irrelevant code is ignored.

dotnet sonarscanner begin /k:digital-icebreakers /d:sonar.login=<myToken> / /d:sonar.coverage.exclusions="**/ClientApp/public/*"
LanguageLines of Code


In under thirty minutes you can be investigating technical debt, security vulnerabilities, test coverage, code duplication and other refactoring and bug fixing opportunities with SonarQube.