Sonarsource comes in two flavors: Sonarcloud (cloud-based) and Sonarqube (self-managed). Only the Enterprise plan, of both the self-managed and the cloud solution, includes support for analyzing Apex code (in addition to vanilla JavaScript).
It is possible to import external SARIF reports into Sonar. SARIF stands for Static Analysis Results Interchange Format, and Salesforce Code Analyzer can output its analysis in this format.
Salesforce Code Analyzer includes several analysis engines, which can be used simultaneously during a scan. It also includes a so-called graph engine for more complex analysis. Future releases will also include analysis of Flows.
For more see Github project: GitHub – forcedotcom/sfdx-scanner and roadmap: Salesforce Code Analyzer Roadmap • forcedotcom
Sonarqube Community Edition does not support scanning Apex code (PMD) or LWC (eslint-lwc), and the Enterprise edition supports only PMD anyway. The Community Edition also does not support branch analysis or pull request decoration, but both can be achieved with the following plugin:
GitHub – mc1arke/sonarqube-community-branch-plugin: A plugin that allows branch analysis and pull request decoration in the Community version of Sonarqube
Verified with the following versions:
- Salesforce Code Analyzer, v4.3.2
- Sonar Scanner, v6.1.0.4477
- Sonarqube Community Edition, v10.6 (92116)
- Sonarqube Community Branch Plugin, v1.21
Salesforce Code Analyzer
It is possible to run multiple scanning engines with Code Analyzer. Enabling both eslint and eslint-lwc may produce duplicate issues.
Code Analyzer also supports more complex data-flow analysis, where the code base is analyzed as a whole rather than file by file. Read more here. The graph engine is enabled by adding dfa to the list of enabled engines. Note that on large code bases it consumes a lot of memory and is quite slow.
sf scanner run \
--target src \
--engine pmd,eslint-lwc \
--pmdconfig pmd_ruleset.xml \
--format sarif \
--outfile sarif_report.sarif
Running the above command produces the sarif_report.sarif file containing the issues found in the src folder (note that the engine list must be comma-separated without spaces, otherwise the shell splits it into two arguments). This file is used when running sonar-scanner to import the issues into Sonarqube.
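Before handing the report to sonar-scanner it is worth checking what the file actually contains. The following is an added example, not part of the original post or of the Code Analyzer project: it parses a constructed SARIF 2.1.0 report in the shape `sf scanner run --format sarif` is assumed to emit (one run per engine), counts findings per engine and level, lists locations whose path Sonar will not resolve against the project base directory (absolute or URI-scheme paths, files outside the scanned target), and provides a simple gate for the pipeline. Rule ids, paths and line numbers in the sample are illustrative.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample in the assumed shape of `sf scanner run
# --format sarif`: one run per engine (pmd, eslint-lwc). Rule ids, paths
# and line numbers are illustrative, not output of a real scan.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "pmd"}}, "results": [
        {"ruleId": "ApexSOQLInjection", "level": "error",
         "message": {"text": "Untrusted input reaches a SOQL query"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/classes/AccountCtl.cls"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "ApexCRUDViolation", "level": "warning",
         "message": {"text": "CRUD permission check missing"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "file:///build/src/classes/Util.cls"},
             "region": {"startLine": 3}}}]}]},
    {"tool": {"driver": {"name": "eslint-lwc"}}, "results": [
        {"ruleId": "@lwc/lwc/no-inner-html", "level": "warning",
         "message": {"text": "Unsafe innerHTML assignment"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/lwc/card/card.js"},
             "region": {"startLine": 7}}}]}]}]})

def findings(sarif_text):
    """Yield (engine, level, uri, rule_id) for every result in every run."""
    for run in json.loads(sarif_text).get("runs", []):
        engine = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            yield (engine, res.get("level", "warning"),
                   loc["artifactLocation"]["uri"], res["ruleId"])

def summarize(sarif_text):
    """Count findings per (engine, level), e.g. {("pmd", "error"): 1, ...}."""
    return Counter((eng, lvl) for eng, lvl, _, _ in findings(sarif_text))

def unmatched_paths(sarif_text, target="src/"):
    """Locations Sonar cannot map onto the scanned sources (absolute or
    URI-scheme paths, files outside --target); such findings are not imported."""
    return sorted({uri for _, _, uri, _ in findings(sarif_text)
                   if "://" in uri or uri.startswith("/")
                   or not uri.startswith(target)})

def gate(sarif_text, fail_on=("error",)):
    """False when any finding has a blocking level; stop the pipeline
    before the Sonar import step if it fails."""
    return not any(lvl in fail_on for _, lvl, _, _ in findings(sarif_text))
```

Run it against the real sarif_report.sarif by reading the file into a string and passing it to the three functions.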
In the future the analyzer will be updated to support Flows as well; see the product roadmap here: Salesforce Code Analyzer Roadmap • forcedotcom
PMD Config
Using the --pmdconfig flag of sf scanner it is possible to customize which rules are run. For more, see: PMD Customization. If the flag is omitted, all PMD rules are enabled.
Sonar scanner
Example of branch / pull request analysis; this is usually run when making new changes that are to be merged into the main branch:
./sonar-scanner \
-Dsonar.token=XXXXX \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.pullrequest.base=main \
-Dsonar.pullrequest.branch=feature/ticket3 \
-Dsonar.pullrequest.key=102 \
-Dsonar.projectKey=demo-project \
-Dsonar.sarifReportPaths=sarif_report.sarif
Example of main branch analysis:
./sonar-scanner \
-Dsonar.token=XXXXX \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.branch.name=main \
-Dsonar.projectKey=demo-project \
-Dsonar.sarifReportPaths=sarif_report.sarif
Sonarqube
Sonarqube shows the issues imported from Salesforce Code Analyzer as if they had been found by its built-in scanner.
Pull request decoration
In Bitbucket the pull request is decorated with a link to Sonarqube

and when clicking the link you can see the issues and some statistics in Bitbucket and navigate to the full report in Sonarqube.