Skip to content


Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time
Nov 22, 2018
Nov 22, 2018
Nov 22, 2018
Nov 15, 2021

ShellCheck SonarQube Plugin

Apache License, Version 2.0, January 2004 Maven Central Build Status Sonarcloud Status Sonarcloud Status

SonarQube plugin to analyze Shell scripts with ShellCheck.


  • SonarQube 7.1+, 8.0+, 9.0+ (tested on 9.1)

  • On the machine that will audit the code:

Tested on Linux.


  1. Download the ShellCheck plugin
  2. Copy the plugin JAR file into the extensions/plugins directory of SonarQube and restart SonarQube
  3. Optional: create a new quality profile to enable some rules (by default, if you do not create a custom profile, all rules are enabled)
    1. Log in SonarQube
    2. Create a new quality profile for the Shell language and enable the ShellCheck rules (search with the tag "shell")
  4. Install ShellCheck and the Sonar scanner on a Linux machine. If needed, you can set the path to the shellcheck executable in the general settings of SonarQube.


  1. Prior to executing a code audit, you must create a file that will contain some details about your project (this is a requirement from the Sonar scanner):

    # must be unique in a given SonarQube instance
    # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
    sonar.projectName=A Name
    # Path is relative to the file. Replace "\" by "/" on Windows.
    # This property is optional if sonar.modules is set.
    # Encoding of the source code. Default is default system encoding

    You just have to do that once. Ideally, add this file along with your scripts in your preferred SCM.

  2. Run the Sonar scanner from the directory where you wrote the file

  3. Go to SonarQube and check the result

Subsequent scans will just required the last step to be executed. It can easily be integrated into a continuous integration pipeline.

Known issues

Plugin not compatible with the Sonar i-Code CNES plugin

The version 1.0.0 of this plugin appeared to be incompatible with the other Sonar i-Code CNES plugin that also scans Shell script. If you already have that plugin installed you cannot install and use this ShellCheck plugin (you will have to decide which plugin to run). The issue #1 has been filed to trace this incompatibility problem.

This problem was fixed in version 2.0.0. If you want to run both the Sonar i-Code CNES plugin and the ShellCheck plugin, you must set the following environment variable before starting SonarQube so that only the i-Code CNES Shell language is installed:


You can also set the property in the file SQ_install_dir/conf/ :

If both variables are defined, the environment variable takes precedence.

For SonarQube 8.0, only the configuration property is available due to a a known bug.


SonarQube plugin to analyze Shell scripts with ShellCheck