Qodana 2025.2 Help

Analyze changes

Using Qodana, you can not only scan your entire codebase, but also run analysis on change sets like merge or pull requests, as well as analyze changes between two commits.

Configuration samples on this page contain <GIT_START_HASH> and <GIT_END_HASH> to denote the hashes of the earliest and latest commits that should be included in a change analysis. For example:

commit 7a3f9f8e6b3a487f7e8e7f8a7f8e (HEAD -> main) <--- GIT_END_HASH | Author: Your Name <your.email@example.com> | Date: Mon Oct 3 12:34:56 2024 +0200 | | The latest commit | * commit 2b4c8d9e6a3b486f7e9e8f8b8f8 | Author: Your Name <your.email@example.com> | Date: Mon Oct 2 12:30:00 2024 +0200 | | The second commit | * commit 5d6e9f0e7b4c587f8e0e9f0a9f0 <--- GIT_START_HASH | Author: Your Name <your.email@example.com> | Date: Mon Oct 1 12:25:00 2024 +0200 | | The earliest commit

The QODANA_TOKEN variable refers to a project token value.

Analyze pull and merge requests

If you just finished work and would like to analyze the changes, you can employ the --diff-start option and specify a hash of the commit that will act as a base for comparison:

To run Qodana CLI in the default mode, you must have Docker or Podman installed and running locally. If you are using Linux, you should be able to run Docker under your current non-root user. Use this command to run Qodana CLI:

qodana scan \    -e QODANA_TOKEN="<cloud-project-token>" \    --diff-start=<GIT_START_HASH>

In GitHub Actions, the --diff-start can be omitted because it will be added automatically while running Qodana, so you can follow this procedure:

  1. On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value.

  2. On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.

  3. Add this snippet to the .github/workflows/code_quality.yml file:

    name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2025.2 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

Make sure that your project repository is accessible to GitLab CI/CD.

In the root directory of your project, save the .gitlab-ci.yml file containing the following snippet:

include: - component: $CI_SERVER_FQDN/qodana/qodana/qodana-gitlab-ci@v2025.2 inputs: args: --image,<image>

This configuration by default enables merge request analysis. To override the default behavior, you can use the following configuration:

include: - component: $CI_SERVER_FQDN/qodana/qodana/qodana-gitlab-ci@v2025.2 inputs: args: --image,<image>   qodana:   rules:     # GIT_DEPTH: 0 is required for checkout in case Qodana works in merge request mode     # (reports issues that appeared only in that merge request)     - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $QODANA_MR_MODE == "true"       variables:         GIT_DEPTH: 0     # run analysis in case of merge request     - if: $CI_PIPELINE_SOURCE == "merge_request_event"     # restrict branch analysis only to main/master and release branches     - if: $CI_COMMIT_BRANCH =~ /^releases/ || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "main"       # mr-mode does not make any sense for branch analysis       variables:         QODANA_MR_MODE: false
docker run \    -v $(pwd):/data/project/ \    -e QODANA_TOKEN="<cloud-project-token>" \    jetbrains/qodana-<image> \    --diff-start=<GIT_START_HASH>

Analyze changes between two commits

To analyze a set of changes between two commits, employ both --diff-start and --diff-end options:

To run Qodana CLI in the default mode, you must have Docker or Podman installed and running locally. If you are using Linux, you should be able to run Docker under your current non-root user. Use this command to run Qodana CLI:

qodana scan \    -e QODANA_TOKEN="<cloud-project-token>" \    --diff-start=<GIT_START_HASH> \    --diff-end=<GIT_END_HASH>

  1. On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value.

  2. On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.

  3. Add this snippet to the .github/workflows/code_quality.yml file:

    name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2025.2 with: args: --diff-start,<GIT_START_HASH>,--diff-end,<GIT_END_HASH> env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

Make sure that your project repository is accessible to GitLab CI/CD.

In the root directory of your project, save the .gitlab-ci.yml file containing the following snippet:

include: - component: $CI_SERVER_FQDN/qodana/qodana/qodana-gitlab-ci@v2025.2 inputs: args: --diff-start,$CI_MERGE_REQUEST_TARGET_BRANCH_SHA,--diff-end,$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA,--image,<image>
docker run \    -v $(pwd):/data/project/ \    -e QODANA_TOKEN="<cloud-project-token>" \    jetbrains/qodana-<image> \    --diff-start=<GIT_START_HASH> \    --diff-end=<GIT_END_HASH>
18 August 2025
Analyze Python codeDetect hard-coded passwords