Comment: Migrated to Confluence 4.0

Do not execute Sonar when your project is in an inconsistent state

You shouldn't analyse your project if it cannot be built without Sonar, i.e. the source code was not fully retrieved from the version control system, dependencies can't be resolved, compilation failed and so on. Otherwise you will receive an incomplete or inconsistent analysis, e.g. because bytecode was not available.

Best practice - execute Sonar on a regular basis and not manually

Depending on the load on your CI server, you can execute Sonar for each change in the version control system or, preferably, on a daily basis.

Do not save credentials in the configuration files of your project

This includes credentials for the Sonar database. Storing them there is a security vulnerability, since those files are typically placed into a version control system and so might be available to people who should not see them. Instead, pass this configuration via the command line.
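
A check that can run in CI before the analysis to catch credentials that were committed anyway. This is an added example, not part of the original page or of Sonar itself; the function name, the scanned file names and the list of property keys (sonar.jdbc.username, sonar.jdbc.password, sonar.login, sonar.password) are assumptions to adjust for your Sonar version.

```shell
#!/bin/sh
# Added example: report Sonar credentials stored as literal values in project files.
# Assumed key list; "[.]" is used instead of "\." so awk -v does not alter the pattern.
SONAR_SECRET_KEYS='sonar[.]jdbc[.]password|sonar[.]jdbc[.]username|sonar[.]password|sonar[.]login'

# find_sonar_credentials DIR
# Prints "file:line:key" for every literal credential found (never the value).
# Returns 0 when the tree is clean, 1 when at least one credential is present.
find_sonar_credentials() {
    dir=${1:-.}
    hits=$(find "$dir" -type f \( -name 'pom.xml' -o -name '*.properties' \) -print |
        while IFS= read -r f; do
            awk -v file="$f" -v keys="$SONAR_SECRET_KEYS" '
                function report(k, v) {
                    gsub(/[ \t=:]/, "", k)
                    gsub(/^[ \t]+|[ \t\r]+$/, "", v)
                    # Empty values and ${...} placeholders are resolved at build
                    # time from outside the repository, so they are not a leak.
                    if (v == "" || v ~ /^[$][{][^}]*[}]$/) return
                    printf "%s:%d:%s\n", file, FNR, k
                }
                # Properties style: key=value or key: value (comment lines do not match).
                match($0, "^[ \t]*(" keys ")[ \t]*[=:][ \t]*") {
                    report(substr($0, RSTART, RLENGTH), substr($0, RSTART + RLENGTH))
                    next
                }
                # Maven style: <key>value</key> inside pom.xml <properties>.
                match($0, "<(" keys ")>") {
                    key = substr($0, RSTART + 1, RLENGTH - 2)
                    val = substr($0, RSTART + RLENGTH)
                    sub(/<.*/, "", val)
                    report(key, val)
                }' "$f"
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Typical CI use (SONAR_JDBC_PASSWORD is an assumed secret variable of the CI job):
#   find_sonar_credentials . || exit 1
#   mvn sonar:sonar -Dsonar.jdbc.password="$SONAR_JDBC_PASSWORD"
```

Values passed on the command line are visible in the process list and may be echoed into build logs, so keep the secret in the CI server's protected variables and disable command echoing for that step.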