Configuring GitHub project binding

Setting up GitHub integration features for your project in SonarQube Cloud.

Once your GitHub organization has been imported to SonarQube Cloud, you can create your SonarQube Cloud project by importing your GitHub repository. The created SonarQube Cloud project is bound to its GitHub repository; see Binding with the DevOps platform for more details. To bind an unbound project, see Binding an unbound project to a repository.

Setting up pull request integration

For a bound project, the analysis results summary and issues are reported to your pull requests in GitHub provided:

Preventing the pull request merge if the quality gate fails

SonarQube Cloud adds the quality gate status as a GitHub check. To block pull requests from being merged when they fail the quality gate, define a ruleset (recommended) or a branch protection rule on your branch.

With a branch ruleset

  1. In GitHub, go to your repository Settings and select Rules > Rulesets under Code and automation.

  2. Create a new branch ruleset (or edit an existing one).

  3. In the Target branches section, select Add a target, and define the name pattern of the branches you want to target. For more information, see the GitHub documentation.

  4. In the Branch protections section, select Require status checks to pass.

  5. In the additional settings, select Require branches to be up to date before merging.

  6. In Status checks that are required, select Add checks.

  7. Find SonarCloud Code Analysis and add it to the list of required checks.

Select Add checks and add SonarCloud Code Analysis
  8. Complete the ruleset creation.
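The ruleset built through the GitHub UI above can also be expressed as the JSON body the GitHub REST rulesets API accepts, which is convenient for auditing that a repository really enforces the SonarCloud check. The following is an added example, not part of this documentation or of SonarQube Cloud; it assumes the GitHub REST API field names (`required_status_checks`, `strict_required_status_checks_policy`, `ref_name`) and uses the check name SonarCloud Code Analysis from the steps above.

```python
import json

# Check context name as it appears in the GitHub required-checks list.
SONAR_CHECK = "SonarCloud Code Analysis"


def build_sonar_ruleset(name: str, ref_patterns: list[str]) -> dict:
    """Build a branch ruleset payload (GitHub REST API shape, assumed) that
    mirrors the UI steps: target branches, require status checks, require
    branches to be up to date (strict policy) and require the Sonar check."""
    return {
        "name": name,
        "target": "branch",
        "enforcement": "active",
        "conditions": {"ref_name": {"include": ref_patterns, "exclude": []}},
        "rules": [{
            "type": "required_status_checks",
            "parameters": {
                "strict_required_status_checks_policy": True,
                "required_status_checks": [{"context": SONAR_CHECK}],
            },
        }],
    }


def audit_ruleset(ruleset: dict) -> list[str]:
    """Return the gaps that would let a pull request merge past a failing
    quality gate. An empty list means the ruleset enforces the gate."""
    gaps = []
    if ruleset.get("enforcement") != "active":
        gaps.append("ruleset is not actively enforced")
    rules = [r for r in ruleset.get("rules", [])
             if r.get("type") == "required_status_checks"]
    if not rules:
        gaps.append("no required_status_checks rule")
        return gaps
    params = rules[0].get("parameters", {})
    contexts = {c.get("context") for c in params.get("required_status_checks", [])}
    if SONAR_CHECK not in contexts:
        gaps.append(f"'{SONAR_CHECK}' is not a required check")
    if not params.get("strict_required_status_checks_policy"):
        gaps.append("branches are not required to be up to date before merging")
    return gaps


if __name__ == "__main__":
    # Payload for e.g. `gh api -X POST repos/OWNER/REPO/rulesets --input -`
    print(json.dumps(build_sonar_ruleset("sonar-gate", ["refs/heads/main"]), indent=2))
```

Feed `audit_ruleset` the JSON of an existing ruleset (for example fetched with `gh api repos/OWNER/REPO/rulesets/ID`) to detect drift from the configuration the steps above produce.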

With a branch protection rule

  1. In GitHub, go to your repository Settings > Branches > Branch protection rules and select Add rule, or Edit if you already have a rule on the branch you wish to protect.

  2. Complete the Branch protection rule form:

    • Define the Branch name pattern (the name of the branch you wish to protect)

    • Select Require status checks to pass before merging to open supplementary form fields.

    • Select Require branches to be up to date before merging, then, in the Search for status checks in the last week for this repository field, find SonarCloud Code Analysis and add it to the list of required checks.

  3. Complete the protection rule creation.

Disabling the inline annotations

By default, SonarQube Cloud reports issues on your pull requests as inline annotations. To disable the annotations:

  1. Retrieve your project. See Retrieving projects for more details.

  2. Go to Administration > General Settings > Pull Requests > Issue Annotations.

  3. Unselect Enable Issue Annotations.

Disabling the analysis summary in the Conversation tab

By default, SonarQube Cloud shows the analysis summary in the Conversation and Checks tab of your GitHub pull requests.

To disable the summary in the Conversation tab:

  1. Retrieve your project. See Retrieving projects for more details.

  2. Go to Administration > General Settings > Pull Requests > Integration with GitHub.

  3. Unselect Enable summary comment.

Reporting security issues in GitHub (GitHub code scanning alerts)

With the Enterprise plan, bound projects can report their security issues inside the GitHub interface itself, as code scanning alerts under the Security tab.

SonarQube Cloud can be enabled to send code scanning alerts to your project in GitHub.

This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.

Issue status synchronization

When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa.

The tables below show the correspondence between SonarQube Cloud and GitHub on a status transition. Initially, all vulnerabilities marked Open on SonarQube Cloud are marked Open on GitHub.

On SonarQube Cloud, a transition to    results in this on GitHub
Accept                                 Won’t fix
False Positive                         False positive
Confirm (Deprecated)                   Open
Fixed (Deprecated)                     Open
Reopen                                 Open

On GitHub, a transition to             results in this on SonarQube Cloud
False positive                         False Positive
Used in tests                          Accept
Won’t fix                              Accept
Reopen                                 Open

Setting up the report of the security issues

The feature is only available to bound projects. No additional setup is required.
