Setting up AI code autodetection
Knowing if your project contains AI-generated code helps raise awareness of code ownership and code security. To help build this awareness, SonarQube Cloud can autodetect AI-generated code in projects using GitHub Copilot. If turned on, the feature alerts Project Admins when project contributors recently used GitHub Copilot so that such projects can be protected with Sonar’s AI Code Assurance.
Autodetect AI-Generated Code is turned on by default in SonarQube Cloud, but your GitHub App must have the appropriate permissions to allow communication with SonarQube Cloud.
Requirements
- The Autodetect AI-Generated Code feature is turned on by default in SonarQube Cloud. See the instructions below to manage feature activation at the global and project levels.
- Your Copilot Business subscription must be associated with the GitHub organization you have bound to SonarQube Cloud. Note that your project itself does not need to be bound to GitHub.
- A GitHub Project Admin must enable access from your GitHub App. The autodetection feature will not function unless SonarQube Cloud is granted the correct access to the Copilot Business permission setting.
Autodetecting AI code
With access to your GitHub App, SonarQube Cloud can evaluate users' GitHub Copilot usage and code contribution patterns to identify potential AI-generated code. If there is a match in user data between your SonarQube Cloud organization and your GitHub organization running GitHub Copilot, SonarQube Cloud will display the AI code detected status on the project’s Overview page, and add a note on the Project Information page that your project may contain AI-generated code.
SonarQube Cloud does not retroactively check older code from previous commits. In addition, projects that already carry the label applied manually by a Quality Standard administrator are excluded from automatic AI code detection.
Ensure that the GitHub organization holding the Copilot Business subscription is bound to SonarQube Cloud.
To activate Autodetect AI-generated Code in SonarQube Cloud, follow these three steps:
Step 1: Manage AI autodetection in SonarQube Cloud
Autodetect AI-generated Code can be managed at the global and project levels:
- At the global level, go to Administration > Autodetect AI-generated Code and select or deselect Autodetect AI-generated Code. The setting is turned on by default.
- At the project level, go to Your Organization > Your Project > Administration > AI Code Assurance > Autodetect AI-generated Code in this project and select or deselect Autodetect AI-generated Code. When activated at the global level, the project-level setting is turned on by default.
Step 2: Enable your GitHub integration
As mentioned above, the Autodetect AI-generated Code feature relies on user login information from your GitHub organization’s usage statistics in GitHub Copilot.
When Autodetect AI-generated Code is activated, your GitHub Project Admin will receive an email asking them to accept SonarQube Cloud’s access in your Copilot Business app. The GitHub admin will be given a Developer note pointing them to a Community post that refers readers to this page in our documentation. The GitHub admin must select Accept new permissions for autodetection to work.
In addition, if you’ve restricted traffic to your GitHub enterprise with an IP allow list, you must either choose to automatically allow access by GitHub Apps, or manually configure the SonarQube Cloud app using our published IP whitelist.
Because GitHub administrators manage SonarQube Cloud’s permission levels in GitHub Copilot Business, they can disable AI code autodetection for your SonarQube organization. However, they cannot enable the feature in SonarQube Cloud without the correct Permission Type.
Step 3: Rescan your project
After completing steps 1 and 2, you must rescan your project so SonarQube Cloud can communicate with your DevOps platform and compare user login information.
With the requirements satisfied, SonarQube Cloud will check for the presence of AI-generated code each time an analysis is performed. Projects containing autodetected code will display the AI code detected status on the project’s Overview and Project Information pages.
If Autodetect AI-generated Code is turned off on a project containing autodetected code, the AI code detected status will be displayed until the next analysis is run.
Related pages
- Overview of SonarCloud's AI capabilities
- Using AI CodeFix to get AI-generated fix suggestions
- To learn about AI Code Assurance: