Setting up the integration of your project with your DevOps platform
Once your DevOps platform organization has been imported into SonarQube Cloud, you can create your SonarQube Cloud project by importing your Azure DevOps repository. The SonarQube Cloud project created this way is bound to its DevOps platform repository.
With a bound project, various analysis reporting features are supported on the DevOps platform. This page explains how to set them up.
All DevOps platforms
The following features are supported for your bound project on GitHub, Bitbucket Cloud, GitLab, and Azure DevOps:
- Reporting the quality gate status and analysis metrics to your pull requests in the DevOps platform.
- Blocking the pull request merge if the quality gate fails.
The setup of these features depends on your CI tool and/or DevOps platform. See:
The blocking of pull requests on quality gate failure is not supported for projects on a monorepo.
GitHub (GitHub code scanning alerts)
With the Enterprise plan, bound projects can also report security issues inside the GitHub interface itself, as code scanning alerts under the Security tab.

This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.
Issue status synchronization
When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa.
The table below shows the correspondence between SonarQube and GitHub on a status transition. Initially, all vulnerabilities marked Open on SonarQube Cloud are marked Open on GitHub.
| On SonarQube Cloud, a transition to | results in this on GitHub |
|---|---|
| Accept | Won't fix |
| False Positive | False positive |
| Confirm (Deprecated) | Open |
| Fixed (Deprecated) | Open |
| Reopen | Open |

| On GitHub, a transition to | results in this on SonarQube Cloud |
|---|---|
| False positive | False Positive |
| Used in tests | Accept |
| Won't fix | Accept |
| Reopen | Open |
Setting up the report of the security issues
The feature is only available to bound projects. No additional setup is required.
In GitHub, you can configure access to security alerts for your repository.
Bitbucket Cloud
The following features are supported for your bound project:
- Report of the analysis metrics of the main branch in the Bitbucket repository overview.
To enable this feature, you must enable the Repository Overview widget.

- Report of the quality gate status and analysis metrics to your pull requests in Bitbucket Cloud.
No additional setup is required.

For more information about these features, see Viewing and managing issues in your DevOps platform > In Bitbucket Cloud.
Enabling the Repository Overview Widget
- In Bitbucket Cloud, locate your project.
- Go to Your Repository > Repository settings > SonarQube Cloud > Settings.
- Select Show repository overview widget.

- If you don't see the widget with quality information, make sure that your browser is not using an ad-blocking extension such as AdBlock. These extensions tend to break the integration of third-party applications in Bitbucket Cloud.
- The Repository Overview always shows the status for the master branch, even if you select another branch. This is a limitation of the current integration with Bitbucket.
Azure DevOps
The following feature is supported for your bound project:
- Report of the issues detected on a pull request in Azure DevOps. Each issue will be a comment on the Azure DevOps pull request.
The number of comments posted in the timeline of a pull request is limited to 50.
If this limit has been reached, a message is displayed as a comment, with a link to the rest of the issues on SonarQube Cloud. This comment does not disappear when an issue is resolved; it is removed only by a new build in which fewer than 50 issues remain.
Related pages
- Creating your project
- Setting project permissions and visibility
- Changing project binding and other parameters
- Customizing the Project Information page
- Deleting your project
- Importing a GitHub organization
- Importing a Bitbucket Cloud workspace
- Importing a GitLab group
- Importing an Azure DevOps organization