Start FreeLog in
SonarQube Cloud | Managing your project | Administering your project | DevOps platform integration | GitHub

Setting up the integration of your project with GitHub

On this page

Once your GitHub organization has been imported to SonarQube Cloud, you can create your SonarQube Cloud project by importing your GitHub repository. The so-created SonarQube Cloud project is bound to its GitHub repository. To bind an unbound project, see Changing the project binding.

Setting up the pull request integration

For a bound project, the quality gate status and analysis metrics are reported to your pull requests in GitHub. 

For an automatic analysis, no additional setup is necessary.

For a CI-based analysis:

  • Make sure your build script is configured to build on pull request creation and push. 
  • If you don't use an integrated CI tool, you must set up the pull request parameters manually: see Pull request analysis in Analysis parameters.
  • See also Prerequisites for CI-based analysis in Pull request analysis.
Preventing the pull request merge if the quality gate fails

SonarQube Cloud adds the quality gate status as a GitHub check. You can define a branch protection rule on your branch in GitHub and add this check to the required status checks before merging. This way, users won't be able to merge a pull request into the protected branch as long as the quality gate status is red. 

Enabling the summary comment in the Converstion tab
  1. Retrieve your project.
  2. Go to Administration > General Settings > Pull Requests > Integration with GitHub.
  3. Select Enable summary comment.

Reporting security issues in GitHub (GitHub code scanning alerts)

With the Enterprise plan, the report of the security issues inside the GitHub interface itself as code scanning alerts under the Security tab is supported for bound projects.

Security alerts in Github

This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.

Issue status synchronization

When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa. 

The table below shows the correspondence between SonarQube and GitHub on a status transition. Initially, all vulnerabilities marked Open on SonarQube Cloud are marked Open on GitHub. 

On SonarQube Cloud, a transition to results in this on GitHub
AcceptWon't fix
False PositiveFalse positive
Confirm (Deprecated)Open
Fixed (Deprecated)Open
ReopenOpen
On GitHub, a transition to results in this on SonarQube Cloud
False positiveFalse Positive
Used in testsAccept
Won't fixAccept
ReopenOpen
Setting up the report of the security issues

The feature is only available to bound projects. No additional setup is required.


Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved.

Creative Commons License