Setting up GitHub integration for your project
With a bound project, SonarQube Cloud offers numerous analysis reporting features that are supported in GitHub. This page explains how to set them up.
Once your GitHub organization has been imported to SonarQube Cloud, you can create your SonarQube Cloud project by importing your GitHub repository. The created SonarQube Cloud project is bound to its GitHub repository, see Binding with the DevOps platform for more details. To bind an unbound project, see Binding an unbound project to a repository.
Setting up pull request integration
For a bound project, the analysis results summary and issues are reported to your pull requests in GitHub provided:
Your build script is configured to build on pull request creation and push.
If you don't use an integrated CI tool, you must set up the pull request parameters manually, see Analysis parameters for more details.
See Prerequisites for CI-based analysis for more details
Preventing the pull request merge if the quality gate fails
SonarQube Cloud adds the quality gate status as a GitHub check. You can define a branch protection rule on your branch in GitHub and add this check to the required status checks before merging. This way, users won't be able to merge a pull request into the protected branch as long as the quality gate status is red.
The blocking of pull requests on quality gate failure is not supported for projects on a monorepo.
Disabling the inline annotations
By default, SonarQube Cloud reports issues on your pull requests as inline annotations. To disable the annotations:
Retrieve your project. See Retrieving projects for more details.
Go to Administration > General Settings > Pull Requests > Issue Annotations.
Unselect Enable Issue Annotations.
Disabling the analysis summary in the Conversation tab
By default, SonarQube Cloud shows the analysis summary in the Conversation and Checks tab of your GitHub pull requests.
To disable the summary in the Conversation tab:
Retrieve your project. See Retrieving projects for more details.
Go to Administration > General Settings > Pull Requests > Integration with GitHub.
Unselect Enable summary comment.
Reporting security issues in GitHub (GitHub code scanning alerts)
With the Enterprise plan, the report of the security issues inside the GitHub interface itself as code scanning alerts under the Security tab is supported for bound projects.
This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.
Issue status synchronization
When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa.
The table below shows the correspondence between SonarQube and GitHub on a status transition. Initially, all vulnerabilities marked Open on SonarQube Cloud are marked Open on GitHub.
On SonarQube Cloud, a transition to
results in this on GitHub
Accept
Won’t fix
False Positive
False positive
Confirm (Deprecated)
Open
Fixed (Deprecated)
Open
Reopen
Open
On GitHub, a transition to
results in this on SonarQube Cloud
False positive
False Positive
Used in tests
Accept
Won’t fix
Accept
Reopen
Open
Setting up the report of the security issues
The feature is only available to bound projects. No additional setup is required.
In GitHub, you can configure access to security alerts for your repository.
Related pages
Last updated
Was this helpful?