Setting up the integration of your project with GitHub
Once your GitHub organization has been imported to SonarQube Cloud, you can create your SonarQube Cloud project by importing your GitHub repository. The so-created SonarQube Cloud project is bound to its GitHub repository.
With a bound project, various analysis reporting features are supported in GitHub. This page explains how to set them up.
Reporting the quality gate status and analysis metrics to your pull requests in GitHub
For a bound project, the quality gate status and analysis metrics are reported to your pull requests in GitHub. No additional setup is necessary.
Preventing the pull request merge if the quality gate fails
The setup of this feature depends on your CI tool. See:
The blocking of pull requests on quality gate failure is not supported for projects on a monorepo.
Reporting security issues in GitHub (GitHub code scanning alerts)
With the Enterprise plan, the report of the security issues inside the GitHub interface itself as code scanning alerts under the Security tab is supported for bound projects.
This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.
Issue status synchronization
When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa.
The table below shows the correspondence between SonarQube and GitHub on a status transition. Initially, all vulnerabilities marked Open on SonarQube Cloud are marked Open on GitHub.
| On SonarQube Cloud, a transition to | results in this on GitHub |
|---|---|
| Accept | Won't fix |
| False Positive | False positive |
| Confirm (Deprecated) | Open |
| Fixed (Deprecated) | Open |
| Reopen | Open |
| On GitHub, a transition to | results in this on SonarQube Cloud |
|---|---|
| False positive | False Positive |
| Used in tests | Accept |
| Won't fix | Accept |
| Reopen | Open |
Setting up the report of the security issues
The feature is only available to bound projects. No additional setup is required.
In GitHub, you can configure access to security alerts for your repository.
Related pages
- Getting started with GitHub
- Importing your GitHub organization or personal account
- Creating your project
- Analyzing your repository with GitHub Actions
- Setting project permissions and visibility
- Changing project binding and other parameters
- Customizing the Project Information page
- Deleting your project
- Viewing and managing issues in GitHub
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
