# Configuring GitHub project binding

Once your GitHub organization has been imported to SonarQube Cloud, you can create your SonarQube Cloud project by importing your GitHub repository. The created SonarQube Cloud project is bound to its GitHub repository; see [binding-with-dop](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/resources-structure/binding-with-dop "mention") for more details. To bind an unbound project, see [#binding-an-unbound-project-to-a-repository](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/changing-binding#binding-an-unbound-project-to-a-repository "mention").

## Setting up pull request integration

For a bound project, the analysis results summary and issues are reported to your pull requests in GitHub provided that:

* Your build script is configured to build on pull request creation and push.
* If you don't use an integrated CI tool, you have set up the pull request parameters manually; see [#pull-request-analysis](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters#pull-request-analysis "mention") for more details.

See [#prerequisites-for-ci-based-analysis](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/pull-request-analysis#prerequisites-for-ci-based-analysis "mention") for more details.
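The following GitHub Actions workflow is an added example, not part of the SonarQube Cloud documentation: it triggers the analysis on pull request creation and updates as well as on pushes to `main`, fetches the full history so new code in the pull request can be identified, and runs the job with a read-only `GITHUB_TOKEN`. The action name and version (`SonarSource/sonarqube-scan-action@v5`), the `SONAR_TOKEN` secret name and the `<your-organization-key>` / `<your-project-key>` placeholders are assumptions you should replace with your own values.

```yaml
# Added example (not from the SonarQube Cloud docs): analysis workflow for a
# project bound to its GitHub repository, so results reach the pull request
# and the "SonarCloud Code Analysis" check can be required before merging.
name: SonarQube Cloud analysis

on:
  push:
    branches:
      - main
  pull_request:
    # Re-run on every update to the pull request so the check stays current.
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Least privilege: the scan only needs to read the repository contents.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Shallow clones hide the history the scanner needs to compute
          # the new code of a pull request; fetch everything.
          fetch-depth: 0

      # Assumed action name/version; the PR key, branch and base are taken
      # from the GitHub event, so no manual sonar.pullrequest.* parameters.
      - uses: SonarSource/sonarqube-scan-action@v5
        env:
          # Store the SonarQube Cloud token as a repository secret, never in
          # the workflow file (assumed secret name).
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=<your-organization-key>
            -Dsonar.projectKey=<your-project-key>
```

Because the job runs on both `push` and `pull_request`, the bound project receives branch analyses for `main` and pull request analyses for every open PR, which is what the required status check evaluates.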

<details>

<summary>Preventing the pull request merge if the quality gate fails</summary>

SonarQube Cloud adds the quality gate status as a GitHub check. To block pull requests from being merged when the quality gate is failing, define a ruleset (recommended) or a protection rule on your branch.

#### With a branch ruleset <a href="#with-a-branch-ruleset" id="with-a-branch-ruleset"></a>

1. In GitHub, go to your repository **Settings** and select **Rules** > **Rulesets** under **Code and automation**.
2. Create a new branch ruleset (or edit an existing one).
3. In the **Target branches** section, select **Add a target**, and define the name pattern of the branches you want to target. For more information, see the [GitHub documentation](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository).
4. In the **Branch protections** section, select **Require status checks to pass**.
5. In the additional settings, select **Require branches to be up to date before merging**.
6. In **Status checks that are required**, select **Add checks**.
7. Find `SonarCloud Code Analysis` and add it to the list of required checks.

<figure><figcaption>Select Add checks and add SonarCloud Code Analysis</figcaption></figure>

8. Finish creating the ruleset.

#### With a branch protection rule <a href="#with-a-branch-protection-rule" id="with-a-branch-protection-rule"></a>

1. In GitHub, go to your repository **Settings** > **Branches** > **Branch protection rules** and select either the **Add rule** or **Edit** button if you already have a rule on the branch you wish to protect.
2. Complete the **Branch protection rule** form:
   * Define the **Branch name pattern** (the name of the branch you wish to protect).
   * Select **Require status checks to pass before merging** to open supplementary form fields.
   * Select **Require branches to be up to date before merging**. Then, in the **Search for status checks in the last week for this repository** field, find `SonarCloud Code Analysis` and add it to the list of required checks.
3. Finish creating the protection rule.

</details>

<details>

<summary>Disabling the inline annotations</summary>

By default, SonarQube Cloud reports issues on your pull requests as [inline annotations](https://docs.sonarsource.com/sonarqube-cloud/issues/in-devops-platform/github#pull-request-decoration). To disable the annotations:

1. Retrieve your project. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/retrieving-projects "mention") for more details.
2. Go to **Administration** > **General Settings** > **Pull Requests** > **Issue Annotations**.
3. Unselect **Enable Issue Annotations**.

</details>

<details>

<summary>Disabling the analysis summary in the Conversation tab</summary>

By default, SonarQube Cloud shows the analysis summary in both the **Conversation** and the **Checks** tabs of your GitHub pull requests.

To disable the summary in the **Conversation** tab:

1. Retrieve your project. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/retrieving-projects "mention") for more details.
2. Go to **Administration** > **General Settings** > **Pull Requests** > **Integration with GitHub**.
3. Unselect **Enable summary comment**.

</details>

## Reporting security issues in GitHub (GitHub code scanning alerts) <a href="#code-scanning-alerts" id="code-scanning-alerts"></a>

With the [Enterprise plan](https://www.sonarsource.com/plans-and-pricing/sonarcloud/), bound projects can report their security issues inside the GitHub interface itself, as code scanning alerts under the **Security** tab.

<div align="left"><figure><img src="https://2223713658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB4UT2GNiZKjtxFtcFAL7%2Fuploads%2Fgit-blob-4454fcea707b65aebef72c038e6a1fad06461dd5%2F627a05ead3c4def8a9e8b926841d266f700a67fb.png?alt=media" alt="SonarQube Cloud can be enabled to send code scanning alerts to your project in GitHub."><figcaption></figcaption></figure></div>

This feature is part of the [GitHub Advanced Security package](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.

<details>

<summary>Issue status synchronization</summary>

When users change the status of a security issue in the SonarQube interface, the change is immediately reflected in the GitHub interface, and vice versa.

The table below shows the correspondence between SonarQube and GitHub on a status transition. Initially, all vulnerabilities marked **Open** on SonarQube Cloud are marked **Open** on GitHub.

| **On SonarQube Cloud, a transition to** | **results in this on GitHub** |
| --------------------------------------- | ----------------------------- |
| Accept                                  | Won’t fix                     |
| False Positive                          | False positive                |
| Confirm (Deprecated)                    | Open                          |
| Fixed (Deprecated)                      | Open                          |
| Reopen                                  | Open                          |

| **On GitHub, a transition to** | **results in this on SonarQube Cloud** |
| ------------------------------ | -------------------------------------- |
| False positive                 | False Positive                         |
| Used in tests                  | Accept                                 |
| Won’t fix                      | Accept                                 |
| Reopen                         | Open                                   |

</details>

<details>

<summary>Setting up the reporting of security issues</summary>

The feature is only available to bound projects. No additional setup is required.

{% hint style="info" %}
In GitHub, you can [configure access to security alerts for your repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).
{% endhint %}

</details>

## Related pages <a href="#related-pages" id="related-pages"></a>

* [github](https://docs.sonarsource.com/sonarqube-cloud/getting-started/github "mention")
* [importing-github-organization](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-organization/creating-organization/importing-github-organization "mention")
* [setting-up-project](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/administering-your-projects/setting-up-project "mention")
* [github-actions-for-sonarcloud](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/ci-based-analysis/github-actions-for-sonarcloud "mention")
* [setting-permissions](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/administering-your-projects/setting-permissions "mention")
* [changing-binding](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/administering-your-projects/changing-binding "mention")
* [customizing-info-page](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/administering-your-projects/customizing-info-page "mention")
* [deleting-project](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/administering-your-projects/deleting-project "mention")
* [in-devops-platform](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/issues/in-devops-platform "mention")

## Related online learning

* [Configuring code analysis for SonarQube Cloud with GitHub Actions](https://www.sonarsource.com/learn/course/sonarqube-cloud/08b944e7-e0e0-4fa6-90c9-467cdfb47dda/configuring-code-analysis-for-sonarqube-cloud-with-github-actions)
* [Configuring pull request decoration for SonarQube Cloud with GitHub Actions](https://www.sonarsource.com/learn/course/sonarqube-cloud/2b1101c1-91b5-4a30-a0be-cbcccd8c2a61/configuring-pull-request-decoration-for-sonarqube-cloud-with-github-actions)
