How to Manage Code Quality with SonarQube and GitHub Actions

Written By

Anthony Neto


In the ever-evolving world of Software Development, maintaining high-quality code can be a challenging task. However, code quality tools like SonarQube and GitHub Actions, come in handy in this complex scenario. 

When combined, SonarQube and GitHub Actions form a robust infrastructure that promotes code quality and efficient workflow practices. This integration empowers Developers by:

  • Automating code reviews
  • Identifying areas for improvement
  • Streamlining the code deployment process

In fact, they are transforming the way Developers approach code quality and workflow efficiency. 

Table of Contents

What is SonarQube

      SonarQube and Code Quality

      SonarQube Installation Overview

What is GitHub Actions?

How to Install and Run SonarQube and GitHub Actions to Optimize Code Quality

      SonarQube Installation Guide

      Performing Static Code Analysis

      Integrating SonarQube with GitHub Actions

      Setting up GitHub Actions forr code quality maintenance

      Interpreting SonarQube's Results
Benefits of SonarQube-Github Actions Integration for Code Quality Management

What is SonarQube

SonarQube is an open-source platform that provides continuous code quality inspection and performs automatic reviews. It highlights bugs, detects security vulnerabilities, and identifies code smells in over 20 programming languages. 

SonarQube and Code Quality

SonarQube offers a holistic and detailed view of your application's health status. It points out what components of your code need to be fixed and offers suggestions for improvement to make your code more secure and efficient. Consequently, with SonarQube, you can see where the problems are exactly and how to fix them.

Additionally, SonarQube not only flags the issues after scanning the code but also prioritizes the issues based on their impact and ease of correction. This aspect makes SonarQube an effective code quality tool to help you or your teams plan the time and effort needed to maintain code quality effectively.

SonarQube Installation Overview 

SonarQube installation is a relatively straightforward process, although the steps involved may vary depending on your Operating System(OS) and Development environment. But, before we dive deeper into how to install Sonarqube, it's worth noting that this code quality tool offers three different editions, each tailored to different development needs:

  • Community Edition: This is SonarQube’s free version, which provides the basic capabilities for code quality management. It is ideal for small teams or individual developers who are just getting started with SonarQube.
  • Developer Edition: This version offers more advanced features, including branch analysis and integration with popular IDEs. It is designed for professional Development teams seeking enhanced code quality management features.
  • Enterprise Edition: As the most feature-rich version, the Enterprise Edition provides features like security reports, portfolio management, and support for large Development teams. This edition is geared towards large organizations with extensive codebases and advanced code quality control needs.

In addition to the Community, Developer, and Enterprise editions, SonarQube also offers a Cloud-based version known as SonarCloud. SonarCloud provides the convenience and flexibility of a Cloud-based solution, eliminating the need for any type of installation or server maintenance.

Essentially, SonarCloud is designed specifically for teams and organizations that are leveraging Cloud technologies and are interested in a 'Software-as-a-Service' (SaaS) model. It offers automated code review and quality testing capabilities, similar to its on-premise counterparts.

However, its distinct advantage lies in the fact that it allows Developers to focus on their code, while the platform takes care of running the analyses and maintaining the service.

Therefore, for teams looking for an efficient, scalable, and maintenance-free tool to maintain their code quality, SonarCloud presents an excellent option.

To try it out, use this Sonarqube installation guide available on their official website. 

What is GitHub Actions?

GitHub Actions is a robust CI/CD solution that enables Developers to automate their software development workflows. This includes everything from performing routine tasks like code compilation and Unit Testing, all the way to deploying applications onto production servers. This is crucial, especially, in the rapidly changing landscape of Software Development, where automation and efficient workflows have become paramount. 

The ability to automate these tasks can result in significant time and resource savings, allowing teams to focus on the core Development work rather than getting bogged down in routine processes.

Nonetheless, the versatility of GitHub Actions extends beyond just CI/CD. It offers a flexible platform where workflows can be tailored to any event that occurs within a GitHub repository, such as pull requests or issue comments. This makes it an extremely powerful tool for automating a wide range of tasks, extending to not only software builds and tests, but also Project Management and coordination activities.

Moreover, with GitHub Actions, you can build and test your applications across multiple platforms and languages. This cross-platform support ensures that applications work seamlessly across different Operating Systems and environments.

How to Install and Run SonarQube and GitHub Actions to Optimize Code Quality

SonarQube Installation Guide

The installation process for each of the SonarQube editions we mentioned above is similar, with the main difference being the licensing requirements for the Developer and Enterprise editions. For this guide, we used Sonar Community in a Docker container.

In this example, we used a server on AWS EC2 with Docker engine installed, with 2vcpu and 4GB of RAM, and 8GB of disk. However, you can use a provider with free credits, for example:

Follow Docker-Compose to facilitate your study lab:

version: "3"

image: sonarqube
- "9000:9000"
- sonarnet
- SONARQUBE_JDBC_URL=jdbc:postgresql://db:5432/sonar
- sonarqube_conf:/opt/sonarqube/conf
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins

image: postgres
- sonarnet
- postgresql:/var/lib/postgresql
- postgresql_data:/var/lib/postgresql/data

driver: bridge


Now, execute:

      $ docker-compose up -d

In a few seconds, try to access your public IP, remember that this compose is configured on port 9000 to access the SonarQube console, but you can change it if you need. If everything worked well,  you’ll see this screen:

SonarQube Boot Load Interface

Sonarqube Boot Complete Interface

Here, the default access is admin/admin:

Sonarqube login page

As good practice, the platform requires you to update your password;

Sonarqube update password interface

Performing Static Code Analysis

With SonarQube installed and set up, the next step is to perform static code analysis. This analysis allows you to identify code quality and security problems. By default, SonarQube has pre-configured check rules already, which speeds up your work significantly. However, you can change them if the need arises.

 In this case, we are working with Python, so we look at Python rules;

Sonarqube Python Rules Definition Interface
Sonarqube Python Rules definition interface

It is possible to create your own check profiles, or even your quality gates with custom rules 100% tailored for your scenario.

Below is an image of the results of once the analysis is complete;

Sonarqube custom rules analysis results interface

Integrating SonarQube with GitHub Actions

Integrating SonarQube with GitHub Actions facilitates the execution of automatic code analysis at each push or pull request. This helps you to ensure code quality throughout the software life cycle. See how to do this below:

Step 1; As there is no project, the platform presents you with a quick way to get started. Select to start "Manually":

sonarqube integration with GitHub Actions Get Started Interface

Step 2;  Let's use the TODO app for this example;

sonarqube-githubactions integration project interface

It is very important to define the branch in which you are working.

Step 3; Next, let's follow this first moment with the global configuration, because it's just an example, but you can choose models of checks.

Sonarqube clean as yoou code configuration interface

Step 4; Now, go to the integration with Github Actions by simply clicking on the box labeled “GitHub Actions.”

integrating sonarqube with github actions interface

Important information for integration will be provided, such as the creation of Secrets for this connection. Note that the creation of the access token to SonarQube will be required as well.

sonarqube-githubactions project token generation interface

Step 6; Continuing with the integration, you’ll need to pick the language you’ll check. In In this example we use Python, so we chose the last option.

sonarqube githubactions choose language framework interface

When choosing the programming language, the platform shows the steps to be configured in GitHub Actions. It is necessary to add a file in the root of the project under the name "sonar-project-properties."

sonarqube githubactions integration project properties interface

Setting up Github Actions for Code Quality Maintenance

Creating a workflow

With GitHub Actions set up, now we can create our first workflow. But where do you start?

Like SonarQube, GitHub Actions also requires an initial setup. This setup may vary depending on your project's needs.

Browse to your repo and fork it. 

Go to the “Settings” menu;

GitHub Actions Settings Menu

Now, we will create SONAR_TOKEN and SONAR_HOST_URL

After creating the secrets, go to the Actions Menu;

Github Actions Workflow Menu
Github actions choose a workflow interface

Copy and paste the script of SonarQube’s suggestion;

Sonarqube-githubactions integration script suggestion

Choose the name of your workflow and commit changes;

Congratulations if you made it this far because we were able to integrate SonarQube with GitHub Actions.  

However, we are not done yet.

Interpreting SonarQube's Results

The analysis results provided by SonarQube are comprehensive and offer a clear view of the problems existing in our code. But how do you interpret all this data?

In the project summary on SonarQube’s dashboard, you’ll see a brief summary of your project.

sonarqube project summary dashboard

Accessing the details of the projects, we have the main topics analyzed by Sonar, such as:

  • Bugs 
  • Vulnerabilities 
  • Test Coverage 
  • Code Smell
  • Duplicate Lines
  • Number of Lines
  • The latest code updates in the project, and if there were more lines of code added.
Code quality optimization project summary interface example

Browsing each topic, you can have more details of what is being analyzed:

sonarqube code quality improvement suggestions interface example

Something very cool is that in several cases SonarQube indicates a possible solution to adjust your code based on several best practice standards.

sonarqube code quality compliant solution interface

Benefits Code Quality Management with Sonarqube and GitHub Actions

The integration of SonarQube and GitHub Actions offers a wealth of advantages that transcend beyond the realms of time-saving and enhanced code quality, encapsulating facets of software security and team productivity as well.

At its core, this integration creates a powerful synergy that streamlines the code review process. SonarQube's robust code analysis combined with Github Actions' automation capabilities provides continuous feedback on code quality.

This immediate feedback allows Developers to pinpoint and rectify coding errors, security vulnerabilities, and code smells promptly, mitigating the risk of these issues progressing into the later stages of the Software Development Lifecycle (SDLC), where they are more complex and costly to resolve.

Beyond code quality and security, this integration also fosters team productivity. By automating code reviews, Developers are free to focus their attention and creative prowess on coding, innovating, and problem-solving, rather than getting mired in the minutiae of manual code inspections. 

Furthermore, SonarQube’s clear visualizations and actionable insights make it easier for team members to understand the code quality status quickly, promoting transparency and effective communication within the team.

In essence, integrating SonarQube and GitHub Actions cultivates a culture of continuous improvement, driving higher code quality, enhanced security, and increased team productivity.

Below is a tabular comparison of the benefits of integrating SonarQube with GitHub Actions for code quality management. 

Teams Using SonarQube and Github Actions Teams Not Using Sonarqube and GitHub Actions
Code Quality Improved with regular automated checks. May be lower due to the lack of continous checks
Productivity Increased due to automated processes. Could be lower due to manual processes.
Security Enhanced through regular security vulnerability detection. Potentially less secure without automated security checks.
Workflow Efficiency Improved with automation and streamlined workflows. May be less efficient without automation.
Learning Curve Requires time to learn and implement tools. No time spent on learning new tools.


SonarQube's integration with GitHub Actions represents a transformative change in the field of Software Development.

Together, these tools form a powerful alliance, offering a set of features that boost code quality, tighten security, and improve overall workflow efficiency.

SonarQube's prowess at continuous code inspection, coupled with GitHub Actions' proficiency at workflow automation, creates a dynamic platform where code is not just written, but continually evaluated and improved.

This symbiotic relationship ensures that code quality is not a one-off checkpoint, but a constant element of the Development process.

Furthermore, the heightened security measures facilitated by SonarQube's vigilant vulnerability detection bring a new level of protection to the development environment.

This vigilance, when combined with the flexible event-driven automation offered by GitHub Actions, leads to robust and secure CI/CD pipelines.

You may also be interested in:

Docker vs Containerd: A Detailed Comparison

Best AI Programming Languages: A Review of the Top 10

How to Install Checkov for IaC Scanning: The Complete Guide

How to Run a Container on AWS ECS: A Step-by-Step Guide

Testing Code: Types and Benefits for Software Development

Top Tips for Successful Nearshore Software Development

AWS vs Azure: Which is Better for Cloud Computing

Bluelight Consulting is a nearshore DevOps & Software Outsourcing company that helps startups, SaaS, and enterprises with cutting-edge solutions.

More cost-effective than hiring in-house, with Nearshore Boost, our nearshore software development service, you can ensure your business stays competitive with an expanded team and a bigger global presence, you can be flexible as you respond to your customers’ needs.

Learn more about our services by booking a free consultation with us today!

Let us solve your business’ biggest challenges

Book a free Consultation
Save 50+ hours of project time per developer on interviewing.
Tell us the skills you need and we'll find the best developer for your needs in days, not weeks.

Discuss your project with us today!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.