Introduction to GitHub integration
SonarQube's integration with GitHub Enterprise and GitHub.com allows you to maintain code quality and security in your GitHub repositories.
With this integration, you'll be able to:
- Authenticate with GitHub: Sign in to SonarQube with your GitHub credentials.
- Import your GitHub repositories: Import your GitHub repositories into SonarQube to easily set up SonarQube projects.
- Analyze projects with GitHub Actions: Integrate analysis into your build pipeline. Starting in Developer Edition, SonarScanners running in GitHub Actions jobs can automatically detect branches or pull requests being built so you don't need to specifically pass them as parameters to the scanner.
- Report your quality gate status to your branches and pull requests (starting in Developer Edition): See your quality gate and code metric results right in GitHub so you know if it's safe to merge your changes.
- Display code scanning alerts for vulnerability issues in GitHub: Display security issues found by SonarQube as code scanning alerts in the GitHub interface: see below.
- Manage your monorepos: Import your monorepo into SonarQube to easily manage the related projects.
If you're using GitHub Enterprise, we recommend using GitHub Enterprise version 3.4+.
Display of SonarQube security alerts in GitHub
Starting in Developer Edition, SonarQube can provide feedback about security issues inside the GitHub interface itself provided the corresponding GitHub repository has been imported into SonarQube. The security issues found by SonarQube will appear in both:
- The SonarQube interface, as part of the displayed analysis results.
- The GitHub interface, as code scanning alerts under the Security tab.
This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.
When you analyze a project in SonarQube, the detected security issues are displayed on the GitHub interface, under your repository's Security > Code scanning alerts tab.
When users change the status of a security issue in the SonarQube interface, that status change is immediately reflected in the GitHub interface. Similarly, if users change an alert status in GitHub, that change is reflected in SonarQube.
Initially, all issues marked Open on SonarQube are marked Open on GitHub. Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions.
| In SonarQube, a transition to: | Results in this On GitHub: |
| Accepted | Dismiss: Won't Fix |
| False Positive | Dismiss: False positive |
| Open | Open |
| On Github, a transition to: | Results in this in SonarQube: |
| Dismiss: False positive | False Positive |
| Dismiss: Used in tests | Accepted |
| Dismiss: Won't fix | Accepted |
Related links
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
