
Setting up GitHub integration features at the project level


Reporting your quality gate status in GitHub

On SonarQube projects bound to a GitHub repository (that is, projects imported from GitHub), SonarQube automatically reports your quality gate status and analysis metrics to your GitHub pull requests; no further setup is needed.

If you're creating your projects manually or adding quality gate reporting to an existing project, see the following section.

Reporting your quality gate status in manually created or existing projects

SonarQube can also report your quality gate status to GitHub pull requests and branches for existing and manually created projects. After you've created and installed your GitHub App and updated your global DevOps Platform Integration settings, as described in Importing your GitHub repositories into SonarQube, set the following project settings at Project Settings > General Settings > DevOps Platform Integration:

  • Configuration name: The name of the global GitHub configuration that corresponds to your GitHub instance.
  • Repository identifier: The path of your repository URL, in the form <organization>/<repository> (for example, example-org/example-repo).
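The same two project settings can be applied without the UI, which is useful when binding many existing projects. The following is an added example, not SonarQube's own code: it assumes a SonarQube 10.x instance whose Web API exposes POST api/alm_settings/set_github_binding (verify the parameters under Administration > Web API on your instance), and the hostname, token, project key and configuration name are placeholders. It also derives the repository identifier from a full repository URL, since that is the mistake most often made when filling this setting by hand.

```python
"""Bind an existing SonarQube project to its GitHub repository via the Web API.

Added example, not SonarQube's own code. Assumes a SonarQube 10.x Web API
exposing POST api/alm_settings/set_github_binding; SONAR_URL, SONAR_TOKEN and
the keys used in __main__ are placeholders.
"""
import base64
import os
import urllib.parse
import urllib.request

SONAR_URL = os.environ.get("SONAR_URL", "https://sonarqube.example.com")  # placeholder
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")  # user token with Administer permission on the project


def repository_identifier(repository_or_url):
    """Return '<owner>/<repo>' from either that form or a full GitHub repository URL.

    The 'Repository identifier' setting wants the path of the repository URL,
    not the URL itself and not a deeper path such as '/pull/12'.
    """
    path = repository_or_url
    if "://" in path:
        path = urllib.parse.urlparse(path).path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    owner, sep, name = path.partition("/")
    if not sep or not owner or not name or "/" in name:
        raise ValueError("expected '<owner>/<repo>', got %r" % repository_or_url)
    return f"{owner}/{name}"


def github_binding_params(project_key, configuration_name, repository,
                          summary_comment=True, monorepo=False):
    """Build the form parameters for set_github_binding.

    configuration_name is the key of the global GitHub configuration (shown as
    'Configuration name' in the UI); summary_comment maps to the 'Enable
    analysis summary under the GitHub Conversation tab' setting.
    """
    return {
        "project": project_key,
        "almSetting": configuration_name,
        "repository": repository_identifier(repository),
        "summaryCommentEnabled": "true" if summary_comment else "false",
        "monorepo": "true" if monorepo else "false",
    }


def bind_project(params, url=SONAR_URL, token=SONAR_TOKEN):
    """POST the binding. SonarQube accepts a token as the Basic-auth user name with an empty password."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url.rstrip("/") + "/api/alm_settings/set_github_binding",
                                 data=body, method="POST")
    cred = base64.b64encode((token + ":").encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 204 No Content on success


if __name__ == "__main__":
    # Placeholder project key, configuration name and repository URL.
    params = github_binding_params("my-project", "GitHub",
                                   "https://github.com/example-org/example-repo.git")
    print(params)
    print(bind_project(params))
```

The token must belong to a user with Administer permission on the project; keep it out of the command line and in an environment variable or secret store, as shown.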

Showing your analysis summary under the GitHub Conversation tab

Make sure that Enable analysis summary under the GitHub Conversation tab in Project settings > General settings > Pull Request Decoration is on for your project (the default). If it is, your pull request analysis summary is shown under both the Conversation and Checks tabs in GitHub. When it is off, the summary is shown only under the Checks tab.

Preventing pull request merges when the quality gate fails

In GitHub, you can block a pull request from being merged while it fails the quality gate. To do this:

  1. In GitHub, go to your repository's Settings > Branches > Branch protection rules and select Add rule, or Edit if you already have a rule on the branch you wish to protect.
  2. Complete the Branch protection rule form:
    • Define the Branch name pattern (the name of the branch you wish to protect).
    • Select Require status checks to pass before merging to open the supplementary form fields.
    • Optionally select Require branches to be up to date before merging.
    • In the Search for status checks in the last week for this repository field, find SonarQube Code Analysis and add it to the list of required checks.

The SonarQube Code Analysis check only appears in that search once SonarQube has reported it on the repository within the last week, so run at least one pull request analysis first. Also note that required status checks do not stop repository administrators from merging unless you additionally select Do not allow bypassing the above settings in the same rule.
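The same rule can be created or audited through the GitHub REST API, which is the practical route when many repositories must require the SonarQube check. The following is an added example, not code from SonarQube or GitHub: it uses PUT /repos/{owner}/{repo}/branches/{branch}/protection and GET .../protection/required_status_checks as documented by GitHub, and the owner, repository, branch, token and app id are placeholders. It also makes two points the UI procedure hides: the PUT replaces the whole rule (passing null disables reviews and push restrictions, so merge your existing settings in first), and a check required by name alone is satisfied by any app or user with write access that reports a check of that name, so pin it to the SonarQube GitHub App's id when you can.

```python
"""Require the SonarQube status check in a GitHub branch protection rule.

Added example, not SonarQube's or GitHub's code. Uses the GitHub REST API
branch-protection endpoints; GITHUB_TOKEN, the owner/repo/branch and app id
passed in __main__ are placeholders.
"""
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"
GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN", "")  # token with repository administration rights
SONARQUBE_CHECK = "SonarQube Code Analysis"  # check name reported by the SonarQube GitHub App


def branch_protection_payload(check_name=SONARQUBE_CHECK, app_id=None, strict=True):
    """Body for PUT .../protection that requires check_name before merging.

    All four top-level keys are mandatory for this endpoint and the PUT
    replaces the existing rule: null here DISABLES required reviews and push
    restrictions. If app_id is given, the check is pinned to that GitHub App;
    otherwise any app or user with write access reporting a check called
    check_name satisfies the rule.
    """
    check = {"context": check_name}
    if app_id is not None:
        check["app_id"] = int(app_id)
    return {
        "required_status_checks": {"strict": strict, "checks": [check]},
        "enforce_admins": True,  # equivalent of "Do not allow bypassing the above settings"
        "required_pull_request_reviews": None,
        "restrictions": None,
    }


def missing_required_check(required_status_checks, check_name=SONARQUBE_CHECK):
    """Given the JSON from GET .../protection/required_status_checks, report
    whether check_name is absent from the required checks (old 'contexts'
    list or newer 'checks' list)."""
    names = set(required_status_checks.get("contexts") or [])
    names.update(c.get("context") for c in required_status_checks.get("checks") or [])
    return check_name not in names


def _request(method, path, body=None, token=GITHUB_TOKEN):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GITHUB_API + path, data=data, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def require_sonarqube_check(owner, repo, branch="main", app_id=None):
    """Apply the rule, then read it back and confirm the check is required."""
    path = f"/repos/{owner}/{repo}/branches/{branch}/protection"
    _request("PUT", path, branch_protection_payload(app_id=app_id))
    current = _request("GET", path + "/required_status_checks")
    return not missing_required_check(current)


if __name__ == "__main__":
    # Placeholder owner, repository and GitHub App id.
    print(require_sonarqube_check("example-org", "example-repo", "main", app_id=None))
```

Run the GET half alone (missing_required_check over each repository's required_status_checks) as a periodic audit: a branch where the SonarQube check has been removed from the rule merges failing pull requests silently.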

Setting up the display of SonarQube security alerts in GitHub

Starting in Developer Edition, SonarQube can provide feedback about security issues inside the GitHub interface itself provided the corresponding GitHub repository has been imported into SonarQube. The security issues found by SonarQube will appear in both:

  • The SonarQube interface, as part of the displayed analysis results.
  • The GitHub interface, as code scanning alerts under the Security tab.

Once you've enabled this feature, test it by running a SonarQube analysis.

Feature Overview

When you analyze a project in SonarQube, the detected security issues are displayed on the GitHub interface, under your repository's Security > Code scanning alerts tab. 

Select View alerts to see the full list.

When you change the status of a security vulnerability in the SonarQube interface, that status change is immediately reflected in the GitHub interface. Similarly, if you change an issue status in GitHub, that change is reflected in SonarQube.

Initially, all issues marked Open in SonarQube are marked Open in GitHub. Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions.

In SonarQube, a transition to:    Results in this on GitHub:
  Confirm (deprecated)              Open
  Fixed                             Open
  Accept                            Dismiss: Won't fix
  False Positive                    Dismiss: False positive
  Open                              Open

On GitHub, a transition to:       Results in this in SonarQube:
  Dismiss: False positive           False Positive
  Dismiss: Used in tests            Accept
  Dismiss: Won't fix                Accept

Setting up the feature

Enabling the feature in your SonarQube project

Ask your administrator to provide you with the secret of the webhook configured in the GitHub App used for SonarQube integration.

Proceed as follows:

  1. In your SonarQube project page, go to Project settings > General settings > DevOps Platform Integration > GitHub.
  2. Click on your GitHub App and select Edit.
  3. Enter the webhook secret defined in your GitHub App. SonarQube uses it to authenticate the webhook deliveries GitHub sends when an alert status changes, so it must match the App's secret exactly and should be handled as a credential.
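To see what the secret protects, the following added example, which is neither SonarQube's nor GitHub's code, reproduces the signature scheme GitHub documents for webhook deliveries: the X-Hub-Signature-256 header carries "sha256=" followed by the hex HMAC-SHA256 of the raw request body under the App's webhook secret, and a receiver must verify it in constant time before acting on the payload. The secret and the sample code scanning alert payload are constructed for the example; how SonarQube performs this check internally is not shown.

```python
"""Verify a GitHub webhook delivery against the GitHub App's webhook secret.

Added example, not SonarQube's or GitHub's code. Implements the documented
GitHub scheme: X-Hub-Signature-256 = "sha256=" + hex(HMAC-SHA256(secret, body)).
WEBHOOK_SECRET and SAMPLE_BODY are constructed placeholders.
"""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"replace-with-the-secret-from-your-github-app"  # placeholder

# Constructed sample delivery: an alert dismissed in GitHub, the direction in
# which a forged delivery could flip an issue to Accept in SonarQube.
SAMPLE_BODY = json.dumps({
    "action": "closed_by_user",
    "alert": {"number": 42, "dismissed_reason": "won't fix"},
    "repository": {"full_name": "example-org/example-repo"},
}, separators=(",", ":")).encode()


def sign_body(secret, body):
    """Compute the header value GitHub would send for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_delivery(secret, body, signature_header):
    """True only if the header matches the HMAC of the exact raw body.

    The comparison is constant-time; the body is the raw bytes as received,
    never a re-serialised JSON object, since any whitespace change breaks it.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def handle_delivery(secret, headers, body):
    """Parse and return the event only when the signature verifies; else None."""
    if not verify_delivery(secret, body, headers.get("X-Hub-Signature-256")):
        return None
    return json.loads(body)


if __name__ == "__main__":
    sig = sign_body(WEBHOOK_SECRET, SAMPLE_BODY)
    print(handle_delivery(WEBHOOK_SECRET, {"X-Hub-Signature-256": sig}, SAMPLE_BODY))
    print(handle_delivery(b"wrong-secret", {"X-Hub-Signature-256": sig}, SAMPLE_BODY))
```

A mismatched secret on the SonarQube side therefore rejects every delivery, which shows up as GitHub-side dismissals never reaching SonarQube; a leaked secret lets anyone who can reach the SonarQube webhook endpoint forge those dismissals.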

Managing user access to security alerts in GitHub

In GitHub, who can view and dismiss a repository's code scanning alerts is governed by repository permissions and by the repository's security and analysis settings, where the security features themselves are enabled and disabled. Because alert status is synchronized in both directions, anyone permitted to dismiss an alert in GitHub also changes the corresponding issue's status in SonarQube, so grant that permission as deliberately as you would grant Administer Issues in SonarQube.




© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License