Skip to main content

Sonarqube - Code quality and security scanning

Sonarqube scanning

SonarQube is a code analyzer used for major programming languages. sonarqube run in our EKS “manager” looking for problems in source repositories, such as duplicated code, non-compliance with coding standards, lack of unit tests, over-complex code, and other issues.

Sonarqube scan all repositories

Sonarqube runs via a concourse job, and scans the github repositories mentioned in the “” namespace annotations.

Sonarqube Github Action

We have implemented a Github Action for some of cloud-platform repositories to initiate an automated scan of any branch, where a PR is created. If this scan fails, it will block the PR from being able to merge into Main.


Two Github secrets are required to be added to each repo using the GHA:

  • SONAR_URL - The sonarqube URL
  • SONAR_TOKEN - A token created using the admin account for access.

Github Action

name: Run sonar scanner

    types: [opened, edited, reopened, synchronize]

    name: Sonarqube Scan 
    runs-on: ubuntu-latest

      - name: Setup sonarqube
        uses: warchant/setup-sonar-scanner@v3

      - name: Checkout Code
        uses: actions/checkout@v2

      - name: Run sonar scanner
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # to get access to secrets.SONAR_TOKEN, provide GITHUB_TOKEN
        run: sonar-scanner
${{ secrets.SONAR_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.projectKey=${{ github.repository }}:${{ github.head_ref }}
  • The GHA pulls the branch where the PR is created from
  • Creates a project within sonarqube
  • Runs a scan of the branch from within the project
  • Feeds back the result to Github with a pass or fail.${{ secrets.SONAR_URL }}
This is the Sonarqube URL -

-Dsonar.login=${{ secrets.SONAR_TOKEN }}
Token required for access to Sonarqube.

-Dsonar.projectKey=${{ github.repository }}:${{ github.head_ref }}
A unique project key is required for Sonarqube to create a project for each branch - ministryofjustice/reponame:branch

This page was last reviewed on 20 September 2021. It needs to be reviewed again on 20 December 2021 by the page owner #cloud-platform .
This page was set to be reviewed before 20 December 2021 by the page owner #cloud-platform. This might mean the content is out of date.