Fetching SonarQube Metrics and Report Links in GitHub Pull Requests and Commits (Using GitHub Actions)
Project Goal
The goal of this project is to integrate SonarQube with GitHub using GitHub Actions. This setup enables developers to automatically fetch and display SonarQube scan results, such as quality gate status and vulnerability reports, directly within GitHub Pull Requests and Commits. It ensures better visibility into code quality early in the development cycle and helps maintain clean, secure code before merging changes.
Project Overview
By integrating SonarQube scans into GitHub workflows:
Developers can see SonarQube quality gate results directly in GitHub without switching contexts.
Comments summarizing code quality and vulnerabilities are automatically added to commits and PRs.
Developers can click the provided links to directly access detailed SonarQube dashboards for deeper analysis.
Let's Get Started.
Step 1: SonarQube Project Creation
Log in to the SonarQube UI.
Projects -> Create Project -> Local Project
Set:
Project Name: Project-1
Project Key: project-name-key (this is the value you will later store as the SONAR_PROJECT_KEY secret)
Branch: main (set the branch accordingly)
Select Global Settings and click on Create.
The project has now been created.
Step 2: Generate a SonarQube Token
Go to: My Account ➔ Security ➔ Generate Token
Create the token and save it. Choose a User token rather than a Project Analysis token: besides running the scan, the workflow reads the quality gate and the issue list through the web API, which analysis-only tokens cannot do. Set an expiration date; the token grants the same access as your account.
Note: SonarQube shows the token only once. Keep it in a password manager or secrets store, not in a plain text file.
The token has now been created and saved.
Step 3: Generate a GitHub Personal Access Token
Log in to GitHub -> click your profile picture (top right) -> Settings -> Developer Settings -> Personal Access Tokens -> Tokens (classic) -> Generate new token.
Add a token name and description, select the repo scope (public_repo is enough for a public repository; the workflow uses it to post commit statuses, commit comments and PR comments), set an expiration, then generate the token and save it.
Note: the token is shown only once, and it acts with your account's permissions on every repository the scope covers, so store it like a password.
If you would rather not manage a long-lived personal token, the job's built-in GITHUB_TOKEN can make the same API calls; it is scoped by the permissions block in the workflow (the commit-comment endpoint additionally needs contents: write).
The GitHub Personal Access Token has now been created.
Step 4: Add GitHub Secrets
In the GitHub repository:
Settings ➔ Secrets and variables ➔ Actions ➔ Secrets tab ➔ New repository secret
Add these secrets:
SONAR_PROJECT_KEY (the SonarQube project key from Step 1, e.g. project-name-key)
SONAR_HOST_URL (your SonarQube server URL, e.g. https://sonar.example.com, without a trailing slash)
SONAR_TOKEN (the SonarQube token from Step 2)
EMAIL_RECIPIENTS (comma-separated email addresses)
GH_TOKEN (the GitHub token from Step 3, used to set commit statuses and comment on commits and PRs)
For each one, enter the secret name and value and save it. Make sure you are on the Secrets tab, not Variables: the workflow references them as secrets.*. GitHub masks secret values in job logs, so the project key and host URL will also be hidden there even though neither is sensitive.
All secrets have now been saved.
Step 5: GitHub Actions Workflow (.github/workflows/sonarqube.yml)
In the GitHub repo, create the file .github/workflows/sonarqube.yml, add the pipeline script below and commit it.
Pipeline Script:
name: SonarQube Analysis with GitHub Status + Commit Comment

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# These permissions scope only the built-in GITHUB_TOKEN (used by checkout). The API calls
# below authenticate with the GH_TOKEN secret, so that PAT's scopes are what actually applies.
# If you switch them to secrets.GITHUB_TOKEN, raise contents to write: the commit-comment
# endpoint requires it.
permissions:
  contents: read
  statuses: write
  pull-requests: write

jobs:
  sonar-scan:
    runs-on: ubuntu-latest
    env:
      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
      GH_REPO: ${{ github.repository }}
      # On pull_request events github.sha is the temporary merge commit, not the branch head.
      # Statuses and comments must target the PR head commit to show up in the PR.
      TARGET_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history lets SonarQube compute new-code metrics and blame

      - name: Install Tools
        run: |
          sudo apt-get update
          sudo apt-get install -y zip curl jq mailutils default-jre wget unzip
          # Download the scanner before unzipping it (this download was missing originally)
          wget -q https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip
          unzip -q sonar-scanner-cli-5.0.1.3006-linux.zip -d /opt
          echo "/opt/sonar-scanner-5.0.1.3006-linux/bin" >> "$GITHUB_PATH"

      - name: Install Node.js dependencies
        run: |
          npm install
          npm run build || echo "Skipping build step..."

      - name: Run SonarQube Scan
        # Secrets are passed through env instead of being expanded into the script body.
        # sonar.qualitygate.wait=true blocks until the server has processed this report, so the
        # next step reads this analysis rather than the previous one. It also makes the scanner
        # exit non-zero on a failed gate, hence continue-on-error so the reporting steps still run.
        continue-on-error: true
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          # sonar.java.binaries is only needed when the repository contains Java sources
          sonar-scanner \
            -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
            -Dsonar.sources=. \
            -Dsonar.java.binaries=target/classes \
            -Dsonar.host.url="$SONAR_HOST_URL" \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.qualitygate.wait=true

      - name: Fetch SonarQube Quality Gate Status
        id: qualitygate
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          # -f makes curl fail on HTTP errors instead of feeding an error page to jq
          REPORT=$(curl -fsS -u "$SONAR_TOKEN:" \
            "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$SONAR_PROJECT_KEY")
          STATUS=$(echo "$REPORT" | jq -r '.projectStatus.status')
          # resolved=false counts only open vulnerabilities, not ones already fixed or accepted
          VULNS=$(curl -fsS -u "$SONAR_TOKEN:" \
            "$SONAR_HOST_URL/api/issues/search?componentKeys=$SONAR_PROJECT_KEY&types=VULNERABILITY&resolved=false" \
            | jq '.total')
          {
            echo "status=$STATUS"
            echo "vulns=$VULNS"
            echo "report_url=$SONAR_HOST_URL/dashboard?id=$SONAR_PROJECT_KEY"
          } >> "$GITHUB_OUTPUT"

      - name: Send Email Report (optional)
        # mailutils only hands the message to a local MTA; a hosted runner has none configured,
        # so treat this step as best-effort unless you set up a relay.
        continue-on-error: true
        env:
          GATE: ${{ steps.qualitygate.outputs.status }}
          VULNS: ${{ steps.qualitygate.outputs.vulns }}
          REPORT_URL: ${{ steps.qualitygate.outputs.report_url }}
          EMAIL_RECIPIENTS: ${{ secrets.EMAIL_RECIPIENTS }}
        run: |
          printf 'SonarQube Quality Gate: %s\nVulnerabilities: %s\nReport: %s\n' \
            "$GATE" "$VULNS" "$REPORT_URL" \
            | mail -s "SonarQube Report: $GATE" "$EMAIL_RECIPIENTS"

      - name: Update Commit Status in GitHub
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          GATE: ${{ steps.qualitygate.outputs.status }}
          VULNS: ${{ steps.qualitygate.outputs.vulns }}
          REPORT_URL: ${{ steps.qualitygate.outputs.report_url }}
        run: |
          if [ "$GATE" = "OK" ]; then STATE=success; else STATE=failure; fi
          # Build the JSON with jq so quotes or newlines in the values cannot break the payload
          jq -n --arg state "$STATE" --arg url "$REPORT_URL" \
                --arg desc "Gate: $GATE, Vulns: $VULNS" \
                '{state: $state, target_url: $url, description: $desc, context: "SonarQube"}' \
            | curl -fsS -X POST \
                -H "Authorization: Bearer $GH_TOKEN" \
                -H "Accept: application/vnd.github+json" \
                -H "Content-Type: application/json" \
                --data-binary @- \
                "https://api.github.com/repos/$GH_REPO/statuses/$TARGET_SHA"

      - name: Comment on Commit
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          GATE: ${{ steps.qualitygate.outputs.status }}
          VULNS: ${{ steps.qualitygate.outputs.vulns }}
          REPORT_URL: ${{ steps.qualitygate.outputs.report_url }}
        run: |
          if [ "$GATE" = "OK" ]; then ICON="✅"; else ICON="❌"; fi
          BODY=$(printf '🔍 SonarQube Scan Result\n%s Quality Gate: %s\n🛡️ Vulnerabilities: %s\n🔗 [View Report](%s)' \
            "$ICON" "$GATE" "$VULNS" "$REPORT_URL")
          jq -n --arg body "$BODY" '{body: $body}' \
            | curl -fsS -X POST \
                -H "Authorization: Bearer $GH_TOKEN" \
                -H "Accept: application/vnd.github+json" \
                -H "Content-Type: application/json" \
                --data-binary @- \
                "https://api.github.com/repos/$GH_REPO/commits/$TARGET_SHA/comments"

      - name: Comment on Pull Request (if PR)
        if: github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GATE: ${{ steps.qualitygate.outputs.status }}
          VULNS: ${{ steps.qualitygate.outputs.vulns }}
          REPORT_URL: ${{ steps.qualitygate.outputs.report_url }}
        run: |
          if [ "$GATE" = "OK" ]; then ICON="✅"; else ICON="❌"; fi
          BODY=$(printf '🔍 SonarQube PR Scan Summary\n%s Quality Gate: %s\n🛡️ Vulnerabilities: %s\n🔗 [View Report](%s)' \
            "$ICON" "$GATE" "$VULNS" "$REPORT_URL")
          jq -n --arg body "$BODY" '{body: $body}' \
            | curl -fsS -X POST \
                -H "Authorization: Bearer $GH_TOKEN" \
                -H "Accept: application/vnd.github+json" \
                -H "Content-Type: application/json" \
                --data-binary @- \
                "https://api.github.com/repos/$GH_REPO/issues/$PR_NUMBER/comments"

      - name: Fail the job when the quality gate is not OK
        # Because the scan step uses continue-on-error, the job would otherwise stay green on a
        # failed gate; failing here lets branch protection block the merge.
        if: steps.qualitygate.outputs.status != 'OK'
        env:
          GATE: ${{ steps.qualitygate.outputs.status }}
        run: |
          echo "Quality gate status: $GATE"
          exit 1
After committing the script, go to Actions and check the pipeline status.
Pipeline status is Successful.
Log in to SonarQube and go to the project.
The SonarQube analysis is successful and the report is visible on the SonarQube dashboard.
Now let's check the SonarQube report and status in the GitHub Commits and Pull Request sections.
The SonarQube details appear in the Commits section.
When you create a pull request, the pipeline triggers automatically, runs the SonarQube analysis and, once it finishes, adds a comment to the PR with the SonarQube report summary and link. Note that GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so for those PRs the scan step will fail to authenticate; this only works as described for branches in the same repository.
Now developers can view the SonarQube details directly in GitHub in the Commits and PR sections, and open the full SonarQube dashboard from the link provided in the comment.
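As an added example (not code from the original article), the Python script below does what the workflow's "Fetch SonarQube Quality Gate Status", "Update Commit Status" and "Comment" steps do with curl and jq, and adds what those steps leave out: it lists which quality-gate conditions failed, maps a NONE or unknown gate status to the GitHub "error" state instead of silently treating it like a pass, and trims the commit-status description to GitHub's 140-character limit. The two sample responses embedded in it are constructed to match the shape of the /api/qualitygates/project_status and /api/issues/search responses and are not real scan output; the sonar.example.com URL is a placeholder. The fetch functions use the same token-as-username basic auth as curl -u TOKEN: and are only called when the script is run as a program inside the workflow.

```python
"""Turn SonarQube API responses into a GitHub commit status and a PR/commit comment.

Added example for the article's workflow, not the article's own code. The sample
responses are constructed to mirror /api/qualitygates/project_status and
/api/issues/search; they are not real scan output.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample responses (not real SonarQube output) so the parsing runs offline.
SAMPLE_PROJECT_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "91.2"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "4"},
        ],
    }
}
SAMPLE_ISSUES = {"total": 3, "p": 1, "ps": 100, "issues": []}


def api_get(host_url, token, path, params):
    """GET a SonarQube web-API endpoint with token-as-username basic auth (same as curl -u TOKEN:)."""
    url = f"{host_url.rstrip('/')}/api/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_summary(host_url, token, project_key):
    """Fetch the quality-gate status and the count of open vulnerabilities for a project."""
    gate = api_get(host_url, token, "qualitygates/project_status", {"projectKey": project_key})
    # resolved=false: only open vulnerabilities; ps=1 keeps the payload small since only .total is used
    issues = api_get(host_url, token, "issues/search",
                     {"componentKeys": project_key, "types": "VULNERABILITY",
                      "resolved": "false", "ps": 1})
    return gate, issues


def gate_status(project_status):
    """Quality-gate status: OK, ERROR, or NONE when the project has never been analysed."""
    return project_status.get("projectStatus", {}).get("status", "NONE")


def commit_state(status):
    """Map the gate status to a GitHub commit-status state. Anything other than OK/ERROR
    (NONE, or a value this code does not know) becomes 'error' so that a missing or
    unreadable analysis is never reported as green."""
    return {"OK": "success", "ERROR": "failure"}.get(status, "error")


def failed_conditions(project_status):
    """(metric, comparator, threshold, actual) for every gate condition that is not OK."""
    return [
        (c["metricKey"], c.get("comparator", ""), c.get("errorThreshold", ""), c.get("actualValue", ""))
        for c in project_status.get("projectStatus", {}).get("conditions", [])
        if c.get("status") != "OK"
    ]


def open_vulnerabilities(issues):
    return int(issues.get("total", 0))


def build_comment(project_status, issues, report_url):
    """Markdown body for the commit/PR comment, listing which gate conditions failed."""
    status = gate_status(project_status)
    icon = "✅" if status == "OK" else "❌"
    lines = [
        "🔍 SonarQube Scan Result",
        f"{icon} Quality Gate: {status}",
        f"🛡️ Vulnerabilities: {open_vulnerabilities(issues)}",
    ]
    for metric, comparator, threshold, actual in failed_conditions(project_status):
        lines.append(f"- {metric}: {actual} (fails when {comparator} {threshold})")
    lines.append(f"🔗 [View Report]({report_url})")
    return "\n".join(lines)


def status_payload(project_status, issues, report_url):
    """JSON body for POST /repos/{owner}/{repo}/statuses/{sha}."""
    status = gate_status(project_status)
    description = f"Gate: {status}, Vulns: {open_vulnerabilities(issues)}"
    return {
        "state": commit_state(status),
        "target_url": report_url,
        "description": description[:140],  # GitHub rejects descriptions longer than 140 characters
        "context": "SonarQube",
    }


if __name__ == "__main__":
    # Inside the workflow, reads the same secrets the curl version uses from the environment.
    host, token, key = (os.environ[k] for k in ("SONAR_HOST_URL", "SONAR_TOKEN", "SONAR_PROJECT_KEY"))
    gate, issues = fetch_summary(host, token, key)
    url = f"{host.rstrip('/')}/dashboard?id={urllib.parse.quote(key)}"
    print(json.dumps(status_payload(gate, issues, url)))
    print(build_comment(gate, issues, url))
```

Run as a step with SONAR_HOST_URL, SONAR_TOKEN and SONAR_PROJECT_KEY in the step's env; the first printed line is the commit-status JSON and the rest is the comment body, so the curl calls in the workflow can consume them unchanged. Keeping the parsing in plain functions also means the mapping from gate status to commit state can be unit-tested without a SonarQube server.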