Skip to content
Latchkey

Adding SonarQube and SonarCloud to GitHub Actions

Wire SonarCloud static analysis into CI and fail the build when the quality gate is red.

SonarCloud (hosted) and SonarQube (self-hosted) both run the same scanner. In GitHub Actions you point the official action at your project, pass a SONAR_TOKEN, and optionally block the build on the quality gate. Coverage import requires generating a report first so Sonar can read it.

What you need

  • A SONAR_TOKEN secret from SonarCloud (or your SonarQube server).
  • A sonar-project.properties file or projectKey/organization inputs.
  • For coverage: a generated report (lcov, coverage.xml) referenced in your Sonar config.

The workflow

Use the official scan action. Disable shallow clone so blame data is accurate.

.github/workflows/ci.yml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0

- uses: SonarSource/sonarqube-scan-action@v4
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: https://sonarcloud.io

Enforce the gate

Add a gate check that fails the job when the quality gate is not passed.

.github/workflows/ci.yml
- uses: SonarSource/sonarqube-quality-gate-action@v1
  timeout-minutes: 5
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Common gotchas

  • fetch-depth: 0 is required, otherwise new-code detection and blame are wrong.
  • Coverage shows 0% unless your report path is set in sonar-project.properties before the scan.
  • The quality gate action waits on the server, so it can hang - always set timeout-minutes.

Key takeaways

  • Use sonarqube-scan-action with SONAR_TOKEN and a full clone (fetch-depth: 0).
  • Generate coverage before the scan and point Sonar at the report.
  • Add the quality-gate-action to actually block merges.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →