Adding SonarQube and SonarCloud to GitHub Actions
Wire SonarCloud static analysis into CI and fail the build when the quality gate is red.
SonarCloud (hosted) and SonarQube (self-hosted) both run the same scanner. In GitHub Actions you point the official action at your project, pass a SONAR_TOKEN, and optionally block the build on the quality gate. Coverage import requires generating a report first so Sonar can read it.
What you need
- A SONAR_TOKEN secret from SonarCloud (or your SonarQube server).
- A sonar-project.properties file or projectKey/organization inputs.
- For coverage: a generated report (lcov, coverage.xml) referenced in your Sonar config.
The workflow
Use the official scan action. Disable shallow clone so blame data is accurate.
.github/workflows/ci.yml
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: SonarSource/sonarqube-scan-action@v4
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: https://sonarcloud.ioEnforce the gate
Add a gate check that fails the job when the quality gate is not passed.
.github/workflows/ci.yml
- uses: SonarSource/sonarqube-quality-gate-action@v1
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}Common gotchas
- fetch-depth: 0 is required, otherwise new-code detection and blame are wrong.
- Coverage shows 0% unless your report path is set in sonar-project.properties before the scan.
- The quality gate action waits on the server, so it can hang - always set timeout-minutes.
Key takeaways
- Use sonarqube-scan-action with SONAR_TOKEN and a full clone (fetch-depth: 0).
- Generate coverage before the scan and point Sonar at the report.
- Add the quality-gate-action to actually block merges.
Related guides
Adding Codacy to GitHub ActionsRun Codacy static analysis and upload coverage from GitHub Actions using the Codacy CLI action and a project…
Adding Code Climate to GitHub ActionsReport test coverage to Code Climate from GitHub Actions using the test-reporter binary, before-build and aft…
Adding Codecov to GitHub ActionsUpload code coverage to Codecov from a GitHub Actions workflow: generate an lcov/Cobertura report, add the co…