How to configure Sonar Code-Quality Checks in GitHub Actions


This blog will show you how to configure Sonar Code-Quality Checks in GitHub Actions.

What is Code Quality?

  • Quality code is code that functions as intended for end users, without deficiencies.
  • Every team measures code quality a little differently. In general it comes down to a subjective judgement of common factors such as maintainability, testability, readability, security, and more.
  • Automated tools can also analyze source code and produce a code quality score from a number of metrics that measure complexity and functionality.
  • Writing clean code involves a number of best practices while the code is being written. By following standard conventions, reducing complexity, improving old code whenever new code is added, and more, developers and testers can eliminate code smells and build a higher-quality, more secure product.

Benefits of using Sonar for Code-Quality

SonarCloud configuration

  • First, log in to SonarCloud using your GitHub account.
  • Next, you have to authorize SonarCloud.
  • Now you can add the GitHub organization you are using to SonarCloud by clicking on your account.

  • I chose my personal organization. SonarCloud is installed as a GitHub App for that organization, and you can then grant SonarCloud access to your repository.
  • In SonarCloud you can now create an organization.
  • In your GitHub repository you need a token so that GitHub Actions can access SonarCloud.

GitHub Actions

  • SonarCloud provides instructions on what you need to do so that GitHub Actions can feed analysis results to SonarCloud. These include updating your pom.xml file to specify the target module for the SonarSource plugin. Add the property below to the POM file.
        <sonar.moduleKey>${project.groupId}:${project.artifactId}</sonar.moduleKey>
  • Push all code to your repository.
  • Now go to the GitHub repository, where you will see the Actions tab; click on it.
  • Click on Set up a workflow yourself.
  • Replace the pre-populated workflow code with the one below.
    name: Build
    on:
      push:
        branches: [master]
      pull_request:
        branches: [master]
    jobs:
      build_and_test:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v2
            with:
              fetch-depth: 0  # full history, so SonarCloud can tell new code from old and decorate PRs
          - name: Cache SonarCloud package
            uses: actions/cache@v1
            with:
              path: ~/.sonar/cache
              key: ${{ runner.os }}-sonar
              restore-keys: ${{ runner.os }}-sonar
          - name: Analyze with SonarCloud
            # You can pin the exact commit (as here) or a version tag.
            uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information
              SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token in SonarCloud, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
            with:
              # Additional arguments for the sonarcloud scanner
              args:
                # Unique keys of your project and organization (mandatory). You can find them in SonarCloud > Information (bottom-left menu)
                -Dsonar.projectKey=<your-project-key>
                -Dsonar.organization=<your-organization-key>
  • The first part of the workflow means that it is triggered every time a push or a pull request is made to the master branch. Then comes the jobs keyword; under it we list the names of all the jobs we want to run. In this case we start with build_and_test, and declare that it should run on ubuntu-latest.
  • Next we set up the cache, which stores dependencies between runs; if it finds a matching entry it restores it to the path you provided. Finally the scanner analyzes the code and sends the results to SonarCloud, identified by the project key and organization key. With the above steps we have configured Sonar Code-Quality Checks in GitHub Actions.
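The workflow above drives the generic SonarCloud scanner action, while the pom.xml step earlier configures the SonarSource Maven plugin. The following added example (written for this edit, not the blog post's own workflow) shows the Maven route end to end for the same setup: it assumes a Maven project with the sonar.moduleKey property from the POM, a repository secret named SONAR_TOKEN, and uses YOUR_PROJECT_KEY and YOUR_ORG_KEY as placeholders for the keys shown under SonarCloud > Information. It also adds the least-privilege permissions block and a guard against forked pull requests, which do not receive repository secrets.

```yaml
# .github/workflows/sonarcloud-maven.yml  (added example, not the blog post's workflow)
name: SonarCloud analysis (Maven)

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege: the job only needs to read the repository and PR metadata.
# The SonarCloud token is a repository secret, not a workflow permission.
permissions:
  contents: read
  pull-requests: read

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Pull requests from forks do not receive repository secrets, so SONAR_TOKEN
    # would be empty and the step would fail. Skip analysis for those instead.
    # Assumption: you only want to analyze branches and PRs from this repository.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarCloud can compute "new code" and blame lines

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven     # caches ~/.m2/repository, keyed on the pom.xml

      - name: Cache SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Build, test and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets the scanner decorate the pull request
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # kept in env, never in the command line
        # -B = batch mode. "verify" runs the tests first so test results and coverage
        # are available to the sonar goal in the same Maven invocation.
        # sonar.qualitygate.wait=true makes the job fail when the Quality Gate fails,
        # so the result is visible as a red check on the PR.
        # YOUR_PROJECT_KEY / YOUR_ORG_KEY are placeholders (copy the real values from SonarCloud > Information).
        run: >
          mvn -B verify
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.projectKey=YOUR_PROJECT_KEY
          -Dsonar.organization=YOUR_ORG_KEY
          -Dsonar.qualitygate.wait=true
```

To turn the analysis into an actual gate, mark the resulting SonarCloud check as a required status check in the branch protection rules for master; without that, a failed Quality Gate is only advisory and the PR can still be merged.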

Github Action result

  • The Sonar analysis checks run after raising the PR against the main branch.

  • We also get the SonarCloud Quality result.


  • SonarCloud is a leading online service for catching bugs and security vulnerabilities in your pull requests and throughout your code repositories.
  • Code quality stays high when SonarCloud is used consistently.
  • People do not push code without first checking it for code smells, bugs and security vulnerabilities.


Written by 

Prajjawal is a QA Consultant with more than 1.6 years of experience. He is familiar with the core concepts of manual and automation testing using tools like contract testing, Selenium and Postman, and also has knowledge of Core Java, Python and Data Science. He is always eager to learn new and advanced concepts in order to improve himself. He likes to watch web series and play cricket.