Skip to content
Home » GitHub pull request analysis using SonarQube

GitHub pull request analysis using SonarQube


SonarQube provides Github plugin using which it can publish inline comments in the git pull request for issues found in the modified/new codes of the pull request. So you do not have to manually review Github pull request and add comments, SonarQube will do it for you. Below are the steps to set up the Github plugin in SonarQube.

1. Installation:
To install the Github Plugin, follow below process:

  1. Login to your SonarQube as Administrator,
  2. Go to tab Administrator -> System -> Update Center -> Available,
  3. Search GitHub in the search box which will then list the plugin by searching the SonarQube plugin repository.
  4. On the right side of the plugin list, click the Install button to install it.
  5. Once installed, restart your SonarQube. You can confirm installation by going to the ‘Installed’ tab from step 2 above and check if Github is displaying as installed without any issue.

Below is the screen attached for reference:

2. Generate Github OAuth access token:
Generate your Github OAuth access token to be used in SonarQube Github plugin configuration so that SonarQube can access your Github repository and specified pull request to analyze code and publish the comments for issues found.

To Generate Github access token, follow below process:

  1. Login to your Github account.
  2. Go to the account settings page.
  3. On the left side of the page in the ‘Personal settings’ list, click ‘Personal access tokens’ option which will show its page on the right side.
  4. Click the ‘Generate new token’ button on the top right of the ‘Personal access tokens’ page.
  5. Give any suitable name for ‘Token description’ like SonarQube and then check the repo box to allow access to your repositories.
    NOTE: If you do not want to allow private repository access and just using the public repository for SonarQube analysis then just select ‘public_repo’ checkbox.
  6. Click the ‘Generate token’ button at the bottom of the page and which will generate a token. save this token so as to use in SonarQUbe Github plugin configuration.

Below is the screen attached for reference:
3. Configure the Github plugin:
Now you have installed Github plugin and generated Github access token to be used in SonarQube configuration.

So the only process left is to add configuration code your ‘’ file which you are using for SonarQube analysis in your codebase/project.

Follow below step to add configuration:

  1. Open your file which you have inside your codebase/project using which you run sonar-runner to analyze code.
  2. Add below configuration code at the end of the file. (see inline hashed comments to know what value to give for each property)
    # This is to allow sonar to access your GitHub repository. Personal access token you generated above in Github.
    sonar.github.oauth= <your oauthid generated in Github>
    # Give repository identification in the format of <organisation/repo> like SonarSource/SonarQube
    sonar.github.repository= <organisation/repo>
    # Pull request number of git pull request so that sonar will analysis and pull comment for that pull request.
    sonar.github.pullRequest= <Pull request number>


  • Pull request number you can get from pull request list or url like for “” pull request number is 10.
    This value you have to give/change every time before running sonar-runner so that SonarWub
  • <organisation/repo> value you can get from “Repositories you contribute to” section appears on the right side of your home page at

That’s it. Now git checkout to the branch of the pull request for which you want to do analyze and run sonar-runner.

Once the analysis is done by Sonar runner then it will post comments to the Github pull request for the modified/new codes for issues if there is any. You can open your git pull request on the browser and see inline comments for related codes having issues.



24 thoughts on “GitHub pull request analysis using SonarQube”

    1. Yes, Its really cool.
      we should do more and more research and see how it can be tweaked to make it review based on other rules like php codesniffer rules to be integrated with it so as to make it Project/Website based review as per requirements.

    1. Did you also allowed the scope for that access token in your github account as per screenshot attached in the main post? or may be if you can try selecting other relevant scope to allow and see if that work?

        1. I have locally set up sonarQube and my has
          # must be unique in a given SonarQube instance
          # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.

          # Path is relative to the file. Replace “\” by “/” on Windows.
          # Since SonarQube 4.2, this property is optional if sonar.modules is set.
          # If not set, SonarQube starts looking for source code from the directory containing
          # the file.

          # Encoding of the source code. Default is default system encoding

          # This is to allow sonar to access your github repository. Personal access token you generated above in Github.
          # Give repository identification in the format of like SonarSource/sonarqube
          # Pull request number of git pull request so that sonar will analysis and pull comment for that pull request.

          1. The configuration you posted looks fine.
            I am still trying to understand what could be the issue.

            The latest version i am using is Version 6.0. Are you using the same or the latest one that is 6.2 ?

            if you have set all permissions for github repo to be accessible for sonar and sonar configuration properly, then just thinking if the error has something has to do with version if you are using latest?

        1. I am connecting externally from my organization so i have also added proxy setting to . Is this the only location i add proxy
          # HTTPS proxy (defaults are values of http.proxyHost and http.proxyPort)

          1. It works when i connect from an external network , maybe something to do with the way its accessing the proxy settings.Thanks a lot for all the help sandeep.It a great article helped me a lot.

    1. When you run sonar-runner on your branch pull request via command line then what output it shows at the end? Does it says anything about posting the pull request analysis comment to github or something? or it fails to post?
      also i hope you are running sonar runner on the active branch with ‘sonar.github.pullRequest=‘in configuration file for which pull request is to be analysed.
      If you can give some more information about what is the output at the end when you run sonar runner.

      1. Hi Sandeep,

        Thanks for quick response. Below is configuration.
        $ cat
        sonar.projectName=PHP :: PHPUnit :: php_mk




        # Reusing PHPUnit reports


        Below is output after execution.

        INFO: 18022/18022 source files have been analyzed
        INFO: PHPUnit xml test report not found: reports/phpunit.xml
        INFO: PHPUnit xml unit test coverage report not found: reports/phpunit.coverage.xml
        INFO: No PHPUnit integration test coverage report provided (see ‘sonar.php.coverage.itReportPath’ property)
        INFO: No PHPUnit overall coverage report provided (see ‘sonar.php.coverage.overallReportPath’ property)
        INFO: Sensor PHP sensor (done) | time=475054ms
        INFO: Sensor Analyzer for “php.ini” files
        INFO: Sensor Analyzer for “php.ini” files (done) | time=26ms
        INFO: Performing issue tracking
        INFO: 21876/21876 components tracked
        INFO: Executing post-job GitHub Pull Request Issue Publisher
        INFO: ————————————————————————
        INFO: ————————————————————————
        INFO: Total time: 8:14.975s
        INFO: Final Memory: 48M/736M
        INFO: —————————————————————–

        Let me know if any other information is required.

    1. Yes until you automate the process via any tool like Jenkins to make that file with update information.
      but yes, if you are running the pull request analysis on particular pull request then you have to update the with that pull request id so that the comment will get added to that particular pull request for which you are running the analysis.

      1. Hi Sandeep,

        How do you update the sonar.github.pullRequest in jenkins job if we are automating this and would like to have sonar for every new pull request without manual intervention.


  1. Hi Sandeep!
    I’m using sonarqube 5.5 and I’m unable to install the girhub plugins. I’m getting like ‘Error while downloading plugin ‘github’ with version ‘1.4.1’. No compatible plugin found.’ Please do suggest me a solution. Thanks in advance.


  2. Thank you for writing the blogpost. However I’ve tried to accomplish this on SonarQube Version 6.7.6 (build 38781). It doesn’t work at all. I’ve checked the official docs and it says this “This plugin is deprecated, and its functionality more than replaced by the Developer Edition for SonarQube 7.2+.” The developer edition is not for free.

    Would really appreciate if you could respond. Thank you!

    1. ok. It was working with the previous version but now SonarQube team has made the changes to include it only in the latest version of SonarQube developer edition which is not a free version now. 😐
      I think we can not use it for free anymore.
      Thanks for visiting the post 🙂 I will update here if I find anything.

Leave a Reply

Your email address will not be published. Required fields are marked *