explaingit

sonarsource/sonarqube

10,550 · Java · Audience · ops, devops · Complexity · 4/5 · License · LGPL v3 · Setup · hard

TLDR

SonarQube is a self-hosted server that continuously scans your codebase for bugs, security vulnerabilities, and code quality issues, with configurable Quality Gates to stop problems from shipping.

Mindmap

mindmap
  root((SonarQube))
    What it scans
      Bugs
      Security issues
      Code style
    Key concepts
      Quality Gate
      Continuous inspection
    Build
      Java 17
      Gradle
      npm
    Deployment
      Self-hosted server
      CI integration

Things people build with this

USE CASE 1

Self-host a code quality scanning server that automatically checks every pull request for bugs and security issues before merging

USE CASE 2

Configure Quality Gate rules so that builds fail automatically when new code introduces critical vulnerabilities

USE CASE 3

Build from source to customize or extend SonarQube's backend analysis capabilities

USE CASE 4

Integrate SonarQube into a CI/CD pipeline to enforce code standards across an engineering team

Tech stack

Java · Gradle · npm

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires Java 17, npm, and Gradle to build from source; the UI is in a separate repository and is downloaded automatically during the build.

Use and modify freely, but any changes you distribute must also be released under the same LGPL v3 license.

In plain English

SonarQube is a tool that scans source code to find bugs, security vulnerabilities, and style problems before software goes into production. Developers connect it to their codebase and it continuously checks the health of the code as the project evolves. One of its central concepts is a Quality Gate: a set of rules that must pass before new code can be considered acceptable. If new changes introduce issues, the Quality Gate flags them, which gives teams a consistent way to stop problems from accumulating over time.

The project is built and maintained by SonarSource, the commercial company behind SonarQube. The GitHub repository holds the server-side backend, written in Java. The user interface lives in a separate repository called sonarqube-webapp. When you build this backend from source, it downloads the UI automatically as a prebuilt package, so most contributors working on backend features do not need to touch the frontend at all. Those who do need to change the UI must clone the webapp repository separately and point a build variable at their local copy.

Building from source requires Java 17, npm, and Git. The build system is Gradle. Running the standard build command compiles the code, runs tests, and packages a zip archive. Unzipping that archive gives you a runnable server that starts with a shell script on Linux and macOS or a batch file on Windows.

The project accepts some outside contributions but with clear limits. SonarSource states in the README that it is not actively looking for feature contributions because aligning outside work with its internal roadmap is difficult. Minor fixes and cosmetic changes are welcome, but larger proposals should be discussed in the community forum first. Bug reports and feature requests go through that forum as well, not through GitHub issues.

SonarQube is licensed under the GNU Lesser General Public License version 3. SonarSource also offers a paid commercial edition with additional capabilities, though the README does not describe those in detail.

Copy-paste prompts

Prompt 1
Help me build SonarQube from source on Linux using Java 17 and Gradle, then start the server and open the dashboard in my browser.
Prompt 2
Show me how to configure a SonarQube Quality Gate that fails a pull request if new code introduces any critical security vulnerability or drops coverage below 80%.
Prompt 3
Help me integrate SonarQube into a GitHub Actions workflow so that every PR gets scanned and the result appears as a status check.
Prompt 4
Walk me through setting up a SonarQube project for a Python codebase and explain what the most important metrics on the dashboard mean.
Prompt 5
Help me understand the difference between the open-source SonarQube community edition and the commercial editions, and what I can do with the LGPL version.

Verify against the repo before relying on details.