SonarQube is a great tool for static code analysis to ensure code quality and security. What is SonarQube used for? Continuous inspection of source code across languages.
As a standalone app, SonarQube Server offers a free SonarQube Community Build (Community Edition), and three paid editions — Developer, Enterprise and Data Center (priced per instance/year based on lines of code analyzed). There is also a paid SaaS solution called SonarQube Cloud, which includes a free tier for public open source projects on GitHub, Bitbucket Cloud, Azure DevOps or GitLab.
SonarQube supports 40 programming languages and frameworks out of the box through built‑in analyzers (e.g., Java, JavaScript/TypeScript, C#/VB.NET, Python, Rust, Go, Terraform, Kubernetes/Helm, Ansible). It can identify security issues, code smells and many attributes like complexity, duplication and coverage. Additional capabilities come from 50+ third‑party plugins (manual install or marketplace access for Server editions), covering integrations (e.g., Dependency-Check, OpenID Connect), external analyzers (e.g., Checkstyle, Creedengo), code coverage, localization and more.
The free SonarQube Community Build (self-hosted) and SonarQube Cloud free tier (for open source) have different functionalities, shown in this side-by-side comparison:
SonarQube Community Build vs SonarQube Cloud
In this article, we'll take a closer look at the latest free options: SonarQube Community Build 26.1.0 and SonarCloud.
Installation
There are several ways to install SonarQube Community Build (Server):
- Manual: Download ZIP from sonarsource.com, unpack, install and configure.
- Docker: Use the official image from Docker Hub.
- Helm: Use the official Helm chart from Artifact Hub.
- Ansible: Install with our Ansible-SonarQube role.
For our purposes, we'll explore installing SonarQube with our Ansible-SonarQube role. Check the README, grab the playbook example and adjust variables as needed. The playbook installs SonarQube 25.12 with third-party plugins plus prerequisites:
- Java 21 (via our Ansible-Java role)
- PostgreSQL (v14+ recommended)
- NGINX (for HTTPS reverse proxy)
The Java role works great for SonarQube and other projects — it's optimized for lean delivery and tops Ansible Galaxy for Java installs.
Hardware Minimum: Instance with 4GB RAM (e.g., AWS t3a.medium for small teams; t3a.large/8GB recommended for production).
Note: In addition to installation, the role handles configuration, including:
- Database migration (required for updates)
- Jenkins webhook setup
- Custom quality profile imports
- LDAP authentication config
Configuration
Initial Security Setup
First, log in as an admin user at http://localhost:9000. The Ansible role changes the default admin/admin password; see the variables change_password and sonar_web_password.
Next, make an admin token: My Account > Security > Generate Tokens — save this somewhere safe, you'll need it for your CI setup.
Team Access
Set up team logins with SAML or OAuth (for GitHub/GitLab/Bitbucket): Administration > Configuration > Authentication. The Ansible role supports LDAP configuration.
Quality Profiles (Built‑in + Custom)
SonarQube comes with a built-in set of rules and profiles for the main languages (like "Sonar way" for Python), and usually you don't need extra plugins for them. Some of the rules in the built-in profile may be deactivated by default.
Example: The Python "Sonar way" profile is ready to go.
You can tweak built-in profiles by creating custom profiles: turn rules on/off, change their settings and add rules from third-party plugins (Quality Profiles > [Language] > [BUILT-IN profile] > Actions > Extend or Copy).
Example 1: Some rules from the Python "Sonar way" profile are not suitable for your project. Create a custom profile and disable the unnecessary rules (or change their parameters).
Example 2: You want to use rules from the Java "Sonar way" profile together with rules from third-party Java plugins like PMD/Checkstyle/FindBugs. Create a custom profile by copying/extending "Sonar way" and add rules from a third-party plugin ([Custom profile] > Inactive rules > [third-party repository in filters] > Bulk Change > Activate).
Any profile can be set as the default or assigned to specific projects only.
When the built-in profile is updated, SonarQube also updates custom profiles that were created as extensions, but doesn't change profiles that were created as copies.
Example: You created a custom profile as a copy of the built-in one. After the SonarQube (or plugin) update, new rules were activated in the built-in profile, but weren't activated in the custom one. Activate manually if you need them.
The Ansible role supports importing custom profiles.
Quality Gates
Quality gates decide if your code passes or fails based on things like coverage, duplication, security and issue count. You can use the built-in "Sonar way" gate or make a custom one with less strict or more strict conditions, depending on your needs.
The built-in gate checks new code only, so you focus on fixing what you just changed. It covers issues, hotspots, coverage and duplications. In custom gates, you can add both new code and overall code conditions.
CI Integration (like Jenkins)
- Add a webhook: Administration > Configuration > Webhooks > Create > Jenkins URL (/sonarqube-webhook/).
- In Jenkins:
  - Install the SonarQube Scanner plugin.
  - Go to Manage Jenkins > System > SonarQube Servers: Add your server name, URL and admin token.
  - If you use HTTPS, make sure you have a valid cert or add your self-signed cert to Jenkins' JVM truststore.
- The Ansible-Jenkins role can set up the server and install the plugin.
- You can also use the CLI SonarScanner, but the plugin is easier.
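As an added example (not the article's code and not the Jenkins plugin's), here is the check a custom webhook receiver should do if you point the SonarQube webhook at your own endpoint instead of Jenkins: verify the HMAC header SonarQube adds when a secret is set on the webhook, then read the quality gate status from the payload. The secret, project key, branch and condition values are constructed sample data.

```python
import hashlib
import hmac
import json

# Header SonarQube adds when a secret is set on the webhook (Webhooks > Create > Secret).
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw payload bytes: the value SonarQube puts in the header."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_value: str, secret: str) -> bool:
    """Constant-time compare; sign the raw bytes received, never re-serialized JSON."""
    return hmac.compare_digest(sign(raw_body, secret), header_value.strip().lower())

def parse_gate_result(raw_body: bytes) -> dict:
    """What a CI job needs from the payload: project, branch, gate status, failed conditions."""
    payload = json.loads(raw_body)
    gate = payload.get("qualityGate", {})
    failed = [f'{c["metric"]} {c["operator"]} {c["errorThreshold"]} (actual {c.get("value", "n/a")})'
              for c in gate.get("conditions", []) if c.get("status") == "ERROR"]
    return {"project": payload.get("project", {}).get("key"),
            "branch": payload.get("branch", {}).get("name"),
            "gate_status": gate.get("status"), "failed_conditions": failed}

def handle_webhook(raw_body: bytes, headers: dict, secret: str) -> dict:
    """Reject unsigned or mis-signed deliveries before trusting the gate status."""
    sig = headers.get(SIGNATURE_HEADER)
    if not sig or not verify_signature(raw_body, sig, secret):
        raise PermissionError("webhook signature missing or invalid")
    return parse_gate_result(raw_body)

# Constructed sample: same shape as SonarQube's webhook JSON, made-up values and secret.
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "status": "SUCCESS",
    "project": {"key": "demo-service", "name": "Demo Service"},
    "branch": {"name": "main", "type": "BRANCH", "isMain": True},
    "qualityGate": {"name": "Team gate", "status": "ERROR", "conditions": [
        {"metric": "new_coverage", "operator": "LESS_THAN", "value": "42.0",
         "status": "ERROR", "errorThreshold": "60"},
        {"metric": "new_security_hotspots_reviewed", "operator": "LESS_THAN",
         "value": "100", "status": "OK", "errorThreshold": "100"}]},
}).encode("utf-8")

if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign(SAMPLE_BODY, SAMPLE_SECRET)}
    print(handle_webhook(SAMPLE_BODY, headers, SAMPLE_SECRET))
```

Without the secret (and this check) anyone who can reach the endpoint can post a forged "gate passed" payload, so treat an unsigned delivery as a failure, not a pass.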
Scale to enterprise Kubernetes CI/CD? EPAM's KubeRocketCI automates SonarQube deployment via its EDP Sonar Operator, integrates quality gates across microservices pipelines and handles branch/PR analysis at scale. Perfect for teams moving beyond Jenkins to GitOps workflows with ArgoCD and multi‑cluster support.
Pipeline
Let's say you have a main branch, developers work in feature branches and open pull requests (PRs). It makes sense to configure SonarQube analysis for the main branch (and other important branches sometimes) and for PRs in CI.
Paid Editions and SonarQube Cloud
If you use SonarQube Cloud or the paid Developer+ editions, you get built-in branch and PR analysis:
- One SonarQube project covers all branches and PRs in your repo.
- PR decoration: You'll see inline comments about issues, plus quality gate status, right in your GitHub, GitLab, Bitbucket or Azure DevOps PRs.
Community Build 26.1.0: Workarounds
The free Community Edition doesn't have built-in multi-branch/PR support or PR decoration. You have to make separate SonarQube projects for each branch and PR, or use the option below.
- Community Branch Plugin (v26.1.0, works with SonarQube 26.1.0): Allows you to keep all branches and PRs in a single project and provides PR decoration. You have to install and configure it yourself.
How to Start Using It on Your Project
4‑step SonarQube onboarding flow
Step 1: Add Non‑Blocking Analysis
Set up a SonarQube scan in your repository. Use a blank quality gate, so the scan won't break your builds if there are issues.
Once it's set up, you'll see a project dashboard in SonarQube or SonarCloud showing the scan results. If your repo is big, you might see a ton of issues — don't worry, at first, focus on the important ones. Ask the team to review existing Hotspots and Security issues. If capacity allows, review also the Reliability and Maintainability ones.
Step 2: Triage Rules
Ask the team to review the rules in the built-in quality profile. Probably some of them don't match your project and should be disabled or edited. Create a custom profile and write down any changes you make in the team wiki so everyone knows what's up. Or keep the profile in the git repository to get a change history.
Step 3: Tighten the Quality Gate Bit by Bit
Discuss with the team adding conditions to your blank quality gate until it is similar to the built-in gate or even stricter. Do it step by step: for example, start with hotspots, then add duplications, coverage and issues. You may change condition values according to your project's needs.
Example: Your team is not ready to keep an 80% coverage condition now, but agreed to keep 60%.
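An added example (not the article's or Sonar's own code) of the step-by-step tightening done through the SonarQube Web API rather than the UI: it builds the calls that create a gate and add new-code conditions stage by stage, with coverage at the team's agreed 60% instead of the built-in 80%. The gate name "Team gate", the server URL and the admin token are placeholders; the other thresholds follow the built-in "Sonar way" gate.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Tightening stages in the order the article suggests; each stage keeps all earlier conditions.
# Metric keys are SonarQube's new-code metrics; thresholds except coverage match "Sonar way".
STAGES = ["hotspots", "duplications", "coverage", "issues"]
PLAN = {
    "hotspots": {"metric": "new_security_hotspots_reviewed", "op": "LT", "error": "100"},
    "duplications": {"metric": "new_duplicated_lines_density", "op": "GT", "error": "3"},
    "coverage": {"metric": "new_coverage", "op": "LT", "error": None},  # team-chosen, set below
    "issues": {"metric": "new_violations", "op": "GT", "error": "0"},
}

def stage_conditions(stage: str, coverage_pct: int = 80) -> list:
    """Conditions for a gate tightened up to and including `stage`."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}; expected one of {STAGES}")
    conds = []
    for s in STAGES[: STAGES.index(stage) + 1]:
        cond = dict(PLAN[s])
        if s == "coverage":
            cond["error"] = str(coverage_pct)
        conds.append(cond)
    return conds

def gate_requests(gate_name: str, stage: str, coverage_pct: int = 80) -> list:
    """Web API calls (endpoint, form params) that create the gate, then add each condition."""
    calls = [("api/qualitygates/create", {"name": gate_name})]
    for cond in stage_conditions(stage, coverage_pct):
        calls.append(("api/qualitygates/create_condition", {"gateName": gate_name, **cond}))
    return calls

def apply(server_url: str, token: str, calls: list) -> None:
    """POST each call; the admin token goes in HTTP Basic as the user name with an empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    for endpoint, params in calls:
        req = Request(f"{server_url.rstrip('/')}/{endpoint}", data=urlencode(params).encode(),
                      headers={"Authorization": f"Basic {auth}"}, method="POST")
        with urlopen(req) as resp:  # HTTPError on 4xx/5xx, e.g. when the gate name already exists
            print(endpoint, resp.status)

if __name__ == "__main__":
    # Step 3 example from the article: the team agreed to 60% coverage, not 80%, for now.
    calls = gate_requests("Team gate", "coverage", coverage_pct=60)
    for endpoint, params in calls:
        print(endpoint, params)
    # apply("http://localhost:9000", "<admin token>", calls)  # placeholders; run against a real server
```

Re-running a later stage against an existing gate needs only the new create_condition calls, since create fails once the name exists.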
Step 4: Handle Updates
Set up regular updates of SonarQube and plugins (for example, twice per year). Each update brings new rules, so your code will be verified according to the latest standards.
Conclusion
SonarQube Server takes your CI/CD pipeline from just building code to actually checking for bugs, security issues and messy code before anything goes live. It supports 21 languages/frameworks out of the box in Community Build (more in paid editions), so it's great for everything from small projects to big enterprise DevSecOps setups. If you're starting out, use Community Build or go with SonarCloud for open source projects. Either way, focus on new code — fix new problems as you go so your team doesn't get buried in old issues. When you need more languages/frameworks and better branch/PR analysis, upgrade to a Developer+ edition.
FAQs
What is SonarQube, and why should I add it to my CI pipeline?
SonarQube is a continuous inspection platform for automated code analysis that scans source code across programming languages for coding issues, security issues and code smells, providing immediate feedback to catch problems early in your development process.
What are the prerequisites and recommended resources for configuring SonarQube instances?
You need 4+ GB RAM (e.g., AWS t3a.medium), JDK 21/25 and a PostgreSQL/MSSQL/Oracle database; check the official Sonar docs for more details. Use the official Docker image, Helm chart or Ansible role for quick setup.
How do I integrate SonarQube with other CI tools and DevOps platforms?
Check the official Sonar docs for integration with GitHub, Bitbucket, GitLab and Azure DevOps.

