6 min read

Continuous inspection of code quality with SonarQube tool

SonarQube is an open-source code inspection tool that continuously monitors our codes and helps us write clearer & better codes.
Continuous inspection of code quality with Sonarqube on Google Cloud Run
In this post, we will create a Linux VM on the GCP with Compute Engine service and use it as our SonarQube server. Then we will configure SonarQube to scan our repository on GitHub using the GitHub app & GitHub Actions.


  • A Google Cloud Platform account
  • Basic knowledge of GCP Compute Engine
  • Basic knowledge of Docker
  • A GitHub account and sample code repository

1. What is SonarQube and how it can help to improve your code quality?

SonarQube is an open-source code inspection tool that continuously monitors our codes and helps us write clearer & better codes.

It supports a wide range of programming languages and frameworks, defining a set of static code analysis rules, allowing developers to detect the code issues before releasing them.

Enhance Your Workflow with Continuous Code Quality & Code Security (image credit: www.sonarqube.org)

2. Create a Linux VM on Google Cloud & install Docker

First, open the Google Cloud console and navigate to the Compute Engine dashboard, then click Create Instance to create a new VM.

Navigate to the GCP Compute Engine dashboard and create a new VM
Name your VM and specify the region closest to your location

Name: my-docker-server, Region (the closest region to your location): asia-southeast-1, Machine family: E2, Machine type: e2-medium.

Allow HTTP traffic so we can use this VM as a SonarQube server

Boot disk image: Debian GNU/Linux 10 (buster), Firewall: Allow HTTP traffic, keep other options as default value then click Create.

After successfully creating the VM, SSH to it from the console by clicking the SSH button, we will install Docker on this VM follow this official guides from Docker: https://docs.docker.com/engine/install/debian/

sudo du

apt-get update

apt-get install \
    ca-certificates \
    curl \
    gnupg \

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

apt-get install docker-ce docker-ce-cli containerd.io

Verify the installation by running this command:
docker run hello-world
Successfully install the docker engine in our Debian VM

In this step, we create a new Debian VM using GCP Compute Engine, SSH to it, and install Docker, let move to the next steps.

3. Run SonarQube on Debian VM using its official Docker image

First, let's start by pulling the SonarQube docker image using the docker pull command (make sure you already SSH to the my-docker-server VM)

docker pull sonarqube

Then run the image using docker container run command and mapping port 80 to the container.

docker container run -dt --name sonarqube -p 80:9000 sonarqube
Access to your SonarQube server via Debian External IP, in my case it is:, yours will be different

The default credential is always admin/admin (username: admin, password: admin), and you need to reset passwords after the first login. You need to note the address of the SonarQube server, we will use it in the next few steps.

4. Register new GitHub App

Navigate to GitHub at Settings > Developer Settings > GitHub Apps and register a new GitHub App with the below information:

  • GitHub App Name – Your app's name.
  • Homepage URL – You can use any URL, such as https://www.sonarqube.org/.
  • User authorization callback URL – Your SonarQube based URL (Debian VM external IP). For example,
  • Webhook URL – Your instance's base URL. For example,
  • Grant access for the following Repository permissions:
Permission Access
Checks Read & write
Metadata Read-only
Pull Requests Read & write
Commit statuses Read-only
  • For private repositories, grant access to the following Repository permissions:
Permission Access
Contents Read-only
  • If setting up GitHub Authentication, in addition to the aforementioned Repository permissions, grant access for the following User permissions:
Permission Access
Email addresses Read-only
  • And grant access for the following Organization permissions:
Permission Access
Members Read-only
Projects Read-only
  • Under "Where can this GitHub App be installed?," select Any account.
Register a new GitHub App on your account using the above information

Next, you need to generate a private key to install the GitHub app and save the .pem file locally.

Click in "generate a private key" and save the ".pem" file

Next, we need to install our app on GitHub account before starting configuring our SonarQube project, it can be either personal or organization.

Select "Install App" on the left sidebar and click install to install the app
Confirm the installation process
Verify your app installation, it should appear similar to the above image

5. Create our first project on SonarQube and start scanning

From the dashboard of the SonarQube page, we will create a new GitHub project to scan our codes from there.

Select From GitHub (Set up global configuration) to start

Configuration name: any name, GitHub API URL: https://api.github.com/, GitHub App ID + Client ID + Client Secret + Private Key: get from your GitHub app above.

Config the project with your GitHub app information as above image
Authorize the "My SonarQube Demo" app to access GitHub

Next, select the organization and the repository that we need SonarQube scan then create Set up the selected repository.

Choose organization and repository
Select the GitHub Actions option for "How do you want to analyze your repository?"
Follow the guideline steps to create repository secret as the image (the SONAR_HOST_URL will be Debian VM external IP).
Successfully created 2 new repository secrets as the instruction
Follow instructions from SonarQube to update files with the above contents

So we're all set after going on a long journey, let's see the results.

The configuration is finished, let's check out the results

After the analysis is finished, we can see the result as below image, check it and start improving your code quality!

If you got an Unauthorized error like below, check your sonar-project.properties and make sure sonar.login, sonar.password are all set! (Not recommended for production environment but fine for the lab/demo purpose)

ERROR: Error during SonarScanner execution
INFO: Final Memory: 4M/20M
ERROR: Not authorized. Please check the properties sonar.login and sonar.password.
Congrats, you successfully provision the resources, build, config and run the code scan with the SonarQube community version. See you in the next post! Don't forget to remove the resource after finish to save your cost.