SonarQube (Code Quality)
SonarQube scans source code for bugs, vulnerabilities, code smells, and security hotspots across 30+ languages, with quality gates to block merges on failing code.
Aithroyz deploys SonarQube Community Edition. Create a project, generate a token, and run sonar-scanner from your CI pipeline or local terminal.
Access
URL: https://sonarqube.<env-name>.ops.aithroyz.com
Credentials: Shown in Environments detail → Credentials panel.
Running a scan
1. Create a project
Projects → Create Project → Manual. Give it a project key and display name.
2. Generate a token
In the project setup wizard, choose Generate Token. Copy it — it won't be shown again.
3. Run sonar-scanner
Run the scanner from your repo root, passing the host URL and token.
# Install sonar-scanner (macOS/Linux)
brew install sonar-scanner # macOS
# or download from https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/
# Run the scan from your project root
sonar-scanner \
-Dsonar.projectKey=my-project \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarqube.<env-name>.ops.aithroyz.com \
-Dsonar.token=<your-project-token>
✓ Store the token as a secret in Gitea Actions (SONAR_TOKEN) and reference it in your CI workflow instead of hardcoding it.
Reading results
Overview
Shows the quality gate status (Passed / Failed), reliability, security, and maintainability ratings at a glance.
Issues tab
Browse all findings filtered by severity (Blocker, Critical, Major, Minor), type, and component. Assign issues to team members.
Security Hotspots
Code patterns that may be vulnerable but require a human decision. Review and mark as Safe or Fixed — not automated.
Measures tab
Deep metrics: lines of code, complexity, coverage, duplication percentage, and trend charts over time.
Quality gates
Quality gates define the conditions code must meet before a merge or deployment. Failing a gate causes the CI build to exit non-zero.
1. Create a gate
Quality Gates → Create → give it a name (e.g. Strict Security Gate).
2. Add conditions
Add conditions such as: New Blocker Issues = 0, New Critical Vulnerabilities = 0, Coverage on New Code ≥ 80%.
3. Assign to project
Open your project → Project Settings → Quality Gate → select your custom gate.
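The following is an added example, not code from the Aithroyz docs or from SonarQube itself. It ties the scan step above (token read from the SONAR_TOKEN secret rather than hardcoded) to the quality gate: sonar.qualitygate.wait=true makes sonar-scanner exit non-zero when the gate is not Passed, and the response of the /api/qualitygates/project_status endpoint is rendered into a short summary of the kind a webhook could post back on the pull request. The script name sonar-ci.sh, the SONAR_CI_RUN switch, the SONAR_HOST_URL and SONAR_PROJECT_KEY variables, and the sample JSON are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example (hypothetical "sonar-ci.sh"), not part of the Aithroyz docs or of
# SonarQube's own tooling: run sonar-scanner with the token taken from the
# SONAR_TOKEN secret, fail the build when the quality gate fails, and render the
# gate result as a text summary that an n8n/webhook step could post as a PR comment.
# The host URL and project key below are assumptions; override them via env.
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarqube.<env-name>.ops.aithroyz.com}"
SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-my-project}"

# The token comes only from the environment (a Gitea Actions secret in CI), never
# from a script argument, so it cannot leak via shell history or a logged command.
require_token() {
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
}

# Run the analysis. sonar.qualitygate.wait=true makes the scanner block until the
# server has computed the gate and exit non-zero if the gate failed, which is what
# turns a failing gate into a failing CI build.
run_scan() {
  require_token
  sonar-scanner \
    -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
    -Dsonar.sources=. \
    -Dsonar.host.url="$SONAR_HOST_URL" \
    -Dsonar.token="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true
}

# Fetch the gate result. SonarQube accepts a token as the Basic-auth username with
# an empty password.
fetch_gate_json() {
  require_token
  curl -fsS -u "$SONAR_TOKEN:" \
    "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$SONAR_PROJECT_KEY"
}

# projectStatus.status is OK, ERROR or NONE. Whitespace is stripped first so
# pretty-printed JSON parses too; sed is used on purpose to avoid a jq dependency
# on the CI runner.
gate_status_from_json() {
  printf '%s' "$1" | tr -d ' \n\t' |
    sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# One line per failed condition: "<metricKey>: <actual> (threshold <value>)".
# Condition objects are flat, so each is matched as a brace-free {...} span;
# objects without a metricKey (e.g. the "periods" entries) are skipped.
failed_conditions_from_json() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -o '{[^{}]*}' |
    grep '"metricKey"' | grep '"status":"ERROR"' |
    while IFS= read -r cond; do
      metric=$(printf '%s' "$cond" | sed -n 's/.*"metricKey":"\([^"]*\)".*/\1/p')
      actual=$(printf '%s' "$cond" | sed -n 's/.*"actualValue":"\([^"]*\)".*/\1/p')
      limit=$(printf '%s' "$cond" | sed -n 's/.*"errorThreshold":"\([^"]*\)".*/\1/p')
      printf '%s: %s (threshold %s)\n' "$metric" "$actual" "$limit"
    done
}

# Text summary suitable for a PR comment body.
gate_summary() {
  status=$(gate_status_from_json "$1")
  case "$status" in
    OK)    printf 'Quality gate: Passed\n' ;;
    ERROR) printf 'Quality gate: Failed\n'
           failed_conditions_from_json "$1" | sed 's/^/  - /' ;;
    *)     printf 'Quality gate: no result (%s)\n' "${status:-unknown}" ;;
  esac
}

# Constructed sample response (not captured from a real server) so the parsing
# helpers can be exercised offline: one passing and one failing condition.
SAMPLE_GATE_JSON='{"projectStatus":{"status":"ERROR","conditions":[{"status":"OK","metricKey":"new_blocker_violations","comparator":"GT","errorThreshold":"0","actualValue":"0"},{"status":"ERROR","metricKey":"new_coverage","comparator":"LT","periodIndex":1,"errorThreshold":"80","actualValue":"52.3"}],"periods":[{"index":1,"mode":"PREVIOUS_VERSION"}],"ignoredConditions":false}}'

main() {
  scan_rc=0
  run_scan || scan_rc=$?
  gate_summary "$(fetch_gate_json)"
  exit "$scan_rc"
}

# Run the pipeline only when asked (SONAR_CI_RUN=1), so the file can also be
# sourced for its helpers, e.g. to format a summary from JSON fetched elsewhere.
if [ "${SONAR_CI_RUN:-0}" = 1 ]; then
  main
fi
```

In a Gitea Actions workflow the step would be `SONAR_CI_RUN=1 SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" sh sonar-ci.sh`; the scanner's own non-zero exit from the gate wait is preserved as the step's exit code, and the summary printed before exiting is what a following step or n8n flow can forward as the PR comment.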
Tips
✓ Add a Gitea webhook to trigger a SonarQube scan on every pull request. Connect it to n8n to post the quality gate result back as a PR comment.
⚠ Security Hotspots require a human reviewer — they are flagged as potentially risky patterns but are not confirmed vulnerabilities. Do not mark them as Safe without manual code review.
ℹ Community Edition supports one branch per project. To scan multiple branches, consider upgrading to Developer Edition or running separate projects per branch.