GitHub Copilot is a game-changer, and making sure that AI-generated code is top-notch — secure, maintainable, and issue-free — is a must. Sonar has your back, letting you weave AI-generated code into your GitHub projects with confidence. Available as part of our SonarQube Server 2025.1 LTA and coming to SonarQube Cloud by April, this new capability auto-detects GitHub projects that contain AI-generated code from GitHub Copilot (you know, that AI coding assistant with over 100 million users) and reviews that code.
SonarQube evaluates users' GitHub Copilot usage and code contribution patterns, and when Copilot use is discovered, the code it generates can be run through Sonar’s rigorous AI Code Assurance workflow, automatically spotting potential issues. This means developer teams can crank up their productivity with AI help, all while keeping their codebase clean and secure.
The direct advantages of this:
- See the AI's work: Sonar automatically identifies any project that may contain code generated by GitHub Copilot.
- Code review, automated: Once the project is bound to an AI quality gate, Sonar thoroughly checks its code to catch potential problems before they become a headache.
- Smooth integration: It slots right into your existing processes and tools, giving you actionable insights without disrupting your flow.
- Code with confidence: Use GitHub Copilot to its full potential without worrying about code quality — Sonar's got it covered.
Here’s the step-by-step guide to getting started with Sonar’s auto-detection and review of GitHub Copilot-generated code.
How to detect usage of GitHub Copilot
The feature to automatically detect Copilot usage is turned on by default in SonarQube, but a SonarQube administrator has to enable access by setting permissions in your SonarQube GitHub App. This allows SonarQube to use GitHub’s API to see when Copilot is being used.
Here’s how you set permissions:
- First, make sure a SonarQube GitHub App has been set up in your GitHub account. You can check this in GitHub by going to Settings in the dropdown menu from your account profile icon in the upper right corner. Then in the left-hand side menu on the Public Profile page, under Integrations, click on Applications. In the list of applications, you should see a SonarQube app. If SonarQube hasn’t been registered as a GitHub App, follow these steps to do that.
- Ask a project administrator with GitHub access to navigate to Your SonarQube GitHub App > App settings > Permissions & events > Organization permissions > GitHub Copilot Business and set the access level to Read-only. Note that GitHub will send a confirmation email which must be acknowledged.
Once SonarQube has access to the GitHub API, it will proactively mark projects with a CONTAINS AI CODE status badge when it detects Copilot usage.
However, a few extra steps are needed in order to run this code through Sonar’s AI Code Assurance workflow.
- Switch your project’s quality gate to one that is qualified for AI Code Assurance, such as the Sonar-supplied Sonar way for AI Code. You can also use your own AI-qualified quality gate. Please follow our documentation on how to set up your quality gate to be qualified for AI Code Assurance.
- Trigger a new analysis.
That’s it! On the next analysis, your project will be checked using the analysis workflow specifically set up for AI-generated code. When you complete the workflow and the code passes the quality gate, you will see the AI Code Assurance passed badge on the project in the portfolio dashboard screen and the project’s overview page.
Get Automating Today
As AI coding tools like GitHub Copilot become increasingly popular, ensuring the quality and security of their output is paramount. Sonar's automated detection and review of AI-generated code from GitHub Copilot addresses this need, enabling developers to meet the rigorous expectations of modern software development.