Introduction
The integration of artificial intelligence (AI) into software development has propelled the industry into a new era of speed and innovation. AI-powered coding assistants like GitHub Copilot and OpenAI's ChatGPT have become invaluable assets for developers, offering the ability to generate code snippets, algorithms, and even entire modules from natural language prompts. These tools interpret developers' intentions and translate them into functional code, significantly accelerating the development process.
However, alongside these advancements come notable challenges. While AI-generated code can enhance productivity, it doesn't inherently guarantee adherence to the stringent standards that experienced developers apply. Issues related to code quality, security vulnerabilities, and compliance with industry regulations can easily be overlooked by AI models, which lack the discernment and contextual understanding of human professionals.
For instance, AI-generated code may not follow your project's specific coding conventions, leading to inconsistent styles and practices within your codebase. This inconsistency can hinder collaboration, make code reviews more challenging, and introduce bugs that are difficult to trace. Moreover, without meticulous oversight, AI tools might produce code that contains security flaws, exposing your organization to significant risks.
Recognizing these potential pitfalls, it's imperative to ensure that AI-generated code meets the same high standards as code written manually by developers. This is where Sonar's AI Code Assurance comes into play. We provide comprehensive solutions spanning SonarQube for IDE, SonarQube Server and SonarQube Cloud, designed to integrate seamlessly into your development workflow. These tools automatically analyze code for issues, enforce coding standards, and guide developers in remediating problems effectively.
Using AI Code Assurance included in SonarQube (Server and Cloud), you can bridge the gap between the rapid code generation capabilities of AI and the uncompromising quality demands of modern software development. This ensures that your codebase remains robust, secure, and maintainable, regardless of whether the code originates from an AI assistant or a human developer.
In this detailed guide, we'll walk you through the process of leveraging Sonar AI Code Assurance to overcome the challenges associated with AI-generated code. We'll provide step-by-step instructions, technical insights, and best practices to help you maintain the highest standards of code quality and security in your AI-assisted development projects.
What is AI Code Assurance?
Sonar AI Code Assurance addresses these challenges by ensuring AI-generated code adheres to high standards of quality, security, and compliance, tailored specifically for its unique characteristics and requirements.
Understanding Sonar AI Code Assurance
AI Code Assurance is designed to build the confidence and trust developers and organizations need to embrace AI in their coding practices. Its primary goal is to detect issues that may arise from the code produced by AI models, such as inconsistencies, vulnerabilities, or deviations from best practices.
Step-by-Step Guide to Using Sonar AI Code Assurance
We will now walk you through the process of setting up and using Sonar's AI Code Assurance with SonarQube Server to analyze and improve AI-generated code. By following these steps, you'll integrate SonarQube Server into your development workflow, set up automatic detection of GitHub Copilot usage, configure an AI Quality Gate, and leverage Sonar's tools to maintain high-quality, secure AI code in your projects.
AI Code Assurance Prerequisites
Before you begin, ensure you have the following:
- SonarQube Server: Access to a SonarQube Server 2025.1 LTA (or later) instance connected to your DevOps platform of choice (GitHub, GitLab, Azure DevOps, or Bitbucket).
- Supported Programming Languages: Your project should be in a language supported by SonarQube Server (e.g., Java, JavaScript, Python, C#, C++, etc.).
- Administrator Access: Permissions to add applications and manage settings in your DevOps platform.
- CI/CD Environment: Familiarity with your continuous integration and deployment pipelines, if you plan to integrate SonarQube Server analysis into them.
- Existing Project: The project you want to configure should already be set up in SonarQube Server.
Configuring AI Code Assurance is done in four steps:
- Enable AI Code Assurance on projects
- Configure GitHub permissions to detect usage
- Apply a quality gate for AI Code Assurance
- Publish the AI Code Assurance badge
Enable AI Code Assurance on projects
- Open your web browser and go to your SonarQube Server URL.
- Log in with your username and password.
- Once logged in, you will see the list of projects you have access to.
- Click on the project where you want to enable AI Code Assurance.
- From the project's Overview page, click Project Settings > AI-Generated Code and select the Contains AI-generated code option.
- You will also see that Autodetect AI-Generated Code is checked by default.
Starting with the SonarQube Server v2025.1 LTA release, Sonar has introduced the Autodetect AI-Generated Code feature, and it is enabled by default.
Configure GitHub permissions to detect usage
To utilize the Autodetect AI-Generated Code feature, you need to configure your GitHub App to allow SonarQube Server access to your organization's GitHub Copilot usage statistics. Here's how to set it up:
- Create or Manage the GitHub Integration:
  - In SonarQube Server, navigate to Administration > DevOps Platform Integrations > GitHub.
  - From here, you can create a new integration or edit an existing one to connect SonarQube with your GitHub organization.
- Register SonarQube Server as a GitHub App:
  - Follow the prompts to register SonarQube Server as a GitHub App within your organization.
- Adjust Permissions in GitHub:
  - After registration, a Project Administrator should go to GitHub to update the app's permissions.
  - In GitHub, navigate to Your GitHub App > App settings > Permissions & events.
  - Under Organization permissions, find GitHub Copilot Business.
  - Set the access level for GitHub Copilot Business to Read-only.
- Confirm the Integration:
  - GitHub will send a confirmation email as part of its standard procedures.
  - Make sure to acknowledge this email to complete the setup.
If everything is set up correctly, SonarQube Server will check for the presence of AI-generated code each time an analysis is performed. Projects containing autodetected code will display the AI code detected status on the project's Overview and Project Information pages.
Apply a Quality Gate for AI Code Assurance
SonarQube Server recognizes that code generated by AI demands additional scrutiny and elevated quality standards. To ensure the integrity of such code, it recommends implementing rigorous checks that focus on reducing code complexity, eliminating bugs, and eradicating injection vulnerabilities. By leveraging SonarQube’s AI Code Assurance features, you can have confidence that your AI-generated code undergoes thorough review, helping to prevent any potential accountability issues.
To achieve AI Code Assurance in your project, it's recommended to use the Sonar way for AI Code quality gate. This built-in quality gate is specifically designed to safeguard AI-generated code by enforcing strict quality standards.
The Sonar way for AI Code quality gate enforces seven conditions:
- Conditions on New Code:
  - No New Issues Introduced: Ensures that the new code doesn't add any new bugs, vulnerabilities, or code smells.
  - All New Security Hotspots Reviewed: Mandates that any new security hotspots are examined and addressed.
  - High Test Coverage: Requires that new code has a test coverage of 80% or higher, promoting thorough testing practices.
  - Low Duplication: Limits duplication in new code to 3% or less, encouraging developers to write clean, DRY (Don't Repeat Yourself) code.
- Conditions on Overall Code:
  - Security Rating of 'A': The overall codebase must achieve the highest security rating, indicating that known vulnerabilities have been addressed.
  - All Security Hotspots Reviewed: All existing security hotspots in the codebase must be reviewed to ensure they are understood and managed.
  - Reliability Rating of 'C' or Better: The codebase should have a reliability rating of at least 'C', indicating an acceptable level of code reliability.
However, you also have the flexibility to create a custom quality gate for AI Code Assurance based on your project's specific needs.
If you've marked your project as Contains AI-generated code, it's eligible to receive the AI Code Assurance status label. To activate this status, you simply need to apply a quality gate that is qualified for AI code.
You can designate any quality gate as qualified for AI code by assigning it the AI Code Assurance label. To do this:
- Navigate to the Quality Gates page in SonarQube Server.
- Locate your desired quality gate and open the Actions menu.
- Select Qualify for AI Code Assurance from the options.
Once you have a quality gate qualified for AI code, you need to apply it to the project. To do this:
- Navigate to the project’s Overview page in SonarQube Server.
- Locate the Project Settings menu and click on Quality Gate.
- Select Always use a specific Quality Gate from the options.
- Select the Quality Gate that you want to use (the one that you created in the previous step).
- Click on Save.
Publish the AI Code Assurance Badge (for example, in GitHub)
Now that you've turned on AI Code Assurance (AICA) for this project, you may want to add a badge for it to show up in GitHub.
To generate the code of your dynamic project badge:
- From the project's navigation bar, select "Project Information".
- In the Badges section:
  - Select the "AI Code Assurance" badge.
  - In Code format, select Markdown or Image URL depending on how you want to include your badge.
  - Select the Copy button to copy the code of your badge.
Best Practices for Managing AI-Generated Code
Effectively managing AI-generated code is crucial to maintain high standards of quality, security, and maintainability. Here are some key best practices:
Utilize Static Code Analysis Tools
Integrate static code analysis tools like SonarQube for IDE, SonarQube Server, or SonarQube Cloud into your development workflow. These tools automatically detect bugs, code smells, and security vulnerabilities in AI-generated code, providing immediate feedback and ensuring consistent adherence to coding standards.
Establish and Enforce Coding Standards
Develop comprehensive coding standards that include style guidelines, naming conventions, and best practices specific to your project. Enforce these standards through automated linters and formatters, such as SonarQube for IDE, to ensure that AI-generated code aligns with your team's conventions, enhancing readability and maintainability.
Prioritize Security Best Practices
Implement secure coding practices by emphasizing input validation, proper authentication, and secure error handling in AI-generated code. Regularly conduct security assessments and use tools like SonarQube to detect vulnerabilities, ensuring that your software is protected against potential threats.
Manage Code Ownership and Accountability
Assign clear ownership of code modules and promote accountability for all code contributions, including AI-generated segments. Developers should thoroughly review and understand the code they incorporate, maintaining responsibility for its quality and compliance with project standards.
Integrate Continuous Integration and Deployment (CI/CD)
Implement CI/CD pipelines that automate building, testing, and deploying your software. Integrate code analysis tools into the pipeline to automatically enforce quality gates on AI-generated code, ensuring it meets defined standards before merging.
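The following script is an added example (not Sonar's code) of the pipeline check described here, and it reports against the seven conditions of the Sonar way for AI Code quality gate listed earlier. It parses the JSON returned by SonarQube Server's `api/qualitygates/project_status?projectKey=...` Web API; the metric keys are standard SonarQube metric keys, but mapping them onto the gate's seven conditions is this example's assumption, and the sample response is constructed.

```python
"""Fail a CI job when a project's SonarQube quality gate is not passed."""
import json
import sys

# Assumed mapping from SonarQube metric keys to the seven conditions of the
# "Sonar way for AI Code" gate (first four on new code, last three overall).
AI_GATE_CONDITIONS = {
    "new_violations": "No new issues introduced",
    "new_security_hotspots_reviewed": "All new security hotspots reviewed",
    "new_coverage": "High test coverage on new code (>= 80%)",
    "new_duplicated_lines_density": "Low duplication on new code (<= 3%)",
    "security_rating": "Security rating of 'A'",
    "security_hotspots_reviewed": "All security hotspots reviewed",
    "reliability_rating": "Reliability rating of 'C' or better",
}


def gate_passed(project_status_json: str) -> bool:
    """True only when SonarQube reports the overall gate status as OK."""
    return json.loads(project_status_json)["projectStatus"]["status"] == "OK"


def failed_conditions(project_status_json: str) -> list[str]:
    """One readable line per condition whose status is not OK."""
    status = json.loads(project_status_json)["projectStatus"]
    failures = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "OK":
            continue
        label = AI_GATE_CONDITIONS.get(cond["metricKey"], cond["metricKey"])
        failures.append(f"{label}: actual {cond.get('actualValue')} "
                        f"{cond.get('comparator')} threshold {cond.get('errorThreshold')}")
    return failures


# Constructed sample response: coverage on new code fell below 80%.
SAMPLE_RESPONSE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_violations", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "65.2"},
    {"status": "OK", "metricKey": "security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "1"},
]}})

if __name__ == "__main__":
    # Pipe the Web API response on stdin; with no input the sample is used.
    body = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for line in failed_conditions(body):
        print("FAILED:", line)
    sys.exit(0 if gate_passed(body) else 1)
```

Running the script with the sample exits non-zero and names the failed coverage condition; in a pipeline that runs SonarScanner, setting the analysis property sonar.qualitygate.wait=true achieves the same fail-fast behaviour without a separate API call.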
Limit Over-Reliance on AI Tools
Encourage developers to use AI tools as assistants rather than replacements for their expertise. Promote critical evaluation of AI-generated code and maintain regular coding practice without AI assistance to preserve and enhance developers' problem-solving skills.
Conclusion
The launch of AI Code Assurance marks a significant step forward in our commitment to enhancing code quality and security in the age of AI. By providing developers with the tools they need to utilize AI confidently, we are helping organizations accelerate innovation safely and responsibly.
With AI Code Assurance, you can trust that your AI-generated code stays thoroughly reviewed, allowing you to focus on what you do best: creating exceptional software.