
TL;DR

Code Quality Gates is a testing workflow that chains GitHub + SonarQube to automate a common task. SonarQube analyzes every PR for code smells, coverage drops, and security hotspots. PRs below the quality gate are blocked. Once configured, it saves ~5 hours/week per senior reviewer, plus 30-50% reduction in tech debt accumulation and runs through Claude Code, Cursor, Windsurf or any MCP-compatible AI agent.

Testing · Intermediate

Code Quality Gates

SonarQube analyzes every PR for code smells, coverage drops, and security hotspots. PRs below the quality gate are blocked.

20 min setup, quality gates on every PR. 2 MCPs required. Saves ~5 hours/week per senior reviewer, plus 30-50% reduction in tech debt accumulation.


Partial support — 1 of 2 MCPs hostable

Hosted execution needs every MCP on the whitelist. Use the local CLI for this recipe until the missing MCPs are added.

Not yet hostable: SonarQube

$ mcpizy recipe install github-sonarqube-code-quality

Why this combo?

SonarQube has deep static analysis rules built over years; GitHub provides the code diff and the merge gate. Together they enforce quality standards automatically — no manual code review step needed for coverage, duplication, or common security patterns.

Without this workflow

Code review relies on human reviewers catching coverage drops, duplicate code, and security issues — which they miss when the PR is large.

With MCPizy

Every PR is automatically scanned. Quality-gate failures block the merge. SonarQube comments inline on the exact offending lines.

Business value

Concrete ROI — not marketing fluff.

Time saved

~5 hours/week per senior reviewer, plus 30-50% reduction in tech debt accumulation

  • Frees senior engineers from nitpicking PRs — they focus on architecture instead of coverage numbers
  • Prevents tech debt snowball: blocking low-coverage PRs saves ~$50k/year in eventual refactoring cost
  • Catches OWASP-class bugs at PR time — 20x cheaper than fixing after pentest or breach
  • Objective quality metrics replace subjective 'LGTM' reviews — engineering culture becomes merit-based

Workflow steps

  1. PR opened — trigger SonarQube scan
  2. Analyze new code for smells and duplication
  3. Check coverage didn't drop below threshold
  4. Scan for security hotspots (OWASP)
  5. Report quality gate pass/fail on PR

Use cases

  • Enforce minimum test coverage on new code, block PRs that drop it
  • Catch OWASP Top 10 security patterns before they reach main
  • Prevent code duplication from accumulating across the codebase
  • Inline PR comments on exactly which lines have quality issues

MCPs required

  • GitHub: GitHub MCP Server
  • SonarQube: SonarQube MCP Server

Agent prompt (copy into Claude Code)

This prompt is the workflow. Paste into Claude Code, Cursor, or Windsurf.

You are a code-quality gate agent that runs on every PR.

On pull_request opened / synchronize:
1. Call github.get_pull_request(pr_number) to get head SHA + changed files
2. Call sonarqube.scan(project_key, branch=head_branch, sources=changed_files)
3. Poll sonarqube.get_analysis_status until DONE
4. Call sonarqube.get_quality_gate_status(project_key) — read conditions (coverage, duplications, vulnerabilities, bugs)
5. For each failing condition, call github.create_review_comment on the offending line with the SonarQube issue text
6. Call github.create_status(context="sonarqube", state=gate_status === "OK" ? "success" : "failure")

Post a summary comment: "Quality Gate: <status> — coverage <n>%, <n> vulnerabilities, <n> code smells".
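As an added example (not the recipe's own code, and not the MCP servers' API), the decision logic the prompt above describes, in Python: verifying the signature GitHub sends with each POST /webhook/github, filtering to the opened/synchronize events, and turning a quality-gate result into the commit status and summary comment of steps 4-6. The webhook payload and gate result are constructed samples; the gate-result field names follow the shape of SonarQube's /api/qualitygates/project_status response, which is an assumption about what the SonarQube MCP returns.

```python
import hashlib
import hmac

# Constructed sample GitHub pull_request webhook payload, trimmed to the fields used.
SAMPLE_EVENT = {"action": "synchronize", "pull_request": {"head": {"sha": "0123abcd"}}}

# Constructed sample quality-gate result. Field names follow the shape of SonarQube's
# /api/qualitygates/project_status response (an assumption about what the MCP returns).
SAMPLE_GATE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"metricKey": "new_coverage", "status": "ERROR", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "72.5"},
            {"metricKey": "new_vulnerabilities", "status": "OK", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
            {"metricKey": "new_code_smells", "status": "OK", "comparator": "GT",
             "errorThreshold": "10", "actualValue": "3"},
        ],
    }
}

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header) -> bool:
    """Reject any POST /webhook/github whose signature does not match (constant-time compare)."""
    return hmac.compare_digest(sign_body(secret, body), header or "")

def should_scan(event: dict) -> bool:
    """Only the 'opened' and 'synchronize' pull_request actions trigger a scan."""
    return event.get("action") in ("opened", "synchronize") and "pull_request" in event

def failing_conditions(gate: dict) -> list:
    """Gate conditions that need an inline review comment (step 5)."""
    return [c for c in gate["projectStatus"]["conditions"] if c["status"] != "OK"]

def commit_status(gate: dict) -> str:
    """Step 6: GitHub commit status state for the 'sonarqube' context."""
    return "success" if gate["projectStatus"]["status"] == "OK" else "failure"

def summary_comment(gate: dict) -> str:
    """Summary comment in the format the prompt specifies."""
    got = {c["metricKey"]: c["actualValue"] for c in gate["projectStatus"]["conditions"]}
    return (f"Quality Gate: {gate['projectStatus']['status']} - coverage {got['new_coverage']}%, "
            f"{got['new_vulnerabilities']} vulnerabilities, {got['new_code_smells']} code smells")
```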

Trigger & credentials

How this workflow fires and what env vars you need.

.env.example

Webhook trigger: POST /webhook/github (events: pull_request opened, synchronize)

GitHub (1 var)

GITHUB_TOKEN: PAT with repo + statuses scopes (e.g. ghp_...)

SonarQube (3 vars)

SONARQUBE_URL: SonarQube server URL (e.g. https://sonar.company.com)

SONARQUBE_TOKEN: User token with Execute Analysis permission (e.g. squ_...)

SONARQUBE_PROJECT_KEY: Project key in SonarQube (e.g. acme:app)

One-command deploy

Install everything — MCPs, prompt, env template — in a single call.

$ mcpizy recipe install github-sonarqube-code-quality

✓ Installs all 2 MCP servers
✓ Writes prompt to ~/.mcpizy/prompts/github-sonarqube-code-quality.md
✓ Generates .env.example in current directory
✓ Ready to paste into Claude Code

Requires mcpizy CLI v1.1+ — install via npm i -g mcpizy.

Quick install (MCPs only)

$ mcpizy install github && mcpizy install sonarqube


Frequently asked questions

What is this workflow?

Code Quality Gates is a testing automation that uses GitHub + SonarQube together via the Model Context Protocol. SonarQube analyzes every PR for code smells, coverage drops, and security hotspots. PRs below the quality gate are blocked.

How long does setup take?

Setup takes around 20 minutes. You install the required MCP servers with `mcpizy install github && mcpizy install sonarqube`, connect your accounts, and the workflow is ready to run.

How much time does this workflow save?

Once running, this workflow saves ~5 hours/week per senior reviewer, plus a 30-50% reduction in tech debt accumulation. The concrete business value: it frees senior engineers from nitpicking PRs so they focus on architecture instead of coverage numbers, and it prevents the tech debt snowball, since blocking low-coverage PRs saves ~$50k/year in eventual refactoring cost.

Which MCP servers do I need for this?

You need 2 MCP servers: GitHub (`mcpizy install github`) and SonarQube (`mcpizy install sonarqube`). Both are installable in one command via the MCPizy CLI and configured in your `.claude.json` or `.cursor/mcp.json`.

Does this work with Claude Code, Cursor, and Windsurf?

Yes. The workflow runs with any MCP-compatible AI agent — Claude Code, Claude Desktop, Cursor, Windsurf, VS Code with Copilot, and custom agents built on the MCP SDK. The MCP servers are identical across clients; only the config file path (`.claude.json` vs `.cursor/mcp.json`) changes.

Start building this workflow

Install the required MCPs from the marketplace and automate this in about 20 minutes of setup.

$ mcpizy install github && mcpizy install sonarqube


Free to install. Connect your accounts and this workflow runs itself.