mc1arke

mc1arke/sonarqube-community-branch-plugin

Java LGPL-3.0 DevOps Single maintainer risk unsupported-by-vendor

A plugin that allows branch analysis and pull request decoration in the Community version of Sonarqube

2.8k stars
592 forks
recent
GitHub +7 / week

2.8k

Stars

592

Forks

13

Open issues

30

Contributors

26.5.0 01 Jun 2026

AI Analysis

This plugin extends SonarQube Community Edition to enable branch analysis and pull request decoration, features otherwise restricted to commercial editions. It is specifically designed for organizations using SonarQube Community who need multi-branch CI/CD integration without commercial licensing; it is not for users of commercial SonarQube editions or those seeking official vendor support.

DevOps Developer Tool Discovery value: 5/10
Documentation 6/10
Activity 8/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

sonarqube-plugin branch-analysis pull-request-decoration code-quality java
Actively maintained Niche/specialized use case Community favorite LGPL-3.0 licensed Production ready
Deep Analysis · Based on README and public signals
4d ago

Community-maintained SonarQube plugin backports branch and PR analysis to free tier

A Java plugin that replicates SonarQube's commercial branch and pull request analysis features in the Community Edition. Built and maintained by the community (not SonarSource) to fill a gap for teams using free SonarQube who need multi-branch CI/CD integration. Adoption appears concentrated among cost-conscious organizations already committed to SonarQube but not licensed for Developer/Enterprise tiers. Actively maintained with regular compatibility updates matching upstream SonarQube releases.

Origin

Created March 2019 as a response to SonarSource's decision to restrict branch and PR features to commercial editions. Has evolved through multiple SonarQube major versions, with the maintainer (mc1arke) releasing version-matched plugin releases (e.g., 25.4.0 for SonarQube 25.4.x). Maintains official Docker images and Kubernetes Helm integrations.

Growth

Star growth has been steady but modest (2,791 stars, 10 gained in last 7 days as of 2026-06-29). Fork-to-star ratio (592:2791 ≈ 21%) suggests active deployment rather than casual observation. Last commit June 29, 2026 indicates continuous maintenance. Growth likely driven by: (1) SonarQube adoption in cost-sensitive environments, (2) CI/CD teams needing branch tracking without commercial licenses, (3) Docker/Kubernetes ecosystem integration. Not exponential, but consistent with a niche utility project serving a defined problem.

In production

Adoption not verified through public metrics. Evidence suggests real-world use via: (1) 592 forks (higher than typical for academic/hobby projects), (2) Maintained Docker Hub registry with versioned images, (3) Kubernetes Helm integration instructions, (4) CI/CD configuration examples in README. However, no public customer list, corporate adoption statements, or large-scale deployment announcements. GitHub issues/discussions likely contain deployment evidence, but not visible in README.

Code analysis
Architecture

Based on README, uses Java agents (javaagent instrumentation) to intercept and modify SonarQube's web and compute engine (CE) behavior. Appears to replace webapp contents via ZIP override and inject branch/PR logic at runtime. Likely implements class bytecode transformation to hook into SonarQube internals. Implementation details not accessible from README alone, but javaagent approach suggests deep integration points vulnerable to upstream changes.

Tests

Not documented in README. CI/CD badge present (GitHub Actions build status shown), but test execution and coverage metrics not disclosed.

Maintenance

Last push 2026-06-29 (8 days before analysis date) indicates active maintenance. Version compatibility explicitly tied to upstream SonarQube releases (25.4 plugin for 25.4.x SonarQube). Release page referenced as primary source of truth. This is reactive, version-following maintenance rather than feature-driven development — appropriate for a plugin ecosystem dependency.

Honest verdict

ADOPT IF: you are running SonarQube Community Edition and cannot justify commercial licensing, your team uses Git branches heavily in CI/CD, you are comfortable with unsupported third-party runtime instrumentation, and you have verified the version compatibility with your SonarQube release. AVOID IF: you require SonarSource vendor support, you plan to migrate to a commercial SonarQube edition, you need high-risk data continuity assurance, or your organization has policies against javaagent bytecode manipulation in production. MONITOR IF: you are evaluating SonarQube cost/benefit and considering whether commercial branch features justify the upgrade, or you are concerned about long-term plugin maintainability as SonarQube internals evolve.

Independent dimensions

Mainstream potential

2/10

Technical importance

6/10

Adoption evidence

5/10

Risks
  • Javaagent instrumentation creates tight coupling to SonarQube internal APIs; no forward compatibility guarantees if SonarSource refactors web or CE layers, potentially breaking the plugin mid-SonarQube upgrade cycle.
  • README explicitly warns of data loss risk when migrating from Community Edition + plugin to commercial editions; users must understand this is not a safe stepping stone.
  • Maintenance burden falls on single maintainer (mc1arke); project appears stable but has no organizational backing; future availability or response time to SonarQube breaking changes not guaranteed.
  • Official SonarSource channels discourage or close support requests for this plugin; users have no upstream escalation path for production issues.
  • Webapp ZIP replacement step (step 4 in installation) is manual and error-prone; inconsistent application could lead to silent feature degradation or inconsistent behavior.
Prediction

Likely to remain a stable, niche utility for cost-conscious SonarQube Community deployments through 2027–2028. As SonarQube licensing becomes more prevalent in enterprises and free tiers are evaluated less frequently, adoption may plateau or decline. Risk of sudden breakage if SonarSource makes major architectural changes to web/CE layer, but reactive maintenance pattern suggests the maintainer will issue compatibility patches. Not headed toward mainstream adoption or commercial viability; success is defined by reliable compatibility patches, not feature growth.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Java
88.6%
TypeScript
11.1%
Dockerfile
0.2%
Shell
0.1%

Information

Language
Java
License
LGPL-3.0
Last updated
2w ago
Created
89mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

SonarOpenCommunity

SonarOpenCommunity/sonar-cxx

This is a SonarQube plugin that adds C++ language support to SonarQube,...

1.1k Java Dev Tools
SonarSource

SonarSource/sonar-java

SonarSource's official static analyzer plugin for Java code quality and...

1.2k Java Security
SonarSource

SonarSource/sonarqube

SonarQube is a mature, widely-adopted continuous code quality and static...

10.8k Java DevOps
zinja-coder

zinja-coder/jadx-ai-mcp

JADX-AI-MCP is a specialized MCP (Model Context Protocol) server and JADX...

2.5k Java Security
EveryInc

EveryInc/compound-engineering-plugin

Compound Engineering is a Claude Code plugin system that operationalizes a...

22.9k TypeScript Dev Tools
vs. alternatives
SonarQube Developer Edition (commercial)

Official branch/PR support; vendor-backed; no javaagent instrumentation; no data loss risk on migration; licensing cost required. This plugin is a workaround, not a replacement.

SonarQube Enterprise Edition (commercial)

Adds portfolio management and advanced security features; SonarSource official support. Plugin addresses only branch/PR subset of commercial capabilities.

Renovate / Dependabot + SonarCloud (alternative architecture)

Cloud-hosted analysis; no self-hosted infrastructure; per-repo or organization pricing. Different deployment model, not direct plugin competition.

GitLab CI (built-in SAST)

Integrated analysis without SonarQube; requires platform switch. Orthogonal to this plugin's niche.

GitHub Advanced Security (built-in SAST)

Native branch/PR analysis in GitHub; SonarQube integration via actions. This plugin only relevant for self-hosted SonarQube users.