Sonar-Fix: An Open-Source Workflow Solution for AI-Powered Automatic Code Quality Issue Fixing

An organization-level reusable workflow based on GitHub Actions, integrating Claude Code and GitHub Copilot to enable automatic detection, intelligent fixing, and continuous validation of SonarQube code quality issues.

Tags: SonarQube, AI code fixing, GitHub Actions, Claude Code, GitHub Copilot, code quality, automated workflow, MCP protocol, CI/CD, DevOps

Published 2026-05-05 02:46 | Recent activity 2026-05-05 02:50 | Estimated read 8 min

Section 01

Introduction: Sonar-Fix—An Open-Source Workflow Solution for AI-Powered Automatic Code Quality Issue Fixing

Sonar-Fix is an organization-level reusable workflow solution based on GitHub Actions, integrating Claude Code and GitHub Copilot. It enables automatic detection, intelligent fixing, and continuous validation of SonarQube code quality issues, forming a complete closed loop from issue detection to fixing, helping development teams efficiently resolve code quality problems.

Section 02

Project Background and Core Positioning

Sonar-Fix is open-sourced by the SonarSource team. Its core positioning is to build a structured and verifiable automated fixing process rather than simply generating code. It supports two AI coding agents: Anthropic's Claude Code and GitHub Copilot. Adopting a central repository model, it provides a unified workflow center within the organization, allowing other repositories to reuse capabilities, ensuring consistent fixing strategies and reducing maintenance costs.

Section 03

Workflow: Complete Closed Loop from Trigger to Fix

Intelligent Trigger Mechanism

Supports two trigger methods: automatic trigger (when the SonarCloud quality gate fails) and manual trigger (a repository OWNER, MEMBER or COLLABORATOR posts the /sonar-fix command).

Intelligent Classification and Routing

Retrieves the issue list from SonarQube and splits it into an automatic-fix category and a manual-review category, based on the deny list, the allow list, path exclusions, and severity-level/type matching.

AI Agent Fixing Phase

Follows the Guide→Fix→Verify protocol: in the Guide phase, context is obtained via the MCP server; in the Fix phase, minimal modifications are made to address the issues; in the Verify phase, regression tests are run after fixing, with at most 3 Fix/Verify cycles.

Loop Guard and Convergence Mechanism

Fix commits start with the prefix "fix: resolve SonarQube issues". The workflow counts such commits; if the count exceeds MAX_FIX_ATTEMPTS (default 3), automatic triggering is skipped to prevent an infinite fix loop.

Section 04

Configuration System: Flexible and Fine-Grained Control of Fixing Strategies

Multi-dimensional control is achieved via sonar-fix-config.yml:

  • Agent Selection: Specify Claude, Copilot, or enable both;
  • Severity Level Filtering: Configure severity levels for automatic fixing (e.g., BLOCKER, CRITICAL);
  • Issue Type Filtering: Select issue types to handle (BUG, CODE_SMELL, VULNERABILITY);
  • Rule-Level Control: Manage specific rules via allow/deny lists;
  • Path Exclusion: Specify file paths that do not need fixing;
  • Safety Guardrails: Limit the number of issues processed per run, agent iteration count, etc.
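The routing step from Section 03 (deny list, allow list, path exclusion, severity/type matching), the per-run issue cap from the guardrails above, and the loop guard on "fix: resolve SonarQube issues" commits can be modelled in a few lines. The following is an added illustration written for this page, not Sonar-Fix's own code: the configuration is a constructed Python dict standing in for a parsed sonar-fix-config.yml, and every key name except max_issues_per_run and max_turns (both named on the page) is an assumption, as are the rule keys and file paths in the sample issues.

```python
"""Routing and loop-guard logic modelled on the Sonar-Fix description (illustrative)."""
from fnmatch import fnmatch

# Constructed stand-in for a parsed sonar-fix-config.yml.
# Key names other than max_issues_per_run / max_turns are assumptions.
CONFIG = {
    "agents": ["claude", "copilot"],
    "severities": ["BLOCKER", "CRITICAL"],       # only these are auto-fixed
    "types": ["BUG", "VULNERABILITY"],           # CODE_SMELL left for humans here
    "allow_rules": [],                           # empty allow list = no restriction
    "deny_rules": ["java:S1186"],                # hypothetical rule key
    "exclude_paths": ["src/test/*", "*/generated/*"],
    "max_issues_per_run": 2,                     # guardrail named on the page
    "max_turns": 10,                             # guardrail named on the page
}

FIX_COMMIT_PREFIX = "fix: resolve SonarQube issues"
MAX_FIX_ATTEMPTS = 3


def classify_issue(issue, config):
    """Return ("auto" | "manual", reason) for one SonarQube issue dict.

    Deny list and path exclusion are checked first so that a rule a team has
    explicitly refused to auto-fix can never slip through on severity alone.
    """
    if any(fnmatch(issue["path"], pat) for pat in config["exclude_paths"]):
        return "manual", "path excluded"
    if issue["rule"] in config["deny_rules"]:
        return "manual", "rule on deny list"
    allow = config["allow_rules"]
    if allow and issue["rule"] not in allow:
        return "manual", "rule not on allow list"
    if issue["severity"] not in config["severities"]:
        return "manual", "severity not selected"
    if issue["type"] not in config["types"]:
        return "manual", "type not selected"
    return "auto", "matches policy"


def route_issues(issues, config):
    """Split issues into (auto_fix, manual_review), capping auto_fix per run."""
    auto, manual = [], []
    for issue in issues:
        category, reason = classify_issue(issue, config)
        if category == "auto" and len(auto) < config["max_issues_per_run"]:
            auto.append(issue)
        else:
            if category == "auto":
                reason = "deferred: max_issues_per_run reached"
            manual.append({**issue, "reason": reason})
    return auto, manual


def auto_trigger_allowed(commit_messages, max_attempts=MAX_FIX_ATTEMPTS):
    """Loop guard: count prior fix commits on the branch and stop at the limit.

    The page says automatic triggering is skipped once the count exceeds
    MAX_FIX_ATTEMPTS; this example stops as soon as the limit is reached,
    a deliberately conservative reading.
    """
    attempts = sum(1 for m in commit_messages if m.startswith(FIX_COMMIT_PREFIX))
    return attempts < max_attempts


# Constructed sample issues (rule keys and paths are hypothetical).
SAMPLE_ISSUES = [
    {"key": "I1", "rule": "java:S2259", "severity": "BLOCKER", "type": "BUG", "path": "src/main/App.java"},
    {"key": "I2", "rule": "java:S1186", "severity": "CRITICAL", "type": "BUG", "path": "src/main/Util.java"},
    {"key": "I3", "rule": "java:S5131", "severity": "CRITICAL", "type": "VULNERABILITY", "path": "src/main/Web.java"},
    {"key": "I4", "rule": "java:S2259", "severity": "BLOCKER", "type": "BUG", "path": "src/test/AppTest.java"},
    {"key": "I5", "rule": "java:S1135", "severity": "MAJOR", "type": "CODE_SMELL", "path": "src/main/Todo.java"},
    {"key": "I6", "rule": "java:S2259", "severity": "BLOCKER", "type": "BUG", "path": "src/main/Other.java"},
]

# Constructed commit log for a PR branch that already carried two fix rounds.
SAMPLE_COMMITS = [
    "fix: resolve SonarQube issues",
    "chore: bump dependency",
    "fix: resolve SonarQube issues",
]


if __name__ == "__main__":
    auto, manual = route_issues(SAMPLE_ISSUES, CONFIG)
    print("auto-fix:", [i["key"] for i in auto])
    print("manual-review:", [(i["key"], i["reason"]) for i in manual])
    print("auto trigger allowed:", auto_trigger_allowed(SAMPLE_COMMITS))
```

With the sample data, I1 and I3 are routed to the agent, I6 also matches the policy but is deferred by max_issues_per_run, and I2, I4 and I5 go to manual review for the deny list, the excluded test path, and the MAJOR severity respectively. The order of checks matters: putting the deny list and path exclusion before the severity match means a high-severity finding in a denied rule or an excluded path is still kept out of the automatic path.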
Section 05

Deployment and Implementation: Phased Promotion Strategy

Phase 1: Infrastructure Setup

Create an organization-level central repository and configure its secrets (SONAR_TOKEN, API_KEY, etc.) and variables (SONAR_HOST_URL, etc.).

Phase 2: Single Repository Pilot

Select a pilot repository; add the workflow definitions, the configuration file and AGENTS.md; configure SONAR_PROJECT_KEY; then trigger the workflow manually to verify connectivity.

Phase 3: Enable Automatic Mode

After confirming that the manual process works, enable automatic mode so the workflow reacts to SonarCloud quality gate comments.

Phase 4: Large-Scale Promotion

Pin the workflow to a fixed version tag (e.g., v1), then copy the configuration files to more repositories and customize them.

Section 06

Technical Highlights and Innovative Value

  • MCP Protocol Application: Provides AI with structured issue query and rule acquisition capabilities via the SonarQube MCP server, improving fixing accuracy;
  • Agentic Analysis Integration: Self-validation after fixing forms a closed loop to improve reliability;
  • Concurrency Control: Uses the PR number as the concurrency key and cancels older runs when a new comment arrives, so processing always reflects the latest status;
  • Cost and Risk Control: Multi-layered guardrails (max_issues_per_run, max_turns, etc.) balance automation and controllability.
Section 07

Applicable Scenarios and Value Proposition

Sonar-Fix is suitable for:

  • Medium and Large Development Teams: Alleviate bottlenecks in code review and quality fixing;
  • Legacy Code Modernization: Systematically and incrementally improve code quality;
  • Security and Compliance Organizations: Automatically fix high-severity security issues;
  • Teams Pursuing Extreme Efficiency: Achieve left-shift of quality assurance and improve engineering efficiency.
Section 08

Conclusion: A New Direction for AI-Assisted Development

Sonar-Fix represents a new direction for AI-assisted development—using AI as a reliable automated agent to handle repetitive, rule-clear quality fixing tasks. Through structured processes, fine-grained configurations, and verification mechanisms, it balances automation and controllability, providing a practical reference implementation for AI-empowered development workflows. Its open-source nature supports team customization and expansion.