# Sonar-Fix: An Open-Source Workflow Solution for AI-Powered Automatic Code Quality Issue Fixing

> An organization-level reusable workflow based on GitHub Actions, integrating Claude Code and GitHub Copilot to enable automatic detection, intelligent fixing, and continuous validation of SonarQube code quality issues.

- Board: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm)
- Published: 2026-05-04T18:46:24.000Z
- Last activity: 2026-05-04T18:50:05.444Z
- Popularity: 163.9
- Keywords: SonarQube, AI code fixing, GitHub Actions, Claude Code, GitHub Copilot, code quality, automated workflow, MCP protocol, CI/CD, DevOps
- Page link: https://www.zingnex.cn/en/forum/thread/sonar-fix-ai
- Canonical: https://www.zingnex.cn/forum/thread/sonar-fix-ai

---

## Introduction: Sonar-Fix—An Open-Source Workflow Solution for AI-Powered Automatic Code Quality Issue Fixing

Sonar-Fix is an organization-level reusable workflow solution based on GitHub Actions, integrating Claude Code and GitHub Copilot. It enables automatic detection, intelligent fixing, and continuous validation of SonarQube code quality issues, forming a complete closed loop from issue detection to fixing, helping development teams efficiently resolve code quality problems.

## Project Background and Core Positioning

Sonar-Fix is open-sourced by the SonarSource team. Its core positioning is to build a structured and verifiable automated fixing process rather than simply generating code. It supports two AI coding agents: Anthropic's Claude Code and GitHub Copilot. Adopting a central repository model, it provides a unified workflow center within the organization, allowing other repositories to reuse capabilities, ensuring consistent fixing strategies and reducing maintenance costs.

## Workflow: Complete Closed Loop from Trigger to Fix

### Intelligent Trigger Mechanism

Supports two trigger methods: automatic trigger (when the SonarCloud quality gate fails) and manual trigger (a repository OWNER, MEMBER, or COLLABORATOR posts the `/sonar-fix` command in a comment).

### Intelligent Classification and Routing

Retrieves the issue list from SonarQube and sorts each issue into either the automatic-fixing category or the manual-review category, based on the deny list, the allow list, path exclusions, and severity level/type matching.

### AI Agent Fixing Phase

Follows the Guide→Fix→Verify protocol: in the Guide phase, context is obtained via the MCP server; in the Fix phase, minimal modifications are made to address the issues; in the Verify phase, regression tests are run after fixing, for a maximum of 3 cycles.

### Loop Guard and Convergence Mechanism

Fix commits start with `fix: resolve SonarQube issues`. The number of such commits on the branch is counted; if it exceeds `MAX_FIX_ATTEMPTS` (default 3), automatic triggering is skipped to prevent infinite fix loops.

## Configuration System: Flexible and Fine-Grained Control of Fixing Strategies

Multi-dimensional control is achieved via `sonar-fix-config.yml`:
- **Agent Selection**: Specify Claude, Copilot, or enable both;
- **Severity Level Filtering**: Configure severity levels for automatic fixing (e.g., BLOCKER, CRITICAL);
- **Issue Type Filtering**: Select issue types to handle (BUG, CODE_SMELL, VULNERABILITY);
- **Rule-Level Control**: Manage specific rules via allow/deny lists;
- **Path Exclusion**: Specify file paths that do not need fixing;
- **Safety Guardrails**: Limit the number of issues processed per run, agent iteration count, etc.
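The trigger authorization check, the classification/routing rules, the loop guard, and the configuration dimensions above can be shown together in one small script. This is an added illustration and not code from the Sonar-Fix project: the configuration key names (other than `max_issues_per_run` and `max_fix_attempts`, which the post names), the rule keys, the issue data, and the decision to defer eligible issues beyond the per-run cap to a later run are all assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass

# Hypothetical configuration mirroring the dimensions the post lists for
# sonar-fix-config.yml. Key names are assumptions, except max_issues_per_run
# and max_fix_attempts (MAX_FIX_ATTEMPTS on the page); rule keys are placeholders.
CONFIG = {
    "agents": ["claude", "copilot"],
    "severities": ["BLOCKER", "CRITICAL"],
    "types": ["BUG", "VULNERABILITY"],
    "allow_rules": [],                    # empty list = no allow-list restriction
    "deny_rules": ["placeholder:S0001"],  # rules never handed to the agent
    "exclude_paths": ["*/generated/*", "vendor/*"],
    "max_issues_per_run": 2,
    "max_fix_attempts": 3,
}

AUTHORIZED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}
FIX_COMMIT_PREFIX = "fix: resolve SonarQube issues"


@dataclass
class Issue:
    key: str
    rule: str
    severity: str
    type: str
    component: str  # file path within the project


def is_manual_trigger(comment_body: str, author_association: str) -> bool:
    """Manual trigger: the /sonar-fix command from an OWNER, MEMBER or COLLABORATOR.

    Both conditions are required; the command text alone must never start a run,
    otherwise any commenter could drive the agent. Exact-match is an assumption.
    """
    return (author_association in AUTHORIZED_ASSOCIATIONS
            and comment_body.strip() == "/sonar-fix")


def _path_excluded(path: str, patterns: list) -> bool:
    # fnmatch's '*' also crosses '/', so 'vendor/*' covers nested files.
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def classify(issues: list, cfg: dict) -> dict:
    """Split SonarQube issues into 'auto', 'deferred' and 'manual' buckets.

    An issue is handed to the agent only when it passes every filter; each
    failed filter is recorded so a manual-review comment can say why.
    The per-run cap (safety guardrail) moves eligible overflow to 'deferred'.
    """
    eligible, manual = [], []
    for issue in issues:
        reasons = []
        if issue.rule in cfg["deny_rules"]:
            reasons.append("rule on deny list")
        if cfg["allow_rules"] and issue.rule not in cfg["allow_rules"]:
            reasons.append("rule not on allow list")
        if _path_excluded(issue.component, cfg["exclude_paths"]):
            reasons.append("path excluded")
        if issue.severity not in cfg["severities"]:
            reasons.append("severity not enabled")
        if issue.type not in cfg["types"]:
            reasons.append("type not enabled")
        if reasons:
            manual.append((issue.key, reasons))
        else:
            eligible.append(issue.key)
    cap = cfg["max_issues_per_run"]
    return {"auto": eligible[:cap], "deferred": eligible[cap:], "manual": manual}


def fix_commit_count(commit_subjects: list) -> int:
    """Count agent fix commits by their fixed subject prefix."""
    return sum(1 for s in commit_subjects if s.startswith(FIX_COMMIT_PREFIX))


def should_skip_auto_trigger(commit_subjects: list, cfg: dict) -> bool:
    """Loop guard: stop re-triggering once the branch already carries the
    allowed number of fix commits (the exact comparison is an assumption)."""
    return fix_commit_count(commit_subjects) >= cfg["max_fix_attempts"]


# Constructed sample data, not output from a real SonarQube server.
SAMPLE_ISSUES = [
    Issue("AX1", "placeholder:S1001", "BLOCKER", "BUG", "src/main/App.java"),
    Issue("AX2", "placeholder:S1002", "CRITICAL", "VULNERABILITY", "src/main/Auth.java"),
    Issue("AX3", "placeholder:S1003", "CRITICAL", "BUG", "src/main/Db.java"),
    Issue("AX4", "placeholder:S0001", "BLOCKER", "BUG", "src/main/Io.java"),
    Issue("AX5", "placeholder:S1004", "MAJOR", "CODE_SMELL", "src/main/Util.java"),
    Issue("AX6", "placeholder:S1005", "BLOCKER", "BUG", "src/generated/Stub.java"),
]
SAMPLE_COMMITS = [
    "fix: resolve SonarQube issues (AX1, AX2)",
    "docs: update README",
    "fix: resolve SonarQube issues (AX3)",
]

if __name__ == "__main__":
    print(classify(SAMPLE_ISSUES, CONFIG))
    print("skip auto trigger:", should_skip_auto_trigger(SAMPLE_COMMITS, CONFIG))
```

With the sample data, AX1 and AX2 go to the agent, AX3 is deferred by the per-run cap, and AX4 to AX6 are routed to manual review with the filter that stopped them; two fix commits on the branch are still below the limit of three, so the automatic trigger stays enabled.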

## Deployment and Implementation: Phased Promotion Strategy

### Phase 1: Infrastructure Setup

Create an organization-level central repository and configure secrets (SONAR_TOKEN, API_KEY, etc.) and variables (SONAR_HOST_URL, etc.).

### Phase 2: Single Repository Pilot

Select a test repository, add the workflow definition, the configuration file, and AGENTS.md, configure SONAR_PROJECT_KEY, and trigger manually to verify connectivity.

### Phase 3: Enable Automatic Mode

After confirming that the manual process works, enable automatic mode so the workflow reacts to SonarCloud quality gate comments.

### Phase 4: Large-Scale Rollout

Pin the version (e.g., v1), then copy the configuration files to more repositories and customize them per repository.

## Technical Highlights and Innovative Value

- **MCP Protocol Application**: Provides AI with structured issue query and rule acquisition capabilities via the SonarQube MCP server, improving fixing accuracy;
- **Agentic Analysis Integration**: Self-validation after fixing forms a closed loop to improve reliability;
- **Concurrency Control**: Uses the PR number as the concurrency key and cancels older runs when a new comment arrives, so each fix run works from the latest state;
- **Cost and Risk Control**: Multi-layered guardrails (max_issues_per_run, max_turns, etc.) balance automation and controllability.

## Applicable Scenarios and Value Proposition

Sonar-Fix is suitable for:
- **Medium and Large Development Teams**: Alleviate bottlenecks in code review and quality fixing;
- **Legacy Code Modernization**: Systematically and incrementally improve code quality;
- **Security and Compliance Organizations**: Automatically fix high-severity security issues;
- **Teams Pursuing Extreme Efficiency**: Achieve left-shift of quality assurance and improve engineering efficiency.

## Conclusion: A New Direction for AI-Assisted Development

Sonar-Fix represents a new direction for AI-assisted development—using AI as a reliable automated agent to handle repetitive, rule-clear quality fixing tasks. Through structured processes, fine-grained configurations, and verification mechanisms, it balances automation and controllability, providing a practical reference implementation for AI-empowered development workflows. Its open-source nature supports team customization and expansion.
