📝 Abstract
Background: Static Code Analysis (SCA) tools are widely adopted to enforce code quality standards. However, little is known about how open-source projects use and customize these tools.

Aims: This paper investigates how GitHub projects use and customize a popular SCA tool, namely SonarQube Cloud.

Method: We conducted a mining study of GitHub projects that are linked through GitHub Actions to SonarQube Cloud projects.

Results: Among 321 GitHub projects using SonarQube Cloud, 81% are correctly connected to SonarQube Cloud projects, while the others exhibit misconfigurations or restricted access. Among the 265 accessible SonarQube Cloud projects, 75% use the organization's default quality gate, i.e., the set of conditions that deployed source code must meet to pass automated checks. While 55% of the projects use the built-in quality gate provided by SonarQube Cloud, 45% customize their quality gate with different conditions. Overall, the most common quality conditions align with SonarQube Cloud's "Clean as You Code" principle and enforce security, maintainability, reliability, coverage, and little duplication on newly added or modified source code.

Conclusions: Many projects rely on predefined configurations, yet a significant portion customize their configurations to meet specific quality goals. Building on our initial results, we envision a future research agenda linking quality gate configurations to actual software outcomes (e.g., improvement of software security). This would enable evidence-based recommendations for configuring SCA tools like SonarQube Cloud in various contexts.
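As an added illustration (not code from the paper or from SonarSource), this models what the abstract calls a quality gate: a set of conditions on new-code metrics, here the built-in "Sonar way" gate as the editor understands it, plus the kind of per-project customization the study counts. The condition model is simplified and the pull-request measures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    """One quality gate condition: the gate fails when `value op error` holds."""
    metric: str
    op: str      # "GT": fail when value > error; "LT": fail when value < error
    error: float

# Conditions of the built-in "Sonar way" gate, all on new code ("Clean as You
# Code"): ratings must be A (1), hotspots fully reviewed, coverage >= 80%,
# duplicated lines <= 3%. Metric keys follow SonarQube's naming.
SONAR_WAY = (
    Condition("new_security_rating", "GT", 1),
    Condition("new_reliability_rating", "GT", 1),
    Condition("new_maintainability_rating", "GT", 1),
    Condition("new_security_hotspots_reviewed", "LT", 100),
    Condition("new_coverage", "LT", 80),
    Condition("new_duplicated_lines_density", "GT", 3),
)

def evaluate(gate, measures):
    """Return ("OK" | "ERROR", [(metric, value), ...]) for new-code measures.
    A condition whose metric has no measure (e.g. no new lines) is skipped."""
    failed = []
    for c in gate:
        if c.metric not in measures:
            continue
        v = measures[c.metric]
        if (c.op == "GT" and v > c.error) or (c.op == "LT" and v < c.error):
            failed.append((c.metric, v))
    return ("ERROR" if failed else "OK", failed)

def customize(base, overrides):
    """Derive a project gate: an override replaces the base condition on the
    same metric; a condition on any other metric is added to the gate."""
    by_metric = {c.metric: c for c in base}
    by_metric.update({c.metric: c for c in overrides})
    return tuple(by_metric.values())

# Constructed new-code measures for one pull request (hypothetical values).
PR_MEASURES = {"new_security_rating": 1, "new_reliability_rating": 1,
               "new_maintainability_rating": 2, "new_security_hotspots_reviewed": 100,
               "new_coverage": 72.5, "new_duplicated_lines_density": 1.2}

# A relaxed project-specific gate: accept 70% coverage and a B maintainability
# rating on new code, while keeping the security conditions unchanged.
RELAXED = customize(SONAR_WAY, [Condition("new_coverage", "LT", 70),
                                Condition("new_maintainability_rating", "GT", 2)])
```

Running `evaluate(SONAR_WAY, PR_MEASURES)` fails the pull request on maintainability and coverage, while the relaxed gate passes it with the same security conditions still enforced.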