Stop Managing SonarQube Issues One by One, Introducing SonarPilot
Introduction
If you've worked on a large projects, you know the feeling. You open your SonarQube dashboard, and you're staring at 30,000+ open issues spread across many rules. You need to triage them before the next sprint. You need to assign a category of issues to the right developer. You need to mark 4000 findings as false positives. And the only tool you have is, the SonarQube web UI.
Click. Scroll. Click. Filter. Click again.
This is the reality for thousands of development teams. SonarQube is a fantastic static analysis platform, but its UI is designed for investigating individual issues, not for making mass decisions across hundreds or thousands of findings at once.
We built SonarPilot to solve exactly this problem. It's a Node.js/TypeScript IP accelerator that bridges SonarQube and Microsoft Excel, turning what used to take hours of repetitive portal work into a fast, familiar, spreadsheet-driven workflow. And we've published it as an IP on the Microsoft Chrysalis Portal so the entire community can benefit.
In this blog, we'll walk through the problem in detail, show you how SonarPilot works step-by-step, and share the scenarios where it can save your team significant time.
The Problem: SonarQube at Scale
SonarQube works brilliantly for catching issues during development. But once a project accumulates technical debt or when you onboard a legacy codebase, you're quickly faced with a management problem that the tool itself doesn't solve well.
Here are the specific pain points we kept running into:
- No native bulk-action UI
SonarQube does not provide a way to select all issues under a rule and change their status in one action. You can filter by rule, but resolving or marking issues requires individual interactions. - No offline review or sharing
There's no way to export the backlog, share it with a project manager or architect for review, or triage issues in a meeting without portal access. - Missing rule-level aggregation
Leadership needs answers like "how many OPEN BLOCKER issues do we have in C# code across all security rules?", not a paginated list of individual findings. - Bulk assignment isn't supported
Assigning a category of issues (e.g., all SQL Injection warnings) to a developer requires manual effort, as bulk assignment is limited to a maximum of 400 issues per operation. - False-positive triaging is tedious
Marking 3000 false positives one at a time is slow enough that many teams simply don't do it, leaving dashboards permanently cluttered with noise.
The difference is night and day, from hours of portal clicking to minutes in Excel.
Introducing SonarPilot
SonarPilot is a command-line tool built with Node.js and TypeScript that operates in two primary modes and an optional automation layer:
| Mode | What It Does |
|---|---|
| Read | Connects to SonarQube, fetches all issues grouped by rule, and exports them to a structured multi-tab Excel workbook |
| Update | Reads the triage decisions you made in Excel and pushes them back to SonarQube via its bulk-change API |
| Auto Pipeline | File watcher + Azure Service Bus integration for a fully automated, event-driven update cycle |
The core idea is simple: use Excel as the triage interface. Everyone already knows Excel. You don't need to train anyone on the SonarQube portal to make triage decisions. The workbook becomes the artefact, reviewable, shareable, and auditable and SonarPilot handles the API communication in both directions.
How the Excel Workbook is Structured
When you run Read mode, SonarPilot generates an Excel workbook with the following structure:
Information Sheet -> Report metadata: project key, branch, date generated, language filters, total issue count.
Rules Sheet -> One row per SonarQube rule with:
- Rule key and name
- Severity (BLOCKER, CRITICAL, MAJOR, MINOR, INFO)
- Language
- Issue count (formula-linked to the rule's individual sheet)
- Action column this is where you make your triage decision
One Sheet Per Rule -> Each rule gets its own tab containing every individual issue under that rule, with full details:
- Issue key
- Description / message
- File path and line number
- Current status
- Current assignee
This structure gives you a complete, rule-first view of your entire code quality backlog in a single file.
The workbook structure with the action column legend, this is where triage decisions are made.The Action Column: Your Triage Vocabulary
The action column on the Rules Sheet is what powers SonarPilot's bulk-update capability. When you're ready to make a decision about an entire rule's worth of issues, you type one of the following values:
| Action Value | Effect in SonarQube | Typical Use Case |
|---|---|---|
CONFIRM | Sets status to Confirmed | Acknowledging real issues that need fixing |
UNCONFIRM | Resets status to Reopened | Reversing a previous confirmation |
RESOLVE_FP | Resolves as False Positive | Suppressing findings that don't apply |
RESOLVE_WF | Resolves as Won't Fix | Accepted risk or out-of-scope findings |
RESOLVE_FIXED | Resolves as Fixed | Issues already remediated in code |
ASSIGN:username | Assigns to specified user | Routing issues to the responsible developer |
SET_SEVERITY:value | Changes severity level | Reclassifying issue priority |
SET_TYPE:value | Changes type (BUG, VULNERABILITY, CODE_SMELL) | Correcting miscategorised findings |
You type the action once in the Rules Sheet, run Update mode, and SonarPilot applies that action to every issue under that rule. What would have been 300 clicks becomes a single cell edit.
Step-by-Step: The SonarPilot Workflow
Five steps, from connecting to SonarQube to a fully archived audit trail.Step 1 -> Configure and Connect
Install and configure SonarPilot with zero code changes required. All settings are driven by environment variables or CLI arguments:
npm install
# Set environment variables
export SONAR_URL=https://your-sonarqube-server.com
export SONAR_TOKEN=your-api-token
export SONAR_PROJECT_KEY=your-project-key
export SONAR_BRANCH=main
Or pass them as CLI arguments:
npx ts-node src/index.read.ts --sonarUrl https://your-server.com --sonarToken <token> --projectKey my-project --branch main
Step 2 -> Export Issues to Excel (Read Mode)
Run the Read command to pull the full issue backlog from SonarQube:
npx ts-node src/index.read.tsSonarPilot will:
- Authenticate via your SonarQube API token
- Fetch all quality profiles and rules for the project
- Paginate through the full issue list (handling SonarQube's 10,000-issue API limit)
- Generate a structured Excel workbook with the Information sheet, Rules sheet, and one sheet per rule
The output is a timestamped .xlsx file in the configured output directory.
Step 3 -> Triage in Excel
Open the Excel workbook in Microsoft Excel. Navigate to the Rules Sheet. For each rule you want to act on, type the appropriate action value in the action column:
- Want to mark all "unused import" findings as Won't Fix? Type
RESOLVE_WF - Want to confirm all SQL injection warnings and assign them? Type
CONFIRMin one row,ASSIGN:john.doein another - Want to dismiss 200 false positives in a formatting rule? Type
RESOLVE_FP
Save the file. That's all the human input needed.
Step 4 -> Push Changes Back (Update Mode)
Run the Update command pointing to your modified workbook:
npx ts-node src/index.write.tsSonarPilot reads the action column, maps each action to the corresponding SonarQube API call, and executes them as bulk operations. You'll see a summary of how many issues were updated per rule.
Step 5 -> Verify and Archive
Open your SonarQube dashboard, you'll see all the changes reflected immediately. Keep the Excel workbook as a permanent audit record of what was triaged, when, and by whom.
The Automation Pipeline: Zero-Touch Updates
Drop a file → pipeline runs → SonarQube updated → files archived. No human intervention.For teams that want to go further, SonarPilot supports a fully automated pipeline using Azure Service Bus and a local file watcher:
- Service Bus Listener -> Listens on an Azure Service Bus queue for trigger messages (e.g., from a CI/CD pipeline completing a SonarQube scan)
- Auto-Export -> On receiving a message, automatically runs Read mode to generate the Excel workbook
- File Watcher -> Monitors the output directory using chokidar; when the workbook is saved after triage, it triggers Update mode automatically
- Service Bus Sender -> After the update completes, sends a completion message back to the queue for downstream consumers
This turns the entire Export → Triage → Update cycle into an event-driven pipeline. Configure it once, and the only manual step is opening the Excel file and making your triage decisions.
# Start the Service Bus listener
npx ts-node src/index.servicebus.ts
# Start the file watcher (in a separate terminal)
npx ts-node src/index.filewatcher.tsKey Features at a Glance
| Feature | Description |
|---|---|
| Rule-Grouped Excel Export | Issues organised by rule with one tab per rule, not a flat dump |
| 8 Bulk Actions | Confirm, Unconfirm, Resolve (FP/WF/Fixed), Assign, Set Severity, Set Type |
| Multi-Language Support | Works with any language SonarQube analyses, C#, Java, TypeScript, Python, etc. |
| Pagination Handling | Automatically pages through SonarQube's 10K issue API limit |
| Event-Driven Pipeline | Azure Service Bus + file watcher for hands-free automation |
| Dependency Injection | Built with tsyringe for clean, testable architecture |
| Zero Portal Dependency | All triage happens in Excel, no SonarQube UI training needed |
Real-World Use Cases
Legacy Codebase Onboarding
A project being migrated to a new platform carries 45,000+ historical SonarQube issues. Before the first sprint, the architect exports the workbook, marks 12,000 findings as false positives (legacy patterns from the old framework), and assigns the remaining 33,000 issues to developers by rule category, all done in a 10-minute Excel session. One update run applies everything. The dashboard is clean and actionable on day one.
Security Hotspot Triage
The security team needs to classify all BLOCKER and CRITICAL findings across a multi-language project (C#, TypeScript, Java). SonarPilot exports them grouped by rule across all three languages into a single workbook. The security reviewer works through the Rules sheet, marking known false positives and assigning real findings to the appropriate team. The entire triage is completed and pushed in under one hour, no portal access required for the reviewer.
Sprint Quality Check
Before every sprint review, a developer runs Read mode against the main branch and shares the workbook with the delivery lead. The lead sees at a glance which rules have grown in issue count, marks any quick wins for resolution, and the update run clears them before the sprint demo. Clean dashboards, visible quality progress, zero portal navigation.
Why Excel? Why Not a Custom UI?
The choice to use Excel as the triage interface was deliberate, and it comes down to one thing: zero adoption friction.
Every developer, architect, project manager, and delivery lead already knows Excel. Building a custom web UI would have added weeks of development, required deployment infrastructure, and introduced a learning curve. Excel gives you:
- Sorting and filtering -> instantly see all BLOCKER rules, sort by issue count
- Formulas -> the issue count on the Rules sheet is formula-linked to each rule's sheet
- Shareability -> email the workbook to anyone, no portal access needed
- Auditability -> every decision is recorded in the file, which is then archived
Who Should Use SonarPilot?
- Engineering leads who need to triage thousands of issues across multiple projects before a release gate
- Security teams reviewing vulnerability findings and marking false positives in bulk after a penetration test or onboarding a legacy codebase
- Quality architects who want a shareable, offline artefact for sprint planning meetings, not a live portal session
- DevOps engineers automating quality gates in CI/CD pipelines where SonarQube scan results need programmatic triage
- Migration teams onboarding existing projects to SonarQube where the initial scan produces thousands of pre-existing findings that need bulk disposition
Getting Started
SonarPilot is published as an IP on the Microsoft Chrysalis Portal and available on GitHub.
Prerequisites:
- Node.js v18+ (v20 LTS recommended)
- A SonarQube instance (8.x or 9.x) with an API token
- Microsoft Excel (for viewing/editing the workbook)
- Optional: Azure Service Bus namespace (for Auto Pipeline mode)
Quick Start:
# Clone the repository
git clone https://github.com/HiteshDutt/sonar-qube-desktop-client.git
cd sonar-qube-desktop-client
# Install dependencies
npm install
# Configure (edit src/config/appsettings.ts or use environment variables)
export SONAR_URL=https://your-server.com
export SONAR_TOKEN=your-token
export SONAR_PROJECT_KEY=your-project
# Run Read mode
npx ts-node src/index.read.ts
# Make triage decisions in the generated Excel file...
# Run Update mode
npx ts-node src/index.write.tsWhat's Next?
We're actively developing SonarPilot and have several enhancements planned:
- Branch comparison mode -> Compare issues between two branches to see what's new vs. inherited
- Dashboard summary sheet -> Auto-generated charts in the Excel workbook for executive reporting
- SonarCloud support -> Extending compatibility to SonarCloud's API
- Web UI companion -> A lightweight web interface for teams that prefer browser-based triage
Conclusion
SonarQube is an indispensable tool for code quality. But managing its output at scale, triaging, assigning, resolving, and auditing thousands of issues, has always been a manual, tedious process. SonarPilot bridges that gap by turning Excel into a powerful triage interface and automating the two-way communication with the SonarQube API.
If your team spends hours clicking through the SonarQube portal to manage issues in bulk, give SonarPilot a try. We built it to solve our own pain, and we hope it helps yours too.
Got questions or feedback? Drop a comment below or reach out to us directly. We'd love to hear how you're using SonarPilot and what features would help your workflow.
Microsoft