Shifting security left: Scaling code quality in a regulated landscape | Sonar Summit 2026
A regulated-industry session on implementing shift-left security at scale, showing how SonarQube's SAST, secrets detection, and Quality Gate enforcement help compliance-driven organizations accelerate safely.
Organization Overview and Operational Complexity
Australian Unity is a long-established Australian organization spanning over 180 years of operation with a mission to positively impact the well-being of millions of Australians. The company operates across three interconnected verticals: health, wealth, and care. This includes diverse business units ranging from wealth and capital markets services offering investment, trustee, and fund management to residential aged care facilities and home health services. Additionally, Australian Unity operates a retail health insurance business. This multi-vertical approach places the organization under multiple regulatory frameworks, including APRA, ASIC, and federal government oversight, creating what Achar Sharma, who heads the public cloud, DevOps, and mobile practices, describes as "a very complex and multi-regulated environment."
Managing Infrastructure Across Regulated Industries
Sharma's team operates the technology infrastructure consumed by all business units across the organization. This includes public cloud workloads deployed across multiple cloud environments, a private data center for sensitive regulated workloads, internal DevSecOps tooling, and mobile applications published through the Google and Apple app stores. The challenge lies in building a single platform that must simultaneously adhere to healthcare regulations, financial services regulations, and long-term care requirements. As Sharma explains, "the platform itself is essentially built to adhere to any of the requirements from any of these regulators," meaning a single development environment commissioning process requires CIS Level One compliance assessment before deployment.
SonarQube as an Audit and Compliance Framework
Rather than using SonarQube as a compliance certificate, Australian Unity leverages it as evidence that engineering processes run identical checks consistently—something that is "really hard to bypass." In regulated environments, auditors focus on three critical elements: whether controls exist, whether they run consistently, and whether there is traceable evidence when something fails. Quality gates serve as minimum standards for new changes, providing simple pass/fail outcomes with clear documentation of why controls behaved as they did. This creates a delivery record tied directly to the CI/CD pipeline rather than subjective opinion, producing artifacts that auditors actually care about: gate results, reports, and evidence of controlled access to rule modifications.
Currency and Consistency in Quality Signals
A key driver for Australian Unity's adoption of SonarQube Cloud over a self-managed deployment was keeping rules and analysis current. As Sharma notes, the organization wanted to "keep the rules and analysis current and reduce the risk of stale quality signals," because outdated checks weaken the evidence presented to auditors. The cloud-based approach ensures that the same consistent set of checks is applied before work is promoted to any environment. Code quality scanning is treated as a mandatory stage gate with formally managed exceptions, and specific measurable thresholds (such as minimum code coverage on new code) are enforced across all development levels. If a minimum coverage threshold is not met, the pipeline fails and the change is blocked from reaching any environment, including development.
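The gate-as-evidence idea from the two sections above (pass/fail outcome, a recorded reason for each failing condition, and formally managed exceptions) can be made concrete in a CI step. The following is an added example, not code from Australian Unity or Sonar; it parses the JSON shape returned by SonarQube's `api/qualitygates/project_status` endpoint, applies an exception register, and emits an audit record. The sample response, the project key `billing-api`, and the exception register are constructed for illustration.

```python
"""CI gate step: consume a SonarQube project_status response, apply
formally managed exceptions, and emit an auditable pass/fail record."""
import json
from datetime import date

# Constructed sample of the JSON shape returned by
# GET /api/qualitygates/project_status?projectKey=... (field names per SonarQube's API).
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "72.5"},
        ],
    }
})

# Hypothetical exception register: keyed by (project, metric), each entry names an
# approver and an expiry so the waiver itself is traceable evidence for auditors.
EXCEPTIONS = {
    ("billing-api", "new_coverage"): {"approved_by": "risk-committee", "expires": "2026-12-31"},
}

def evaluate_gate(response_json: str, project: str, today_iso: str) -> dict:
    """Return an audit record: pass/fail plus the reason for every failing condition."""
    status = json.loads(response_json)["projectStatus"]
    today = date.fromisoformat(today_iso)
    failures, waived = [], []
    for cond in status["conditions"]:
        if cond["status"] != "ERROR":
            continue  # only failing conditions need a recorded reason
        reason = (f"{cond['metricKey']} {cond['actualValue']} "
                  f"{cond['comparator']} threshold {cond['errorThreshold']}")
        exc = EXCEPTIONS.get((project, cond["metricKey"]))
        if exc and date.fromisoformat(exc["expires"]) >= today:
            waived.append({"reason": reason, **exc})  # waived, but still on record
        else:
            failures.append(reason)
    return {"project": project, "sonar_status": status["status"],
            "passed": not failures, "failures": failures, "waived": waived}

if __name__ == "__main__":
    record = evaluate_gate(SAMPLE_RESPONSE, "billing-api", "2026-06-01")
    print(json.dumps(record, indent=2))  # the artifact kept with the pipeline run
    raise SystemExit(0 if record["passed"] else 1)  # non-zero exit fails the stage
```

The printed record, stored with the pipeline run, is the kind of artifact described above: it shows which control ran, what it measured, and who approved any deviation.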
Enterprise Adoption and Scaling
Australian Unity's journey with SonarQube reflects typical enterprise adoption patterns. When Sharma assumed his role approximately three years ago, SonarQube was used only by a subset of the business—primarily teams heavily involved in code generation. Since then, the organization has scaled quality gates and security scanning practices across its entire technology delivery organization, demonstrating how code quality tools can evolve from departmental initiatives to critical components of enterprise governance, audit, and compliance strategies.
Key Takeaways
- SonarQube serves as evidence of consistent engineering controls rather than a compliance certificate, enabling audit-ready documentation of quality gates and their outcomes
- Quality gates with measurable thresholds (such as code coverage requirements) create mandatory stage gates that block pipeline progression when standards are not met
- Cloud-based SonarQube deployment maintains current rules and analysis, preventing stale quality signals that would undermine audit credibility
- Multi-regulated organizations can use a single platform's quality framework to simultaneously satisfy requirements from different regulators (healthcare, financial services, aged care)
- Enterprise-wide adoption of code quality scanning requires formal exception management and treats scanning as a non-negotiable part of the delivery process