Scaling Software Quality at Xero with SonarQube Cloud | Sonar Summit 2026
How Xero's engineering team scaled SonarQube Cloud across a large, multi-language codebase, using Quality Gates, code quality policies, and portfolio dashboards to maintain quality as the organization grew.
Introduction
Xero, a cloud-based financial platform serving small businesses, accountants, and bookkeepers, has undertaken a significant infrastructure transformation. Sarah Burgess, Lead Product Manager in Xero's security team and 2025 Sonar Champion, shared the company's journey from managing on-premise SonarQube Server to adopting SonarQube Cloud. This migration represents a strategic shift aimed at reducing operational burden while strengthening code quality and security across the organization's thousands of repositories.
The Challenge: Managing On-Premise Infrastructure
For approximately seven years, Xero relied on SonarQube Server as an on-premise solution to support code reliability, maintainability, and coverage reporting across engineering pipelines. However, this approach presented several challenges. Infrastructure management was complex and knowledge about the system was concentrated among a limited number of engineers. The onboarding process created friction, requiring additional pipeline work that discouraged some teams from adoption. Configuration sprawl and insufficient documentation further complicated operations, while visibility into code security remained limited. When the SonarQube product transitioned to Xero's security team in 2024, leaders recognized that maintenance overhead had become unsustainable.
Strategic Migration to the Cloud
After evaluating alternatives and consulting with engineers, Xero's leadership confirmed that SonarQube Cloud met the organization's needs and could alleviate the maintenance burden. In 2025, the company gained access to SonarQube Cloud and assembled a cross-functional migration team. Experienced teams participated in early testing and provided critical feedback, while communication about the upcoming transition was distributed across all engineering teams. Following initial confusion around automatic analysis features, teams adapted quickly. By February 2025, SonarQube Cloud had been rolled out to thousands of repositories, with teams given approximately nine months to complete their migration from the server instance. On November 17, 2025, Xero successfully decommissioned SonarQube Server.
Key Benefits and Strategic Advantages
The migration delivered substantial improvements across multiple dimensions. By eliminating on-premise infrastructure maintenance, the security team significantly reduced operational workload. The shift to SonarQube Cloud positioned Xero as AI-ready, addressing the growing challenge of validating AI-generated code through comprehensive repository coverage. Automatic analysis capabilities accelerated team onboarding without requiring pipeline modifications, lowering barriers to adoption. GitHub integration enabled developers to receive immediate feedback directly in pull requests, improving code review workflows. The security team also standardized permissions and aligned quality gates across product teams, creating greater consistency in code quality standards.
Looking Forward
Today, more than 3,500 repositories across Xero leverage SonarQube Cloud for continuous code quality monitoring. The organization actively triages security issues and maintains heightened confidence in code reaching production environments. Future priorities include tuning rule sets to better reflect organizational standards, enhancing dashboards to provide leadership visibility, refining onboarding documentation, and improving access management processes. This ongoing refinement demonstrates Xero's commitment to maintaining code quality at scale while supporting developer productivity.
Key Takeaways
- Reduced Operational Burden: Migrating from on-premise to cloud eliminated complex infrastructure management and the reliance on knowledge concentrated among a limited number of engineers, freeing the security team for higher-value work
- Scalability and Coverage: SonarQube Cloud enables analysis across 3,500+ repositories with automatic deployment, supporting rapid organizational growth
- Developer Experience: Automatic analysis and GitHub integration lower adoption barriers and provide immediate feedback without pipeline changes
- Future-Ready Architecture: Cloud-based solution positions Xero to effectively validate AI-generated code as development practices evolve
- Standardized Quality: Unified permissions and aligned quality gates across teams create consistent code quality standards organization-wide