Company size: Enterprise
Industry: Public Sector, Health Insurance
Key Results:
- Increased code coverage from 40% to 60%
- Achieved a noticeable reduction in production bugs
- Automated quality checks
- Standardized code health metrics for over 2,000 projects
IMSA (Informatique de la Mutualité Sociale Agricole) is the IT provider for France's second-largest health insurance organization. The company manages a complex and diverse technology landscape, yet lacked an objective way to measure code health across its multi-language codebase. IMSA used SonarQube automated code review to establish a mandatory quality gate for all new development, creating a single source of truth for code quality and security that has driven a significant reduction in production bugs and a new culture of accountability.
The challenge: guaranteeing code quality without proof
IMSA’s IT environment is a mix of technologies, including modern Java and JavaScript code alongside legacy COBOL and C code that is decades old. This diversity made it difficult to maintain consistent code standards. Before Sonar, code health was subjective, leaving teams without a reliable way to validate their work or identify risks before they hit production.
“We noticed we didn't have the ability to evaluate our code before using Sonar,” says Grégory Prince, a solution architect at IMSA.
This lack of objective measurement created a cultural divide. While many developers were accustomed to modern tooling, some were resistant to new processes. To reduce risk and unify its software factory, IMSA needed a single solution that could provide objective metrics on code quality and security and consistent governance across all its teams and technologies.
The solution: from subjective to standardized
IMSA’s journey began with the SonarQube Community Edition. Seeing its potential in Java code, they upgraded to the Enterprise Edition to gain automated code review for their COBOL codebase and added portfolio management for a strategic, high-level view.
The team integrated their on-premises SonarQube Server directly into the CI/CD pipeline, making it a mandatory review for all new projects. This automated, non-negotiable step transformed code health from a nice-to-have into a core requirement for deployment. The ability to review both quality and security in one place was critical. "That's what we are trying to do: to shift security, like we shifted quality," explains Jean-Romain Hamel, a product manager at IMSA. SonarQube provided the integrated platform to make this a reality.
"This is a very good point for Sonar integration in our process and tools. We can put it in our process, and the developers can adapt to it without too much difficulty." — Jean-Romain Hamel, Product Manager, IMSA
The results: a measurable transformation in code health
By making SonarQube a cornerstone of its software factory, IMSA created a culture of accountability. Today, every release requires a report with SonarQube indicators, giving leadership clear visibility into the health of the code going to production. Most importantly, this disciplined approach has led to more reliable software. "We've noticed a major reduction in bugs in production by using Sonar," confirms Grégory.
Key results:
- Increased code coverage: After implementing SonarQube, code coverage at IMSA improved from 40% to 60%.
- Reduced production bugs: Achieved a notable reduction in the number of bugs reaching production by catching issues early.
- Improved visibility for leadership: Provided objective data on code health, enabling more informed decisions about technical debt and project investments.
- Automated quality checks: Mandatory quality gate for all new projects, which fails the build if code doesn't meet requirements for coverage (>40%) and duplication (<5%).
- Standardized code health metrics: Ensured consistent reporting across a diverse portfolio of over 2,000 projects spanning Java, COBOL, JavaScript, and more.
What's next: a strategic partnership for continuous improvement
At IMSA, SonarQube is more than just a gate; it's a guide that helps their teams improve the quality and security of their code. IMSA’s focus is on new code, ensuring that the overall health of the codebase progressively improves without asking teams to fix decades of historical debt. As the organization continues to mature its practices, it is now discussing making code security vulnerability fixes a mandatory part of its quality gate, further strengthening its shift-left strategy with Sonar as a key partner.
