Scaling software quality at Xero: The shift from on-premises to cloud

Company size

  • Enterprise

Industry

  • Technology
  • Financial software

Key results

  • Onboarded 3,500+ repositories across global engineering teams
  • Eliminated infrastructure maintenance
  • Standardized quality gates across all product teams
  • Significantly reduced developer toil

Xero is a cloud-based financial platform headquartered in New Zealand that helps more than 3 million subscribers manage their numbers with confidence. About a year ago, Xero transitioned its code quality and security infrastructure from an on-premises environment to SonarQube Cloud to better support its global engineering teams. Moving from a high-maintenance legacy setup to the cloud meant Xero could successfully onboard 3,500 repositories, eliminate significant infrastructure overhead, and standardize quality gates across the organization.

The challenge: Infrastructure bottlenecks and siloed knowledge 

For seven years, Xero managed code reliability and maintainability on premises. However, as the platform scaled, the security team faced three critical challenges:

  • Heavy maintenance burden: Knowledge of the system was siloed within a few engineers who spent most of their time managing databases and server clusters rather than focusing on strategic security initiatives.
  • Configuration sprawl: A lack of centralized documentation made it difficult to track project ownership or maintain consistent standards across a diverse set of team configurations.

The solution: A strategic migration to the cloud 

In 2024, Xero began evaluating SonarQube Cloud to reduce the manual work required to keep the system running. By early 2025, security and platform engineering teams collaborated on a phased rollout to migrate all repositories.

  • Engaging early adopters: The team partnered with "beta customers" (internal engineering teams) who were already power users of the platform. Their feedback helped create clear documentation and identify technical requirements before the global rollout.
  • Automated migration at scale: In February 2025, Xero used custom scripts and SonarQube Cloud APIs to onboard 3,000 repositories. To ensure a smooth transition, the team maintained the on-premises server for nine months, allowing every team to migrate before the legacy system was decommissioned in late 2025.

The results: Unified standards and reduced engineering toil 

The move to SonarQube Cloud has transformed how Xero manages its codebase health and security by removing technical hurdles and manual overhead. By eliminating infrastructure maintenance, the security team no longer manages databases, backups, or test environments, which has freed up engineers to focus on high-value security work instead of routine system upkeep. 

This shift also provided an enhanced security posture that fits the extremely high standards of Xero as a financial sector organization working with sensitive data. Within the developer workflow, Xero engineers now receive immediate feedback directly in their GitHub pull requests. They are notified instantly if a quality gate fails or if new security hotspots are detected, significantly reducing the effort needed to fix issues. Furthermore, Xero successfully aligned quality gates across all global product teams, ensuring a consistent bar for production-ready code regardless of the team or location. 

As Xero adopts AI assistance in development, Sonar provides a vital verification layer; this "trust and verify" approach ensures all code meets quality and security standards while minimizing manual review work for both human- and AI-generated code. Finally, by using the automatic analysis feature, the security team can identify security issues in new projects without requiring developers to change their build pipelines, making onboarding effortless for new teams.

Looking forward: Strategic visibility and optimization 

With over 3,500 repositories now active in the cloud, Xero is focused on further optimizing the platform.

  • Leadership dashboards: Structuring portfolios to provide general managers with high-level visibility into codebase health and team performance.
  • Tuning rule sets: Refining analysis rules to ensure findings are highly relevant to Xero’s specific architecture.
  • Automated access management: Improving the background processes that sync user permissions between GitHub and SonarQube Cloud.

"We now have greater confidence in what we push to production, whether it was written by a robot or one of our awesome engineers."

Sarah Burgess, Lead Product Manager, Security Team


© 2025 SonarSource Sàrl. All rights reserved.