diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
new file mode 100644
index 00000000..698aaa7f
--- /dev/null
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,25 @@
+name: Sonar Validation
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ - name: Grant execute permission for gradlew
+ run: chmod +x gradlew
+ - name: Build with Gradle
+ run: ./gradlew build
+ - name: Build and analyze
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: ./gradlew build sonarqube --info
diff --git a/build.gradle b/build.gradle
index 3f641449..76c6ff0a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -11,6 +11,7 @@ buildscript {
 plugins {
 id("com.diffplug.spotless") version "5.6.1"
 id("com.google.cloud.tools.jib") version "2.6.0"
+ id("org.sonarqube") version "3.3"
 }
 apply plugin: 'java'
@@ -36,6 +37,14 @@ repositories {
 mavenLocal()
 }
+sonarqube {
+ properties {
+ property "sonar.projectKey", "SasanLabs_VulnerableApp"
+ property "sonar.organization", "sasanlabs"
+ property "sonar.host.url", "https://sonarcloud.io"
+ }
+}
+
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
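Review bot: In the new `.github/workflows/sonar.yml`, the `build` job declares no `permissions:` and hands both `GITHUB_TOKEN` and `SONAR_TOKEN` to a Gradle run that also fires on `pull_request`, so the build scripts of a same-repository branch under review execute with whatever scope the repository default grants the token. Adding `permissions: { contents: read, pull-requests: read }` at job level should be enough for PR decoration, though that is worth confirming against the SonarCloud setup. Pull requests from forks receive no `SONAR_TOKEN`, so the "Build and analyze" step will fail there; guard it with `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository` rather than moving the workflow to `pull_request_target`, which would hand the secrets to unreviewed code. `actions/checkout@v2` and `actions/setup-java@v1` are mutable tags, and pinning each to a full commit SHA removes that supply-chain dependency.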
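Review bot: The `sonarqube { properties { … } }` block added in the second `build.gradle` hunk says nothing about where authentication comes from, which invites a later `sonar.login` line carrying a literal token. A one-line comment above `properties` would settle it: `// Auth is read from the SONAR_TOKEN environment variable (set in CI); never commit a token here.` This assumes the plugin picks the token up from the environment, as the workflow added in the same commit implies.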