{"id":535643,"date":"2026-03-12T13:51:24","date_gmt":"2026-03-12T13:51:24","guid":{"rendered":"https:\/\/www.newsbeep.com\/au\/535643\/"},"modified":"2026-03-12T13:51:24","modified_gmt":"2026-03-12T13:51:24","slug":"australian-unitys-shift-left-on-code-quality-and-security-is-just-in-time-for-ai","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/au\/535643\/","title":{"rendered":"Australian Unity&#8217;s &#8216;shift left&#8217; on code quality and security is just in time for AI"},"content":{"rendered":"<p>Australian Unity\u2019s efforts to standardise and \u2018shift left\u2019 code quality and security checks for all its development activity and codebases have set it up for the AI era, which produces more code, more often, for those checks to parse.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" id=\"ContentPlaceHolder1_ucArticle_imgImage\" width=\"748\" height=\"420\" src=\"https:\/\/www.newsbeep.com\/au\/wp-content\/uploads\/2026\/03\/ImageResizer.ashx.png\" alt=\"Australian Unity's 'shift left' on code quality and security is just in time for AI\"\/><\/p>\n<p>Australian Unity&#8217;s Abhay Sharma.<\/p>\n<p>The \u201chealth, wealth and care\u201d provider has set up Sonarqube Cloud as its \u201cgroup standard\u201d static application security testing (SAST) tool over the past three years.<\/p>\n<p>Head of cloud and DevOps Abhay Sharma told the Sonar Summit 2026 that, when he joined Australian Unity three years ago, Sonarqube existed as a self-managed, on-premise tool used only by \u201ca subset of the business internally that \u2026 did a lot of code generation themselves.\u201d<\/p>\n<p>The tool was not used more broadly in part because the organisation favoured a \u201cbuy over build\u201d approach to its technology systems.<\/p>\n<p>\u201cI&#8217;d say to a point [Sonarqube] was considered \u2018shadow IT\u2019 when I 
initially started.<\/p>\n<p>\u201c[The technology delivery and transformation business unit] essentially took ownership of the tool. And, if I look back, the problem wasn&#8217;t that we didn&#8217;t have the static analysis or code coverage abilities. It was the way it was implemented.\u00a0<\/p>\n<p>\u201cIt just wasn&#8217;t implemented in a way where it would be dependable and [offered] scalable control.\u201d<\/p>\n<p>Sharma said the tool\u2019s setup meant that \u201cit became a bottleneck and teams were just working around it\u201d.<\/p>\n<p>This was increasingly a problem in the \u201cmulti-regulated environment\u201d in which Australian Unity operates.<\/p>\n<p>The Australian Prudential and Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC) and the federal government all have an interest in its operations.<\/p>\n<p>\u201cIn a regulated environment, what really matters to [auditors] is whether or not you can show three things: that controls exist, that they run consistently and then there is traceable evidence when something fails,\u201d Sharma said.<\/p>\n<p>Striving for consistency<\/p>\n<p>The company has applications and workloads running across public multi-cloud and also a private data centre used \u201cfor more sensitive and regulated workloads.\u201d<\/p>\n<p>This move to cloud changed the company\u2019s approach to software development. 
The company is using code not just for digital applications but also to provision and configure its cloud infrastructure.<\/p>\n<p>Under Sharma, Australian Unity elected to stay with Sonarqube but to set it up as \u201ca unified verification platform [that] enforces rigorous controls from the very first line of development.\u201d<\/p>\n<p>\u201cWe wanted to make sure that code quality and security checks were consistent across all the teams,\u201d Sharma said.<\/p>\n<p>\u201cThe simplest way for us to enforce this was to consistently apply Sonarqube quality stage gates across all our codebases regardless of what that codebase is for. Applications or infrastructure-as-code, they&#8217;re all treated the same way.\u00a0<\/p>\n<p>\u201cIf the gate fails, the stage fails [and then] the pipeline fails, and nothing moves on until it&#8217;s resolved.\u201d<\/p>\n<p>This approach is often termed \u201cshift left\u201d, since it aims to alert developers to quality and security problems in their code early, when those problems are relatively easy and cheap to correct.<\/p>\n<p>Quality gates implemented in Sonarqube enforce minimum standards that new changes must meet before they are introduced into the company\u2019s various codebases.<\/p>\n<p>\u201cThese gates give us simple outcomes &#8211; pass or fail &#8211; and then a clear set of reasons why the control behaved the way it did and that becomes a part of our delivery record. It is produced by the CI\/CD pipeline that&#8217;s tied to the change itself directly,\u201d Sharma said.<\/p>\n<p>Sharma said that one of the gates used is for minimum code coverage on new code being introduced. 
Code coverage is a measure of how much of the source is actually tested.<\/p>\n<p>\u201cQuite simply, if a minimum threshold of code coverage is not met on a pipeline or new change that&#8217;s pushed to the environment, the pipeline will fail,\u201d Sharma said.<\/p>\n<p>\u201cIt will stop there and it&#8217;ll prohibit any change getting into any environment, even if it&#8217;s [for] a lower dev environment.\u201d<\/p>\n<p>In addition to enforcing code quality and security standards, the gate result is also a useful artifact for auditors, given the pass-fail is evidence that the check was made.<\/p>\n<p>\u201cWe essentially don&#8217;t use Sonarqube as a compliance certificate per se, but we use it as evidence that our engineering processes run the same checks every time,\u201d Sharma said.<\/p>\n<p>AI increases code production<\/p>\n<p>Sharma said the number of lines of code run through Sonarqube continues to grow quarter-on-quarter.<\/p>\n<p>\u201cWe have significantly increased the lines of code that are under analysis in the last quarter,\u201d he said.<\/p>\n<p>\u201cWith the way we\u2019re currently onboarding different projects into Sonarqube, including a mass rollout across all our tech stack that is supported, we&#8217;re looking at continuing to significantly increase the line of code that is managed by the tool for at least another two-to-three quarters.\u201d<\/p>\n<p>It&#8217;s anticipated that use of AI code assistants and agents will drive additional growth in the amount of code being produced.\u00a0<\/p>\n<p>Sharma said the impact of AI in software engineering functions reinforced the need for consistent quality and security measures.<\/p>\n<p>\u201cAI is genuinely increasing the volume of code [and] the frequency of change that any organisation, development team or delivery team is currently generating on a daily basis,\u201d he said.<\/p>\n<p>\u201cIt\u2019s significantly higher than before.<\/p>\n<p>\u201cThat is really good for productivity, 
but it also means that our old approaches of relying on senior devs or senior engineers in the team to manually spot anomalies just doesn&#8217;t scale anymore. It doesn&#8217;t fit the purpose anymore.\u201d<\/p>\n<p>Sharma cited an internal example of the potential for AI-augmented development.<\/p>\n<p>\u201cI have a couple of developers in one of the projects that I&#8217;m actively supporting in our environment. These two devs are really heavy users of AI code assistants,\u201d he said.<\/p>\n<p>\u201cAs you may know, a lot of these code assist technologies [have] a quota on the volume of data that the teams can process or code that a developer can generate.\u00a0<\/p>\n<p>\u201cThese two devs ran out of their quota three days in. The volume of code that they were generating was huge.<\/p>\n<p>\u201cThis is a real change and it&#8217;s in front of all of us.\u201d<\/p>\n<p>Balancing speed with safety<\/p>\n<p>Sharma said that the AI augmentation trend underlined the need to continue with efforts around Sonarqube, which is helping the organisation to balance speed with safety.<\/p>\n<p>\u201cThe goal for 2026 for us is simple: as the volume of code grows, we have shifted left, enforced consistent and automated verifications for all our codebases, and moved security close to where our developer works. 
This helps in maintaining velocity without letting the risk creep in,\u201d Sharma said.<\/p>\n<p>Sharma likened the balance of speed and safety in software to the balance struck in road safety.<\/p>\n<p>He said road safety research shows that each extra kilometre per hour of speed typically raises the risk of a crash, and of injury or fatality, by several percentage points.<\/p>\n<p>\u201cSoftware is very similar,\u201d he said.<\/p>\n<p>\u201cIf you start cutting corners, if you start pushing risk a little bit to the right, you might not feel it or see it immediately, but over time it will add up and the probability of something going bad or going south just goes up.\u201d<\/p>\n<p>He added: \u201cThe central verification platform [of Sonarqube] is how we essentially avoid that trade-off.\u00a0<\/p>\n<p>\u201cIt keeps the checks early, it keeps them consistent, and creates visibility so developers can move quickly without having to feel like they&#8217;re gambling.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"Australian Unity\u2019s efforts to standardise and \u2018shift left\u2019 code quality and security checks for all its development 
activity&hellip;\n","protected":false},"author":2,"featured_media":535644,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[256,254,255,64,63,105],"class_list":{"0":"post-535643","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-au","12":"tag-australia","13":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/535643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=535643"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/535643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/535644"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=535643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=535643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=535643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}