Australian Unity’s efforts to standardise and ‘shift left’ code quality and security checks for all its development activity and codebases have set it up for the AI era, which is producing more code to parse more often.
The “health, wealth and care” provider has set up Sonarqube Cloud as its “group standard” static application security testing (SAST) tool over the past three years.
Head of cloud and DevOps Abhay Sharma told the Sonar Summit 2026 that, when he joined Australian Unity three years ago, Sonarqube existed as a self-managed, on-premise tool used only by “a subset of the business internally that … did a lot of code generation themselves.”
The tool was not used more broadly in part because the organisation favoured a “buy over build” approach to its technology systems.
“I'd say to a point [Sonarqube] was considered ‘shadow IT’ when I initially started.
“[The technology delivery and transformation business unit] essentially took ownership of the tool. And, if I look back, the problem wasn't that we didn't have the static analysis or code coverage abilities. It was the way it was implemented.
“It just wasn't implemented in a way where it would be dependable and [offered] scalable control.”
Sharma said the tool’s setup meant that “it became a bottleneck and teams were just working around it”.
This was increasingly a problem in the “multi-regulated environment” in which Australian Unity operates.
The Australian Prudential and Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC) and the federal government all have an interest in its operations.
“In a regulated environment, what really matters to [auditors] is whether or not you can show three things: that controls exist, that they run consistently and then there is traceable evidence when something fails,” Sharma said.
Striving for consistency
The company has applications and workloads running across public multi-cloud and also a private data centre used “for more sensitive and regulated workloads.”
This move to cloud changed the company’s approach to software development. The company is using code not just for digital applications but also to provision and configure its cloud infrastructure.
Under Sharma, Australian Unity elected to stay with Sonarqube but to set it up as “a unified verification platform [that] enforces rigorous controls from the very first line of development.”
“We wanted to make sure that code quality and security checks were consistent across all the teams,” Sharma said.
“The simplest way for us to enforce this was to consistently apply Sonarqube quality stage gates across all our codebases regardless of what that codebase is for. Applications or infrastructure-as-code, they're all treated the same way.
“If the gate fails, the stage fails [and then] the pipeline fails, and nothing moves on until it's resolved.”
This approach is often termed as “shift left”, since it aims to alert developers to quality and security problems in their code early on when the problems are relatively easy and cheap to correct.
Quality gates implemented in Sonarqube enforce minimum standards for new changes to be introduced to the company’s various codebases.
“These gates give us simple outcomes - pass or fail - and then a clear set of reasons why the control behaved the way it did and that becomes a part of our delivery record. It is produced by the CI/CD pipeline that's tied to the change itself directly,” Sharma said.
Sharma said that one of the gates used is for minimum code coverage on new code being introduced. Code coverage is a measure of how much of the source is actually tested.
“Quite simply, if a minimum threshold of code coverage is not met on a pipeline or new change that's pushed to the environment, the pipeline will fail,” Sharma said.
“It will stop there and it'll prohibit any change getting into any environment, even if it's [for] a lower dev environment.”
In addition to enforcing code quality and security standards, the gate result is also a useful artifact for auditors, given the pass-fail is evidence that the check was made.
“We essentially don't use Sonarqube as a compliance certificate per se, but we use it as evidence that our engineering processes run the same checks every time,” Sharma said.
AI increases code production
Sharma said the number of lines of code run through Sonarqube continues to grow quarter-on-quarter.
“We have significantly increased the lines of code that are under analysis in the last quarter,” he said.
“With the way we’re currently onboarding different projects into Sonarqube, including a mass rollout across all our tech stack that is supported, we're looking at continuing to significantly increase the line of code that is managed by the tool for at least another two-to-three quarters.”
It's anticipated that use of AI code assistants and agents will drive additional growth in the amount of code being produced.
Sharma said the impact of AI in software engineering functions reinforced the need for consistent quality and security measures.
“AI is genuinely increasing the volume of code [and] the frequency of change that any organisation, development team or delivery team is currently generating on a daily basis,” he said.
“It’s significantly higher than before.
“That is really good for productivity, but it also means that our old approaches of relying on senior devs or senior engineers in the team to manually spot anomalies just doesn't scale anymore. It doesn't fit the purpose anymore.”
Sharma cited an internal example of the potential for AI-augmented development.
“I have a couple of developers in one of the projects that I'm actively supporting in our environment. These two devs are really heavy users of AI code assistants,” he said.
“As you may know, a lot of these code assist technologies [have] a quota on the volume of data that the teams can process or code that a developer can generate.
“These two devs ran out of their quota three days in. The volume of code that they were generating was huge.
“This is a real change and it's in front of all of us.”
Balancing speed with safety
Sharma said that the AI augmentation trend underlined the need to continue with efforts around Sonarqube, which is helping the organisation to balance speed with safety.
“The goal for 2026 for us is simple: as the volume of code grows, we have shifted left, enforced consistent and automated verifications for all our codebases, and moved security close to where our developer works. This helps in maintaining velocity without letting the risk creep in,” Sharma said.
Sharma likened the balance of speed and safety in software to that of road safety.
He said that road safety research showed that every kilometre per hour in extra speed typically results in a several percentage point heightening of risk of an accident, and of injury or fatality.
“Software is very similar,” he said.
“If you start cutting corners, if you start pushing risk a little bit to the right, you might not feel it or see it immediately, but over time it will add up and the probability of something going bad or going south just goes up.
He added: “The central verification platform [of Sonarqube] is how we essentially avoid that trade-off.
“It keeps the checks early, it keeps them consistent, and creates visibility so developers can move quickly without having to feel like they're gambling.”
_(33).jpg&h=140&w=231&c=1&s=0)
_(37).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
_(1).jpg&h=140&w=231&c=1&s=0)
