diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
new file mode 100644
index 0000000..43a5772
--- /dev/null
+++ b/.github/workflows/static-analysis.yml
@@ -0,0 +1,43 @@
+name: static analysis
+
+on:
+  push:
+    branches:
+      - master
+  pull_request_target:
+    types: [labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  static-analysis:
+    name: Static analysis
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'static-analysis')
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relev
+          ref: ${{ github.sha }}
+
+      - name: Setup PHP with Xdebug
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          coverage: xdebug
+
+      - name: Install dependencies with composer
+        run: composer install --no-ansi --no-interaction --no-progress
+
+      - name: Run tests with phpunit/phpunit
+        run: vendor/bin/phpunit --coverage-clover=coverage.xml
+
+      - name: Fix code coverage paths
+        run: sed -i 's@'$GITHUB_WORKSPACE'@/github/workspace/@g' coverage.xml
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
index c6ec904..13596ce 100644
--- a/phpunit.xml.dist
+++ b/phpunit.xml.dist
@@ -21,6 +21,7 @@
             <directory suffix=".php">./</directory>
             <exclude>
                 <directory>./tests</directory>
+                <directory>./vendor/</directory>
             </exclude>
         </whitelist>
     </filter>
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000..0fdccb0
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,14 @@
+sonar.projectKey=chatwork_oauth2-chatwork-php
+sonar.organization=chatwork
+sonar.php.coverage.reportPaths=coverage.xml
+sonar.coverage.exclusions=tests/**
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=oauth2-chatwork-php
+#sonar.projectVersion=1.0
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8