diff --git a/Jenkinsfile b/Jenkinsfile
index 30e3a65..61e147e 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -18,8 +18,8 @@ pipeline {
 DC_DATA = "${JENKINS_HOME}/.dc-cache"
 // ถ้าจะใช้ SonarQube ให้ตั้งค่าตามระบบจริง
- // SONAR_HOST_URL = 'http://sonarqube:9000'
- // SONAR_TOKEN = credentials('SONAR_TOKEN')
+ SONARQUBE_INSTANCE = 'SonarQube'
+ SONAR_PROJECT_KEY = 'AS400API'
 }
 stages {
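Review bot: `SONARQUBE_INSTANCE = 'SonarQube'` is now set unconditionally, so the Roslyn-only `else` branch that this commit adds to the SAST stage is reached only if something overrides the variable with an empty value. The Thai comment kept above the two assignments still reads as a reminder to configure SonarQube for the real system, which no longer matches active settings. A comment on the new lines would make the contract explicit, for example `// Name of the SonarQube server entry configured in Jenkins; an empty value selects the Roslyn-only fallback`, going by the `env.SONARQUBE_INSTANCE?.trim()` test in the stage. The `environment` block starts outside this hunk.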
@@ -125,32 +125,43 @@ pipeline {
 stage('SAST') {
 steps {
- sh '''
- set -euo pipefail
+ script {
+ if (env.SONARQUBE_INSTANCE?.trim()) {
+ withSonarQubeEnv(env.SONARQUBE_INSTANCE) {
+ sh """
+ set -euo pipefail
- if [ -n "${SONAR_HOST_URL:-}" ] && [ -n "${SONAR_TOKEN:-}" ]; then
- echo "=== SAST with SonarQube ==="
- # ถ้าใช้ sonarscanner for .NET (แนะนำ)
- dotnet tool update --global dotnet-sonarscanner || dotnet tool install --global dotnet-sonarscanner
- export PATH="$HOME/.dotnet/tools:${PATH}"
+ echo "=== SAST with SonarQube (${env.SONARQUBE_INSTANCE}) ==="
+ dotnet tool update --global dotnet-sonarscanner || dotnet tool install --global dotnet-sonarscanner
+ export PATH="$HOME/.dotnet/tools:${PATH}"
- dotnet-sonarscanner begin \
- /k:"AS400API" \
- /d:sonar.host.url="${SONAR_HOST_URL}" \
- /d:sonar.login="${SONAR_TOKEN}"
+ dotnet clean -c Release
- dotnet build -c Release
+ dotnet sonarscanner begin \
+ /k:"${env.SONAR_PROJECT_KEY}" \
+ /d:sonar.host.url="\$SONAR_HOST_URL" \
+ /d:sonar.login="\$SONAR_AUTH_TOKEN"
- dotnet-sonarscanner end /d:sonar.login="${SONAR_TOKEN}"
- else
- echo "=== SAST with Roslyn analyzers (no Sonar) ==="
- # เปิด .NET analyzers และ treat warnings เป็น error
- dotnet build -c Release \
- -p:EnableNETAnalyzers=true \
- -p:TreatWarningsAsErrors=true \
- -warnaserror
- fi
- '''
+ dotnet build -c Release \
+ -p:EnableNETAnalyzers=true \
+ -p:TreatWarningsAsErrors=true \
+ -warnaserror
+
+ dotnet sonarscanner end /d:sonar.login="\$SONAR_AUTH_TOKEN"
+ """
+ }
+ } else {
+ sh '''
+ set -euo pipefail
+ echo "=== SAST with Roslyn analyzers (no Sonar) ==="
+ dotnet clean -c Release
+ dotnet build -c Release \
+ -p:EnableNETAnalyzers=true \
+ -p:TreatWarningsAsErrors=true \
+ -warnaserror
+ '''
+ }
+ }
 }
 }
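Review bot: Switching the Sonar branch from `sh '''` to `sh """` makes Groovy, not the shell, expand `$HOME` and `${PATH}` in the `export PATH=...` line, and the token stays out of the Groovy string only because of the backslash in `\$SONAR_AUTH_TOKEN`; one dropped backslash in a later edit would interpolate the secret into the script text. Since `SONARQUBE_INSTANCE` and `SONAR_PROJECT_KEY` come from the `environment` block, the step can stay single-quoted and use shell variables throughout, e.g. `/k:"$SONAR_PROJECT_KEY" \` and `/d:sonar.login="$SONAR_AUTH_TOKEN"`. The token is also passed as a command-line argument on the `begin` and `end` lines, so it is visible in the agent's process list while the scanner runs; `withSonarQubeEnv` already exports the connection settings, and it is worth confirming whether the scanner version in use picks them up without `/d:sonar.login`. Separately, with `set -euo pipefail` and `-warnaserror`, a build that fails on analyzer warnings exits before `dotnet sonarscanner end`, so no analysis is uploaded for exactly those builds.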