diff --git a/.cirrus.yml b/.cirrus.yml
index ecbab533..60d66ba1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -1,5 +1,6 @@
 env:
   ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
+  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
   ARTIFACTORY_PRIVATE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
   ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer username]
   ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
@@ -312,3 +313,23 @@ promote_task:
   <<: *POETRY_INSTALL
   <<: *POETRY_SET_VERSION
   promote_script: cirrus_promote
+
+run_iris_task:
+  depends_on:
+    - promote
+  <<: *LINUX_CONTAINER_DEFINITION
+  # only executed in CRON job AND on master branch
+  only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master"
+  env:
+    SONAR_SOURCE_IRIS_TOKEN: VAULT[development/kv/data/iris data.next]
+  matrix:
+    - name: "IRIS SQ NEXT -> Sonarcloud.io"
+      env:
+        SONAR_TARGET_URL: https://sonarcloud.io
+        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu]
+    - name: "IRIS SQ NEXT -> SonarQube.us"
+      env:
+        SONAR_TARGET_URL: https://sonarqube.us
+        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us]
+  script:
+    - .cirrus/run_iris.sh
diff --git a/.cirrus/run_iris.sh b/.cirrus/run_iris.sh
new file mode 100755
index 00000000..c39f6c86
--- /dev/null
+++ b/.cirrus/run_iris.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -euo pipefail
+
+: "${ARTIFACTORY_PRIVATE_USERNAME?}" "${ARTIFACTORY_PRIVATE_ACCESS_TOKEN?}" "${ARTIFACTORY_URL?}"
+: "${SONAR_SOURCE_IRIS_TOKEN?}" "${SONAR_TARGET_IRIS_TOKEN?}" "${SONAR_TARGET_URL?}"
+
+function run_iris () {
+  java \
+    -Diris.source.projectKey="SonarSource_sonar-scanner-python" \
+    -Diris.source.url="https://next.sonarqube.com/sonarqube" \
+    -Diris.source.token="$SONAR_SOURCE_IRIS_TOKEN" \
+    -Diris.destination.projectKey="SonarSource_sonar-scanner-python" \
+    -Diris.destination.url="$SONAR_TARGET_URL" \
+    -Diris.destination.token="$SONAR_TARGET_IRIS_TOKEN" \
+    -Diris.destination.organization="sonarsource" \
+    -Diris.dryrun=$1 \
+    -jar iris-\[RELEASE\]-jar-with-dependencies.jar
+}
+
+VERSION="\[RELEASE\]"
+HTTP_CODE=$(\
+  curl \
+    --write-out '%{http_code}' \
+    --location \
+    --remote-name \
+    --user "$ARTIFACTORY_PRIVATE_USERNAME:$ARTIFACTORY_PRIVATE_ACCESS_TOKEN" \
+    "$ARTIFACTORY_URL/sonarsource-private-releases/com/sonarsource/iris/iris/$VERSION/iris-$VERSION-jar-with-dependencies.jar"\
+)
+
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "Download $VERSION failed -> $HTTP_CODE"
+  exit 1
+else
+  echo "Downloaded $VERSION"
+fi
+
+echo "===== Execute IRIS as dry-run"
+run_iris "true"
+STATUS=$?
+if [ $STATUS -ne 0 ]; then
+  echo "===== Failed to run IRIS dry-run"
+  exit 1
+else
+  echo "===== Successful IRIS dry-run - executing IRIS for real."
+  run_iris "false"
+fi