As it turns out, my colleague and I just talked at cross-purposes, and he is content with exposing our internal SonarQube server to the internet as long as we forbid anonymous calls as described here by @simon.brandhof.
This question can be closed now.