Best Security Practices for GitHub App Integration

  • Developer Edition Version 10.3 (build 82913)
  • EC2 instance with Docker Compose

Currently our SonarQube instance is within our Virtual Private Cloud and not accessible to the outside whatsoever. I would really like to use Pull Request decoration with I have created a GitHub App within our organization, but the only way I have gotten it to work thus far is be assigning the instance a public IP address and allowing incoming traffic on port 80, which is less than ideal from a security perspective.

I would like to know what other teams in a similar situation are doing to make sure that their SonarQube server is secure, or if Sonar has any best practices in this area.

Thank you!

Hello Matthieu,

Thank you for your insight.

Are you doing the setup only to be able to see PR decoration in your projects? or do you want also to be able to import your projects from GitHub?

If your only need is to see PR decoration, you do not need to enter your SonarQube URL on GitHub side.

I would like to see the PR decoration on my pull requests.

Hello Matthew,

Thanks for your answer.

The setup should work then without the SonarQube URL.