Best Security Practices for GitHub App Integration

Matthew_Pearson · May 6, 2024, 12:30pm

Developer Edition Version 10.3 (build 82913)
EC2 instance with Docker Compose

Hello,
Currently our SonarQube instance is within our Virtual Private Cloud and not accessible to the outside whatsoever. I would really like to use Pull Request decoration with GitHub.com. I have created a GitHub App within our organization, but the only way I have gotten it to work thus far is be assigning the instance a public IP address and allowing incoming traffic on port 80, which is less than ideal from a security perspective.

I would like to know what other teams in a similar situation are doing to make sure that their SonarQube server is secure, or if Sonar has any best practices in this area.

Thank you!

Ilham · May 21, 2024, 12:58pm

Hello Matthieu,

Thank you for your insight.

Are you doing the setup only to be able to see PR decoration in your projects? or do you want also to be able to import your projects from GitHub?

If your only need is to see PR decoration, you do not need to enter your SonarQube URL on GitHub side.

Matthew_Pearson · May 21, 2024, 3:33pm

I would like to see the PR decoration on my GitHub.com pull requests.

Ilham · May 22, 2024, 2:00pm

Hello Matthew,

Thanks for your answer.

The setup should work then without the SonarQube URL.

Topic		Replies	Views
Help in Decorating Pull Requests SonarQube Server / Community Build sonarqube , pull-request	4	568	July 17, 2020
Need guidance on configuring PR Decoration SonarQube Server / Community Build sonarqube	8	1189	July 25, 2019
Github integration in SonarQube SonarQube Server / Community Build sonarqube	4	483	August 19, 2021
Pull Requests Analysis with GitHub SonarQube Server / Community Build sonarqube , jenkins , pull-request	12	8662	August 9, 2019
PR Decoration in GitHub SonarQube Server / Community Build github , pull-request	3	4735	March 27, 2019

Best Security Practices for GitHub App Integration

Related topics