Connect to GitHub Action without externally exposing entire server

We are running SonarQube v9.2.4 on an internal, VPN-only network. I am trying to set up a GitHub integration. To do so, I will need to expose the SonarQube endpoint. In the documentation, it says to give GitHub your base URL, i.e. https://yourinstance.sonarqube.com. We would prefer to not expose the generic .com URL.

What URL(s) does GitHub Action actually hit? Can we put just those endpoints in the GitHub App? Or, could we just expose those endpoints?

Hey there.

Surely some DEBUG level logs will reveal to you each API call that the scanner makes (add -X under args), and you could derive the list of allowed endpoints from there.

And, these endpoints could change from SonarQube version to SonarQube version and shouldn’t be considered as an API (if they change, we aren’t going to make noise about it).

Typically when an organization has such requirements and doesn’t want to move their SonarQube instance to the cloud, we would suggest using self-hosted runners.
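One way to turn the `-X` debug output mentioned in the reply into a path allowlist, and to re-check it after a SonarQube upgrade since the endpoints can change between versions. This is an added example, not part of the original thread or SonarQube's own tooling; the debug line shape, the hostname and the paths in the sample log are assumptions constructed for illustration, so adjust the regex to what your scanner version actually prints.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of a scanner debug line (verify against your own -X output):
#   12:00:01.123 DEBUG: GET 200 https://host/api/x?y=z | response time=12ms
REQUEST_RE = re.compile(r"DEBUG:\s+(GET|POST|PUT|DELETE|HEAD)\s+(\d{3})\s+(\S+)")

# Constructed sample log; host and paths are placeholders, not a real endpoint list.
SAMPLE_LOG = """\
12:00:01.101 INFO: Scanner configuration file: NONE
12:00:01.230 DEBUG: GET 200 https://sonarqube.internal.example/api/example/one?component=demo | response time=41ms
12:00:01.310 DEBUG: GET 200 https://sonarqube.internal.example/api/example/two | response time=12ms
12:00:02.020 DEBUG: GET 200 https://sonarqube.internal.example/api/example/one?component=other | response time=9ms
12:00:05.440 DEBUG: POST 200 https://sonarqube.internal.example/api/example/submit?projectKey=demo | response time=230ms
12:00:05.500 DEBUG: GET 403 https://sonarqube.internal.example/api/example/denied | response time=5ms
12:00:05.600 DEBUG: GET 200 https://other.example/api/example/one | response time=5ms
"""

def observed_endpoints(log_text, server_host):
    """Return sorted unique (method, path) pairs the scanner requested from server_host."""
    seen = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not an HTTP request line
        method, _status, url = m.groups()
        parts = urlsplit(url)
        if parts.hostname != server_host:
            continue  # calls to other hosts do not belong in this allowlist
        seen.add((method, parts.path))  # query string dropped: allow on method + path
    return sorted(seen)

def diff_allowlist(current, observed):
    """Compare a deployed allowlist with a fresh scanner run, e.g. after an upgrade."""
    current, observed = set(current), set(observed)
    return {"missing": sorted(observed - current),   # scanner needs, proxy blocks
            "unused": sorted(current - observed)}    # proxy allows, scanner no longer uses

if __name__ == "__main__":
    for method, path in observed_endpoints(SAMPLE_LOG, "sonarqube.internal.example"):
        print(method, path)
```

Feed the `missing` entries into the reverse proxy or WAF rule set that fronts the instance, and treat `unused` entries as candidates for removal.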