Deprecating the Webhook IP

According to Sonar’s notification:

As a consequence, we are deprecating the public list of IPs - which you might have configured on your systems. As of June 1st 2019, this list will be removed from the public documentation and the IPs of SonarCloud webhook might therefore change at any point in the future. If you were relying on this list to trust the origin of SonarCloud webhooks, you should consider updating your system to rely on the secret mechanism.

At present we use Jenkins for cooperation with SonarCloud. In order to limit access to Jenkins we whitelisted SonarCloud Webhook IPs.
After SonarCloud Team remove Webhook IPs we have to open Jenkins for all world for accepting response but it is not secure.

Could you, please, provide any secure solutions?
Thank in advance

Hi Viktor,

Your raise a valid point that will be addressed with I don’t have workarounds for the time being.


We have exactly the same issue. Starting from this weekend sonarcloud stopped using one of the previously whitelisted ips and our pipelines stopped working.

We can’t open jenkins to the world if the plugin doesn’t support validating the requests signature.

@Darkheir Just to give a quick update, we recognize this is an important issue. We’ll try to handle it soon.

Hi @Viktor_Kucher and @Darkheir ,

We’ve released version 2.10 of the SonarScanner for Jenkins that can now validate the webhook payload.
You can add a secret to your webhook on SonarCloud and, thanks to this new version of the plugin, set the secret in Jenkins.
For more details, take a look at the documentation here.

1 Like