DISA's Security Technical Implementation Guide (STIG) for SonarQube

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube 7.9)
  • what are you trying to achieve
    Trying to implement DISA’s Security Technical Implementation Guide (STIG) for SonarQube.
  • what have you tried so far to achieve this
    Reviewed technical documentation, however, I can’t find whether application has a setting to limit the number of concurrent connections for accounts. I’ll also appreciate any information or documentation relating to STIG implementation for SonarQube.


Welcome to the community!

I’m having trouble crafting an answer to your post because the questions aren’t clear to me.

Are you talking about how many users can access the interface at one time? The only limits are the ones imposed by your infrastructure’s ability to handle the load.

Are you talking about how many analyses can run simultaneously? The answer is the same, since analysis interacts with the server via web service calls.

SonarQube is about static code analysis, and my reading tells me that STIG is more about infrastructure and application configuration. So… from that perspective it feels a bit like apples and oranges. However, it seems there are STIG-compliance scanners you can use, and they output reports. Presumably those report findings could be translated to the Generic Issue Data format and pulled in to SonarQube that way…

I’m not sure it does, but I hope this helps.


Hi! Thank you for you response. My apologies for the confusion and the way I formulated my questions. I am researching the application for a government client and wanted to know whether you had any information or documentation of implementing STIGS to SonarQube. STIGS are a guide used by many government agencies to harden applications such as yours and the underlying infrastructure.

The guide has multiple requirements that an application must meet to be considered compliant. And the question was whether SonarQube can limit the number of concurrent sessions that a singled user can have open. The goal here is to prevent a single user to open multiple browser and create multiple sessions; or better yet, to prevent a DOS attack.


In that case it’s a lot easier to answer. :smile:


I’m pretty sure the answer to this is also “no”, but I’m checking internally. If you don’t hear anything further on this topic then the answer is “no”.

I know this isn’t what you were hoping for, but at least it’s the truth.



MMF-2131 - SonarQube provides DOD-approved Docker images

Target “soon”.


FYI, from SonarQube 8.5 you’ll find new releases in the Iron Bank.