Exposing SonarQube API for cloud deployment and/or use with hosted agents - securing SonarQube API


(Jean van Caloen) #1


We need to expose our on-premise-hosted SonarQube instance in order to be able to analyze builds that run on hosted agents (Azure DevOps). We would leverage a reverse proxy. In order to do this in a secure way, we would like to have some authentication on the connection. It seems, however, that some API methods are not authenticated and these are called before a token gets used (check version, get users, download jar file).

We’re currently analyzing 2 tracks:

  • implement the unauthenticated calls in a static fashion on the reverse proxy in order to limit access/avoid misuse, and set up a kind of whitelisting for subsequent calls from the same IP once authenticated
  • use an SSL/SSH tunneling mechanism to create a secure/authenticated channel towards the reverse proxy, which will then tunnel all calls (possibly with stunnel)


  1. Is there a way to deploy SonarQube which is more secure and acceptable to expose on the Internet?
  2. Did anyone already implement such a setup?
  3. Is there any effort to secure the SonarQube API?
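
A sketch of the first track described in the post above (static answers for the pre-token calls, then a per-IP allow-list once a valid token has been seen), as an added example that is not part of the original post or SonarQube's own code. The pre-token path set, the `ProxyPolicy` name and the TTL on the allow-list entry are assumptions; the post specifies none of them.

```python
import hmac
import time

# Assumption: the calls the scanner makes before it sends its token.
# Confirm the real set from your own proxy logs before relying on it.
PREAUTH_GET_PATHS = {"/api/server/version", "/batch/index", "/batch/file"}


class ProxyPolicy:
    """Decide what the reverse proxy does with one inbound request."""

    def __init__(self, valid_tokens, ttl_seconds=900, clock=time.monotonic):
        self._tokens = [t.encode() for t in valid_tokens]
        self._ttl = ttl_seconds
        self._clock = clock
        self._trusted = {}  # source IP -> expiry timestamp

    def _token_ok(self, token):
        # Each comparison is constant-time to avoid leaking token prefixes.
        supplied = token.encode()
        return any(hmac.compare_digest(supplied, t) for t in self._tokens)

    def decide(self, method, path, src_ip, token=None):
        """Return 'static', 'forward' or 'deny'."""
        now = self._clock()
        if token is not None:
            # A presented token is always checked, even from a trusted IP.
            if not self._token_ok(token):
                return "deny"
            self._trusted[src_ip] = now + self._ttl
            return "forward"
        if method == "GET" and path.split("?", 1)[0] in PREAUTH_GET_PATHS:
            # Answered from a copy held on the proxy; never reaches SonarQube.
            return "static"
        if self._trusted.get(src_ip, 0) > now:
            return "forward"
        self._trusted.pop(src_ip, None)  # drop an expired entry
        return "deny"
```

Source IP is a weak identity when hosted agents share egress addresses, so the allow-list entry only narrows exposure and the TTL should stay short.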


(Jean van Caloen) #2

Can I get any feedback on this topic please?