How to reverse engineer the Sonar Web API

Every action that is taken in the SonarQube / SonarCloud UI is driven by the Web API. There is nothing you can do in SonarQube / SonarCloud that you cannot do using the Web API.

:warning: We put a great deal of effort into the UI and UX of our products and sincerely think that most actions should be completed there. Especially when it comes to viewing analysis results, the UI is the best place to view up-to-date information with the right context. We think it is much better that you give access to others to view analysis data within our products, rather than craft some export.

And, we recognize that there are common administrative actions where using Web APIs to help with automation makes sense. There are also surely some interesting reports not available in the UI where you would need to export the data from SonarQube.

A link to the Web API documentation for your SonarQube instance can always be found in the footer of your instance. The SonarCloud Web API is documented here.

You’ll find that most endpoints are properly documented, while some are not or are lacking in documentation.

If you’re not sure which Web API to use, you can reverse engineer what’s happening in the UI by diving into your browser’s dev tools.

Example: Retrieve historical coverage measures

  • Go to the Activity tab of a project

  • Open your browser’s dev tools (here we’ll use Chrome), switch to the Network tab, and select the Fetch/XHR filter:

  • Switch the metric filter to Coverage

Suddenly, it’s very clear from the Request URL which API was called. The Payload tab and Preview/Response tabs make it clear what query parameters are used and what the response was.

Thanks to Discourse for the inspiration
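The dev-tools procedure above can be scripted by saving the Network tab capture as a HAR file and listing the Web API calls it contains. This is an added example, not part of the original post or any Sonar code; the host, project key and the two calls in the sample capture are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of a HAR export from the Network tab; the host,
# project key and parameter values are made up for illustration.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://sonar.example.test/api/measures/search_history"
                        "?component=my-project&metrics=coverage&ps=1000"},
     "response": {"status": 200}},
    {"request": {"method": "GET",
                 "url": "https://sonar.example.test/js/app.js"},
     "response": {"status": 200}},
    {"request": {"method": "POST",
                 "url": "https://sonar.example.test/api/project_tags/set",
                 "postData": {"params": [{"name": "project", "value": "my-project"},
                                         {"name": "tags", "value": "team-a"}]}},
     "response": {"status": 204}},
]}})


def web_api_calls(har_text):
    """Return one record per distinct (method, path) Web API call in a HAR capture."""
    seen = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        start = parts.path.find("/api/")
        if start < 0:
            continue  # static assets and other non-API requests
        path = parts.path[start + 1:]  # drops any context path in front of api/
        # Parameters arrive in the query string (GET) or in a form body (POST).
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        names += [p["name"] for p in req.get("postData", {}).get("params", [])]
        rec = seen.setdefault((req["method"], path), {"params": set(), "statuses": set()})
        rec["params"].update(names)
        rec["statuses"].add(entry["response"]["status"])
    # Only parameter names are kept: values, cookies and tokens stay out of the result.
    return [{"method": m, "path": p, "params": sorted(r["params"]),
             "statuses": sorted(r["statuses"])} for (m, p), r in seen.items()]


if __name__ == "__main__":
    for call in web_api_calls(SAMPLE_HAR):
        print(call["method"], call["path"], call["params"], call["statuses"])
```

A HAR export also records cookies and authorization headers for every request, so store and share the file as you would a credential.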


Hi Colin, I really like this explanation. I am not that much interested in frontend development and that made it hard for me to “grok” the easy way that Ann mentioned in some replies (how to eavesdrop on the Web API usage) :+1: For this, your howto helps a lot!

Concerning the below quoted paragraph (and combining it with your current survey question about “communitysm”) … maybe you might be able to find a way to “channel” some energy concerning “common administrative actions”? I really would be looking forward to it! (because some lonely helpful threads really get easily lost in the sea of new postings).

Sadly, I was not able to find an easy solution … how to structure that? By tag? In its own “compartment” (e.g. smth like here)? I have no good suggestion to make :confused:

Hey Colin,

great post! This is exactly what I have been using for years to get in deeper with many tools.
I remember with a shudder the crappy browser tools of IE 11, but these days press F12 and start diving :joy:

I hope this is on-topic (enough), but I’ve been using both the Web API documentation and the network activity in the UI to help me with building automations for SonarCloud. The Web API is especially useful as it lets me generate a typed client by inspecting (I have a go-sonarcloud client which, in turn, is used to build a Terraform provider for SonarCloud.)

My question is now: how should I deal with either deprecated endpoints or endpoints that are missing in the webservices/list? I figure for missing endpoints I could open a feature request at , though it doesn’t feel like a feature request.

As an example of where I’m having problems: there are two important endpoints regarding permissions that have been marked deprecated for well over a year, but they still work. The API endpoints that replace them are not registered yet in the Web API Documentation, though they are in use by the UI. I’m still using the deprecated API endpoints, simply because I can generate the client code for them. I’d have to do manual work to add support for the new endpoints, and I kind of hate doing manual work :sweat_smile:.

Do you have any tips for a course of action here @Colin?
