How to secure traffic between SonarQube (server) and Sonar Scanner (client)

Hello,

I’m currently using:

  • SonarQube 7.9.2 running in Docker.
  • Scanner: Sonar Scanner (version 4.2.0).
  • What I’m trying to achieve: secure the traffic between SonarQube and Sonar Scanner.

Current command used to launch the scan:

sonar-scanner --debug --define sonar.login="name-of-account" \
  --define sonar.password="my-password" \
  --define sonar.analysis.mode=publish \
  --define sonar.host.url="http://172.17.0.1:9000/" \
  --define sonar.sources="project-name" \
  --define sonar.sourceEncoding="UTF-8"

Thank you in advance for your help.

Hi.

Two pieces of advice:

  1. Put your server behind a proxy (like nginx) and enable HTTPS: https://docs.sonarqube.org/latest/setup/operate-server/

  2. Use user tokens instead of user/password, so you can revoke the token when necessary: https://docs.sonarqube.org/latest/user-guide/user-token/
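The two recommendations above put together, as an added example (not from this thread or from the SonarQube docs): an nginx reverse proxy that terminates TLS in front of the SonarQube container from the question, followed by the matching scanner invocation that authenticates with a user token over HTTPS. The hostname sonar.example.com and the certificate paths are assumptions.

```nginx
# Added example: nginx terminates TLS and forwards plain HTTP to SonarQube on the
# Docker bridge address used in the question, so credentials and analysis reports
# never cross the network in clear text.
# Assumptions: hostname sonar.example.com, certificate files under /etc/nginx/tls/.

# Port 80 only redirects; nothing is proxied over plain HTTP.
server {
    listen 80;
    server_name sonar.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sonar.example.com;

    ssl_certificate     /etc/nginx/tls/sonar.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/sonar.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Scanner report uploads are larger than nginx's 1m default body limit;
    # without this the scanner fails with HTTP 413 at the end of the analysis.
    client_max_body_size 64m;

    location / {
        proxy_pass http://172.17.0.1:9000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Matching scanner call: HTTPS host URL, a user token in sonar.login and no
# sonar.password. Generate the token under My Account > Security in SonarQube,
# keep it in an environment variable rather than on the command line history,
# and revoke it there if it leaks.
#
#   sonar-scanner --define sonar.host.url="https://sonar.example.com/" \
#                 --define sonar.login="$SONAR_TOKEN" \
#                 --define sonar.sources="project-name" \
#                 --define sonar.sourceEncoding="UTF-8"
```

Set Administration > Configuration > General > Server base URL to https://sonar.example.com so links SonarQube generates use the proxied address; if the certificate comes from a private CA, the scanner's JVM must trust that CA (for example via a trust store passed in SONAR_SCANNER_OPTS), otherwise the HTTPS handshake fails.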