Securing access from GitHub to SonarQube instance

SonarQube version: 9.3.0.51899

Recently I’ve set up a SonarQube instance with SonarScanners working from GitHub Actions. The server is secured via HTTPS but is externally accessible right now due to GitHub needing access, and I’m looking for ways to secure that access further.

One option is of course to use GitHub’s IP list and set up whitelist rules for every IP, but this route seems more trouble than it’s worth.

Another option GitHub has is a way to secure webhooks with a secret. However, looking through the SonarQube documentation/settings I can’t find anything about this integration. Is it possible to secure GitHub webhooks with a secret and have SonarQube verify the signature for each request?

Additionally, is there any further configuration we can implement to secure SonarQube while still being accessible from GitHub?

Hi,

Welcome to the community!

Are you talking about webhooks called from GitHub to notify SonarQube (of what?) or SonarQube webhooks to notify GitHub? If the latter, you can indeed configure a secret into SonarQube webhooks. The docs should help.

HTH,
Ann
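For the case Ann describes (a SonarQube webhook with a secret configured, calling a server you run), here is an added example of the receiving side. It is not code from this thread or from SonarSource: it assumes SonarQube sends a hex-encoded HMAC-SHA256 of the raw request body in the `X-Sonar-Webhook-HMAC-SHA256` header (check that against your own version's docs), and the secret value, handler class and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header SonarQube adds to outgoing webhook requests when a secret is configured
# (hex HMAC-SHA256 of the raw body). Assumed to match the SonarQube version in use.
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received, keyed with the shared secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_sonar_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the request carries a valid signature for raw_body.

    Header names are matched case-insensitively; the comparison is constant-time
    so a sender cannot learn the expected value byte by byte from timing.
    """
    provided = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            provided = value.strip().lower()
            break
    if not provided:
        return False  # unsigned requests are rejected, never treated as trusted
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, provided)


class SonarWebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver: reject anything whose signature does not verify."""

    secret = "replace-me"  # hypothetical; load from config or environment in practice

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw_body = self.rfile.read(length)  # sign-check the raw bytes, not a re-serialised copy
        if not verify_sonar_webhook(self.secret, dict(self.headers.items()), raw_body):
            self.send_response(401)
            self.end_headers()
            return
        payload = json.loads(raw_body)  # parse only after the signature checks out
        self.log_message("analysis %s status=%s", payload.get("taskId"), payload.get("status"))
        self.send_response(204)
        self.end_headers()


# Constructed sample: what a signed request would look like on the wire.
SAMPLE_SECRET = "example-shared-secret"
SAMPLE_BODY = json.dumps(
    {"taskId": "AX-example", "status": "SUCCESS", "project": {"key": "my-project"}}
).encode("utf-8")
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY),
}
TAMPERED_BODY = SAMPLE_BODY.replace(b"SUCCESS", b"FAILED")

if __name__ == "__main__":
    print("valid request  :", verify_sonar_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    print("tampered body  :", verify_sonar_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, TAMPERED_BODY))
    print("missing header :", verify_sonar_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
    HTTPServer(("127.0.0.1", 8080), SonarWebhookHandler).serve_forever()
```

The two details that matter are that the signature is computed over the raw bytes as received (re-serialising the JSON first would change whitespace and break the check) and that a missing header fails closed rather than being treated as an unsigned-but-accepted request.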

Hi Ann,

Sorry, I’m confusing myself a bit. I was conflating posting of the test results to the SonarQube API from GitHub as a webhook. Since API access is secured via a token, I think that we’re safe there.

In terms of the second part, SonarQube webhooks to notify GitHub, I think that’s outside the scope of our current setup? Right now GitHub kicks off the SonarScanner action on new commits which then posts to our SonarQube instance when done. SonarQube posts back to the GitHub API to comment on PRs via the app credentials. In which case, we couldn’t/don’t need to set up any webhook secrets on the SonarQube side (would only be possible/required if we set up our own server to accept webhooks from SonarQube)?

Do I have that right/are there any other communication pieces I’m missing there?

Hi,

No, I think you’re probably good.

Ann