SonarQube Enterprise Edition additional notifications

Hello team,

We use SonarQube Enterprise Edition to scan our Terraform repositories but seems like we cannot receive any notifications for example on certain vulnerabilities. We do know that we can receive notification for certain action like “New issues” “Quality gate changes” and a few more but not for what I have mentioned. Also we have noticed that having passwords on plain text will not be detected by SonarQube.

Is it possible somehow to setup those features and if they are not available at the moment is there any plan to be included on any future updates?

Hey there.

What kind of notifications are you expecting? “Certain vulnerabilities” is quite broad!

SonarQube includes some level of secret detection. It would be great if you could point to a specific example that isn’t being detected (some code that reproduces the false-negative)

Hello Colin thank you for your reply,

There is a “Vulnerabilities” section so one option would be to be notified for all of them, specifically in our case we have added AWS Access/Secret Key in the code for testing purposes and it has been detected as a Vulnerability so we would like if possible to be notified as well in case that happens by mistake.

module "database" {
  source = "../modules/aws-rds"

  identifier              = local.fullname
  db_name                 = var.db_name
  username                = "test"
  password                = "test122$!@"
  engine                  = "mysql"

The above example has not been detected!

Ideally we would like also to be able to add additional email addresses to be notified by the SMTP address which is already configured, for example in case of a Vulnerability in the code it would be great a group of people to be notified and not only those who have " Set notifications" on the project level.

This post was flagged by the community and is temporarily hidden.

Hey there.

Thanks for your patience.

As noted previously, the built-in notifications will only let you subscribe to all new issues or a change in Quality Gate. If you’re looking for more flexibility in notifications, you might consider sending Webhooks to another system that is responsible for pushing out notifications to certain users / e-mail lists.

I’m not sure if this should be detected by a Terraform-specific hotspot or by Secrets static code analysis: MySQL database passwords should not be disclosed.

Can you post a complete code sample (an entire file) that reproduces the issue over in this category, so I can assign a team to take a look?

Hello Colin,

We tried to send notifications on Slack but unfortunately that did not work, can you please confirm the compatibility of Slack Webhooks with SonarQube? We have only found some 3rd party plugins that could help us achieve that but they are not maintained anymore. On the top of that i do not think you can control the type of notifications via Webhooks, we want to receive only certain alerts and not when every project analysis has been completed.

I believe detecting passwords on plain text should be part of the vulnerability scanning and i would expect to see that alert you have shared with me “MySQL database passwords should not be disclosed”.
As for the code sample the one i have posted here should be enough, otherwise if the responsible team needs it i can share it via email as it includes a module and variables which is not convenient to post it here.

SonarQube is not natively sending webhooks in a format that Slack can understand… “something” would have to catch it in the middle and reformat it to forward it along. You can vote for a more native integration on our roadmap here.

This is a Community Forum, and we have certain rules and structures. :man_shrugging: I reccomend that you post a full code sample that can reproduce the issue in the appropriate category. Keep in mind that SonarSource also offers Commercial Support.