SonarQube integration with GitHub (private network)

Hi SQ community,

We have SonarQube 9.9 LTS installed in our internal network. Only internal people can access SQ.
For any application to be exposed to the outside world, we need to publish an API on our external API gateway and the external API gateway demands authentication (OIDC for authentication and OAuth for Authorization).

In GitHub Actions, using GitHub runners, we can use cURL to send a request to our SonarQube API (e.g., api/monitoring/metric).

In the cURL, we need to specify two headers:

  1. authorization with external API gateway = Authorization: bearer XXXX
  2. SonarQube specific header for authentication = X-Sonar-passcode: YYYY

and it works!

The problem arises when we want to use SonarQube Scanner or mvn, .NET or gradle scanners.
We can’t set this Authorization header in most of them, or at least I don’t know how.
For instance, Official SonarQube Scan · Actions · GitHub Marketplace · GitHub entails the following:

  uses: sonarsource/sonarqube-scan-action@master
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

And we receive an error when it spawns a docker and there is a Java application inside that can’t authenticate with our external gateway.

Or, in the following (SonarQube Scan · Actions · GitHub Marketplace · GitHub), again we can’t set the authorization header, as most of examples assume your SonarQube instance is visible and accessible directly from GitHub.

    #- name: SonarQube Scan
    #  uses: kitabisa/sonarqube-action@v1.2.0
    #  with:
    #    host: ${{ vars.SQ_URL_ACPT }}
    #    login: "JAJAJAJAJAJAJAJ"

There are two questions:

  1. What should we do in this scenario? what is the best practice?
  2. (less important question) What kinds of projects can this official action (Official SonarQube Scan · Actions · GitHub Marketplace · GitHub) analyze if it says on its page it doesn’t cover all technologies?

This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:

  • Your code is built with Maven. Read the documentation about our Scanner for Maven.
  • Your code is built with Gradle. Read the documentation about our Scanner for Gradle.
  • You want to analyze a .NET solution. Read the documentation about our Scanner for .NET.
  • You want to analyze C/C++ code. Read the documentation on analyzing C/C++ code.

I really appreciate your assistance in advance.

Hi @openshift4,

Just to be clear, X-Sonar-Passcode is not intended to be used for all communication with SonarQube. Its intent is to provide access to certain specific webservice endpoints without needing to use authentication tokens (it’s mainly intended for monitoring). You cannot rely on it to secure your SonarQube instance from the outside, as it will simply not work for some endpoints.

Why is the Authorization header not enough? The scanners use an Authentication: Basic [base64 encoded token] header to communicate with SonarQube. Why is this not considered safe enough in your context?
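The root of the problem in the question, as an added example (not code from either post; all token and passcode values are constructed): the gateway's bearer token and the scanner's Basic auth both live in the same `Authorization` header, so the two header sets from the thread cannot be merged into one request, and the Basic value is only an encoding of the Sonar token, not a secret in itself.

```python
import base64

# The header name used both by the external API gateway (Bearer) and by the
# SonarQube scanners (Basic), which is why the two cannot simply be combined.
AUTH_HEADER = "Authorization"


def sonar_basic_auth(token: str) -> str:
    """Build the Basic auth value a scanner sends for a SonarQube user token.

    The token is the username and the password is left empty."""
    return "Basic " + base64.b64encode(f"{token}:".encode("ascii")).decode("ascii")


def basic_auth_token(header_value: str) -> str:
    """Recover the token from a Basic auth value: base64 is reversible, so this
    header is only as confidential as the TLS connection carrying it."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    return base64.b64decode(encoded).decode("ascii").split(":", 1)[0]


def curl_headers(gateway_bearer: str, passcode: str) -> dict:
    """Headers of the working cURL call from the question (constructed values):
    the gateway's bearer token plus X-Sonar-Passcode for the monitoring endpoint."""
    return {AUTH_HEADER: f"Bearer {gateway_bearer}", "X-Sonar-Passcode": passcode}


def scanner_headers(sonar_token: str) -> dict:
    """Headers a scanner sends to SonarQube, as described in the reply."""
    return {AUTH_HEADER: sonar_basic_auth(sonar_token)}


def header_conflicts(*header_sets: dict) -> list:
    """Return header names (case-insensitive) that appear in more than one set
    with different values; such sets cannot coexist in a single HTTP request."""
    seen = {}
    conflicts = set()
    for headers in header_sets:
        for name, value in headers.items():
            key = name.lower()
            if key in seen and seen[key] != value:
                conflicts.add(key)
            seen.setdefault(key, value)
    return sorted(conflicts)


if __name__ == "__main__":
    # Gateway bearer + scanner Basic auth collide on the Authorization header.
    print(header_conflicts(curl_headers("gw-token", "pass"), scanner_headers("squ_abc")))
```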

Basically, all the others we support :smile:: JS, PHP, Python, Go, Swift, Terraform, etc.