SonarQube integration with GitHub (private network)

openshift4 · March 9, 2023, 7:03pm

Make sure to tell us:

What version are you upgrading from?
System information (Operating system, Java version, Database provider/version)
What’s the issue you’re facing?

Hi SQ community,

We have SonarQube 9.9 LTS installed in our internal network. Only internal people can access SQ.
For any application to be exposed to the outside world, we need to publish an API on our external API gateway and the external API gateway demands authentication (OIDC for authentication and OAuth for Authorization).

On GitHub action, using GitHub runners, we can use cURL in order to send a request to our SonarQube API (e.g., api/monitoring/metric).

In the cURL, we need to specify two headers:

authorization with external API gateway = Authorization: bearer XXXX
SonarQube specific header for authentication = X-Sonar-passcode: YYYY

and it works!

The problem arises when we want to use SonarQube Scanner or mvn, .NET or gradle scanners.
We can’t set this Authorization header in most of them, or at least i don’t know.
For instance, Official SonarQube Scan · Actions · GitHub Marketplace · GitHub entails the following:

  uses: sonarsource/sonarqube-scan-action@master
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

And we receive an error when it spawns a docker and there is a Java application inside that can’t authenticate with our external gateway.

Or, in the following (SonarQube Scan · Actions · GitHub Marketplace · GitHub), again we can’t set the authorization header, as most of examples assume your SonarQube instance is visible and accessible directly from GitHub.

    #- name: SonarQube Scan
    #  uses: kitabisa/sonarqube-action@v1.2.0
    #  with:
    #    host: ${{ vars.SQ_URL_ACPT }}
    #    login: "JAJAJAJAJAJAJAJ"

There are two questions:

What should we do in this scenario? what is the best practice?
(less important question) What kinds of projects can this official action (Official SonarQube Scan · Actions · GitHub Marketplace · GitHub) analyze if it says on its page it doesn’t cover all technologies?

This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
Your code is built with Maven. Read the documentation about our Scanner for Maven.
Your code is built with Gradle. Read the documentation about our Scanner for Gradle.
You want to analyze a .NET solution. Read the documentation about our Scanner for .NET.
You want to analyze C/C++ code. Read the documentation on analyzing C/C++ code.

I really appreciate your assistance in advance.

Wouter_Admiraal · March 17, 2023, 1:02pm

Hi @openshift4,

Just to be clear, X-Sonar-Passcode is not intended to be used for all communication with SonarQube. Its intent is to provide access to certain specific webservice endpoints without needing to use authentication tokens (its mainly intended for monitoring). You cannot rely on it to secure your SonarQube instance from the outside, as it will simply not work for some endpoints.

Why is the Authorization header not enough? The scanners use an Authentication: Basic [base64 encoded token] header to communicate with SonarQube. Why is this not considered safe enough in your context?

Basically, all the others we support : JS, PHP, Python, Go, Swift, Terraform, etc.

openshift4 · April 12, 2023, 2:17pm

Thanks for your response.

You partially answered my questions. The only question which is remained is the following:

We want to integrate GitHub cloud enterprise with our on-prem SonarQube instance.

For instance, we used Official SonarQube Scan · Actions · GitHub Marketplace · GitHub that entails the following:

  uses: sonarsource/sonarqube-scan-action@master
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

The above GitHub action spawns a docker image.

This is how we need to authenticate a request coming to our network from outside:

It must be get authenticated in the API gateway (OAuth) = Authorization: bearer XXXX
Then it goes to SonarQube that expects the X-Sonar-passcode header

The issue is, we cannot set an additional header(Authorization: bearer) in the official GitHub action or SonarScanner for .NET

If we skip the first header (Authorization: bearer), we can reach SonarQube and perform our analysis but the connection is not authenticated before reaching SonarQube!

Any ideas?

Wouter_Admiraal · April 28, 2023, 9:01am

The thing is, you cannot have multiple Authorization headers (as per the HTTP standard). And the scanner is already sending one. So I don’t really see how we could easily solve this unless your gateway can look into different HTTP headers. Like Proxy-Authorization?