SonarQube security hardening

SonarQube 8.9.3
SonarScanner for Azure DevOps 5.x / 4.x

Hi!

We are planning to integrate SonarScanner for Azure DevOps into our pipelines and because our pipelines run on Microsoft-hosted agents, we’ll have to expose our SonarQube server to the internet. To reduce attack surface, we would like to expose only those SonarQube APIs that are necessary for the SonarScanner to function properly. Any suggestions on which APIs we should expose?

Hi,

Welcome to the community!

To be clear, when you say “expose” I guess you mean “make visible outside your network”?

Regarding the API list, the easiest thing to do here is run an analysis & see which APIs are called. I could rattle off a few, but I might miss some.

HTH,
Ann
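One way to act on the suggestion above, as an added example that is not part of the thread: capture the reverse-proxy access log for a single analysis run, list the /api/ endpoints the build agent actually hit, and turn that list into an exact-match allowlist for the public listener. The log lines, the agent IP 10.0.0.5 and the upstream address are constructed assumptions, nginx is assumed as the proxy, and the endpoints in the sample are illustrative rather than a claimed list of what SonarScanner calls.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format) as a reverse proxy in
# front of SonarQube might record them during one analysis run. Illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2021:10:00:01 +0000] "GET /api/server/version HTTP/1.1" 200 5
10.0.0.5 - - [01/Oct/2021:10:00:02 +0000] "GET /api/settings/values?component=demo HTTP/1.1" 200 812
10.0.0.5 - - [01/Oct/2021:10:00:03 +0000] "GET /api/plugins/installed HTTP/1.1" 200 3120
10.0.0.5 - - [01/Oct/2021:10:00:09 +0000] "POST /api/ce/submit?projectKey=demo HTTP/1.1" 200 60
10.0.0.5 - - [01/Oct/2021:10:00:10 +0000] "GET /api/ce/task?id=TASK-1 HTTP/1.1" 200 410
10.0.0.5 - - [01/Oct/2021:10:00:11 +0000] "GET /api/ce/task?id=TASK-1 HTTP/1.1" 200 415
192.0.2.9 - - [01/Oct/2021:10:00:12 +0000] "GET /api/users/search HTTP/1.1" 401 0
10.0.0.5 - - [01/Oct/2021:10:00:13 +0000] "GET /dashboard?id=demo HTTP/1.1" 302 0
"""

# client ip, method, request target and status code from one CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def observed_api_calls(log_text, agent_ips):
    """Count (method, path) pairs under /api/ requested by the build agents.

    Query strings are dropped so /api/ce/task?id=... collapses to one endpoint;
    requests from other clients and non-API paths are ignored.
    """
    calls = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in agent_ips:
            path = urlsplit(m.group("target")).path
            if path.startswith("/api/"):
                calls[(m.group("method"), path)] += 1
    return calls


def render_nginx_allowlist(calls, upstream="http://sonarqube:9000"):
    """Exact-match nginx locations for the observed endpoints plus a catch-all
    that refuses everything else on the public listener. Query strings never
    take part in nginx location matching, so the bare paths are sufficient."""
    blocks = [f"location = {path} {{ proxy_pass {upstream}; }}"
              for _, path in sorted(set(calls))]
    blocks.append("location / { return 403; }")
    return "\n".join(blocks)


if __name__ == "__main__":
    seen = observed_api_calls(SAMPLE_LOG, {"10.0.0.5"})
    print(render_nginx_allowlist(seen))
```

Re-run the capture after upgrading the scanner or the server, since the set of endpoints it needs can change between versions.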

Yes, that’s exactly what I meant. We’ll proceed with your suggestion. Thank you!