Versions of Sonar
* SonarQube version: 8.4.2-developer
* Scanner: 4.6.2.2472-linux
One of the main issues we are having with SonarQube is that once the server is set up and we access the URL, anybody can view all projects and code without having to log in as a user or admin.
Since we are going to be scanning our organization's private repos, we obviously do not want to publicly expose the SonarQube web URL to the world. We want this server to be accessible only to members of our organization, so we have configured it behind our organization's IdP.
So the URL looks something like https://sonar.ourdomain/. If we try to access this URL, the IdP authenticates using GSuite in the backend and loads the page only for our employees.
This is causing another issue when it comes to setting up PR decoration on GitHub. We set the serverBaseURL to https://sonar.ourdomain/. Unless we specify the serverBaseURL and the GitHub app's webhook URL as http://public_ip:port/ and open the port to allow all inbound access, it is unable to communicate with SonarQube. This means we cannot run the scans through the GitHub workflow, nor do we get the Quality Gate analysis on the PR.
Is there a workaround for this? I am attaching a screenshot of the GitHub app sending requests to SonarQube. The first one is when it is configured with the public IP and the second is when we use the URL behind the IdP.
Is there a workaround for this? Can anyone help me with this?
I’m sure other organizations also would’ve faced something similar where they would not want to allow all access to their private code repos.