SonarQube set up behind organization IdP - Causes issue with Github PR Decoration

Versions of Sonar

*SonarQube version: 8.4.2-developer

One of the main issues we are having with SonarQube is that once the server is setup and we access the URL, then anybody can view all projects and code without having to login as a user or admin.

Since we are going to be scanning our organizations private repos, we obviously do not want to publicly expose the SonarQube web URL to the world. We want this server to be accessible only to members of our Organization, and so we have configured it behind our organization’s IDP.
So the url looks something like https://sonar.ourdomain/. If we try to access this URL, the IDP will authenticate using GSuite in the backend and load the page only to our employees

This is causing another issue when it comes to setting up PR Decoration on Github. We setup the serverBaseURL as https://sonar.ourdomain/. Now until and unless we specify the serverBaseURL and the Github app’s webhook URL as http://public_ip:port/ and open the port to allow all inbound access, it is unable to communicate with SonarQube. This means we cannot run the scans through the github workflow and nor do we get the Quality Gate Analysis on the PR.

Is there a workaround to this? I am attaching a screenshot of the Github app sending requests to SonarQube. The first one is when it is configured with public IP and second is when we use URL behind the IDP

Is there a workaround for this? Can anyone help me with this?
I’m sure other organizations also would’ve faced something similar where they would not want to allow all access to their private code repos.


First, your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.4.2 → 8.9.3 → 9.1 (last step optional)

You may find the Upgrade Guide helpful.

Regarding your question, you seem to have some misapprehensions around security. New instances on current versions have authentication turned on by default. You’ll need to toggle it manually: Administration → Security → Force user authentication.

Of course, that means you’ll probably want to set up delegated authentication. The docs should help with that.