Are there any plans to provide native support for Vault with SonarQube? We need to put the secrets related to the JDBC connection and the GitHub secrets related to login and the PR decorator in the sonar.properties file. It would be nice for SonarQube to directly fetch those values from a Vault store.
At the moment, there are no plans to include native integration of Vault nor other secret management solutions as an out-of-the-box feature in SonarQube.
Generally, there are three ways for an application like SonarQube to retrieve a secret handled by Vault: (1) natively, (2) via an environment variable or (3) through a secrets file. While the first one is discarded for now on our side, the other two are available as entry points in SonarQube. Some security organisations consider passing secrets in environment variables as bad practice, including HashiCorp. So let's look at using a file (e.g. sonar.properties) that you can also secure via standard OS functionality.
While I am not an expert in Vault, I would recommend having a look at Vault Agent and Consul Template, which are both tools from HashiCorp. These should allow integrating Vault with 3rd party applications which do not natively bring Vault integration out of the box, such as SonarQube. An excerpt follows:
"Vault Agent manages retrieving an auth token and stores it in a file. Consul Template provides a convenient way to populate values from Consul or Vault into the file system. It will read the Vault token and use it to retrieve the secrets our applications need. The application can simply read the secrets from a file. However, the application might have to reread the secret from the file. Consul Template handles secret renewal automatically. Consul Template can restart the application automatically once secrets we depend on change [...]. The picture below illustrates the responsibilities of the components."
Extracted from the publicly available article Integrating applications and Vault with Vault Agent and Consul Template.
This is to say, it should be possible to integrate SonarQube with Vault thanks to the elements above, using a combination of sonar.properties, Vault Agent and Consul Template. Consul Template could periodically re-write the new (encrypted!) credentials in the file and restart the application automatically. This is a setup task that, provided it matches your requirements, you would need to carry out on your side.
Hope it helps, cheers,
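A Consul Template configuration for the setup described in the answer above, added here as an illustration (it is not part of the original thread and not an official SonarSource or HashiCorp artefact). It assumes Vault Agent already writes its token to /run/vault/token, a KV v2 secret at secret/sonarqube with the keys jdbc_url, jdbc_username and jdbc_password, a SonarQube install under /opt/sonarqube and a systemd unit named sonarqube; all of these are placeholder choices.

```hcl
# consul-template config: render Vault secrets into sonar.properties and
# restart SonarQube when a rendered value changes. Added example, not
# from the original thread; all paths and secret names are assumed.

vault {
  address = "https://vault.example.internal:8200"   # assumed Vault address
  # Token file produced by Vault Agent's auto-auth sink (assumed path).
  # Consul Template never sees the auth credential itself, only the token.
  vault_agent_token_file = "/run/vault/token"
  renew_token            = false   # Vault Agent owns token renewal
}

template {
  destination = "/opt/sonarqube/conf/sonar.properties"
  # Restrict the rendered file to the service account running SonarQube,
  # the "standard OS functionality" mentioned in the answer.
  perms = 0600
  # Inline template (Go template syntax). Reads a KV v2 secret; with KV v2
  # the API path carries "data/" and the values sit under .Data.data.
  contents = <<EOT
# Rendered by consul-template; do not edit by hand.
{{ with secret "secret/data/sonarqube" }}
sonar.jdbc.url={{ .Data.data.jdbc_url }}
sonar.jdbc.username={{ .Data.data.jdbc_username }}
sonar.jdbc.password={{ .Data.data.jdbc_password }}
{{ end }}
EOT
  # Runs only when the rendered content differs from the previous render,
  # i.e. after a credential rotation in Vault.
  command = "systemctl restart sonarqube"
}
```

Run it with `consul-template -config /etc/consul-template/sonarqube.hcl`; a one-off render for checking the output can be done with the `-once` flag.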