SonarQube

SonarQube integration allows your product to connect with SonarQube's code quality and security platform to retrieve project metrics, vulnerabilities, code smells, and issues. This integration is ideal for static code analysis (SAST), developer security workflows, and continuous code quality tracking, enabling your platform to ingest findings directly from SonarQube scans (cloud or self-hosted). It uses the SonarQube Web API, available in both SonarCloud (cloud) and SonarQube Server (self-hosted) deployments.

Credentials Needed

To connect to SonarQube's API, you need one of the following credentials:

Required credentials:

  • SonarQube API Token (Personal or Project-level)
  • SonarQube Base URL (e.g., https://sonarqube.company.com or https://sonarcloud.io)

The API token acts as the authentication credential — it replaces username/password in API requests. You can create tokens for specific users, projects, or automation accounts.

Permissions Needed / API Scopes

SonarQube uses token-based access. Permissions are inherited from the user or service account that created the token.

Permission                          Description
Browse Projects                     Read project and issue data
Execute Analysis (optional)         Needed if triggering scans
View Issues                         Read vulnerabilities, code smells, and bugs
Administer Projects (optional)      Manage quality gates and metrics
Global Administrator (optional)     For organization-level integration

Minimum Required Permission: Browse Projects and View Issues

Creating Users / Access Tokens

Step 1: Generate an API Token

  1. Log in to your SonarQube or SonarCloud instance
  2. Navigate to your User Account → My Account → Security
  3. Under the Tokens section, click Generate Token
  4. Provide a descriptive name (e.g., IntegrationToken)
  5. Click Generate, then copy the token — e.g., 92b09c-1234-5678-abcdef98765
  6. Store this token securely in your product's secret vault

Test Connectivity

You can verify the token and connection by calling the api/authentication/validate endpoint. In the curl examples below the token is passed as the HTTP basic-auth username with an empty password ("-u <SONARQUBE_TOKEN>:"); the trailing colon is what tells curl that the password is empty, so no username/password pair is ever sent.

Example: Validate Authentication

curl -u <SONARQUBE_TOKEN>: \
"https://sonarqube.company.com/api/authentication/validate"

Example Response:

{"valid": true}

Example: List All Projects

curl -u <SONARQUBE_TOKEN>: \
"https://sonarqube.company.com/api/projects/search"

Example Response:

{
  "paging": {"pageIndex": 1, "pageSize": 100, "total": 2},
  "components": [
    {"key": "backend-service", "name": "Backend Service", "qualifier": "TRK"},
    {"key": "frontend-ui", "name": "Frontend UI", "qualifier": "TRK"}
  ]
}

Example: Get Issues for a Project

curl -u <SONARQUBE_TOKEN>: \
"https://sonarqube.company.com/api/issues/search?componentKeys=backend-service&types=VULNERABILITY"

Example Response:

{
  "total": 3,
  "issues": [
    {
      "key": "AX1ZcKRTy2bcZPzZQ3W",
      "rule": "javascript:S5144",
      "severity": "CRITICAL",
      "message": "Make sure that using this request is safe here.",
      "component": "backend-service:src/api/server.js",
      "line": 78,
      "type": "VULNERABILITY"
    }
  ]
}

Save the Results in the Platform and Create Connection

  1. In your product's integration setup, securely store:
    • SONARQUBE_BASE_URL
    • SONARQUBE_API_TOKEN
  2. Label the connection as SonarQube Integration
  3. Test the connection by listing projects or validating the token
  4. Once verified, enable workflows such as:
    • Pulling vulnerability, bug, and code smell data
    • Aggregating SonarQube metrics into dashboards
    • Correlating project security issues with other vulnerability data

Best Practices

  • Use project-level tokens for least-privilege access
  • Store credentials securely in your platform's secret manager
  • Rotate API tokens every 90 days
  • Respect SonarQube rate limits (typically 1,000 requests/hour per token)
  • Implement pagination (p and ps parameters) for large result sets
  • Sync data incrementally using createdAfter filters
  • Map SonarQube severities to your platform's internal severity model (e.g., Critical → High)
  • Include links to SonarQube issues for developer traceability

Useful SonarQube API Endpoints

Resource          Method   Endpoint                            Description
Validate token    GET      /api/authentication/validate        Verifies token validity
List projects     GET      /api/projects/search                Retrieves all accessible projects
Get issues        GET      /api/issues/search                  Fetch vulnerabilities, bugs, and code smells
Get measures      GET      /api/measures/component             Get project metrics (coverage, duplication, etc.)
Get rules         GET      /api/rules/search                   List active static analysis rules
List components   GET      /api/components/search              Get source file metadata
Get hotspots      GET      /api/security_hotspots/search       Retrieve security hotspots for a project

Official Docs:

  • SonarQube Web API Documentation
  • SonarQube REST API Reference

Example: Get Security Hotspots

curl -u <SONARQUBE_TOKEN>: \
"https://sonarqube.company.com/api/security_hotspots/search?projectKey=backend-service"

Example Response:

{
  "paging": {"pageIndex": 1, "pageSize": 100, "total": 1},
  "hotspots": [
    {
      "key": "AX2dfYdTz3klHhPzL",
      "component": "backend-service:src/api/server.js",
      "line": 120,
      "status": "TO_REVIEW",
      "message": "This use of 'eval' is potentially dangerous.",
      "vulnerabilityProbability": "HIGH"
    }
  ]
}

Example: Unified Vulnerability Record in Your Platform

{
  "tool": "sonarqube",
  "project": "backend-service",
  "file": "src/api/server.js",
  "line": 78,
  "type": "VULNERABILITY",
  "severity": "CRITICAL",
  "rule": "javascript:S5144",
  "message": "Make sure that using this request is safe here.",
  "cwe": "CWE-94",
  "source_link": "https://sonarqube.company.com/project/issues?id=backend-service&open=AX1ZcKRTy2bcZPzZQ3W"
}
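The following is an added example, not code from SonarQube or from the product this page describes, that ties together the Best Practices list (pagination with p and ps, incremental sync with createdAfter, severity mapping, developer links) and the unified vulnerability record shown just above. The HTTP transport is injected as a callable so the example runs offline against a constructed fake server; in production that callable would wrap an HTTP client using the token as the basic-auth username with an empty password. The platform severity model (Critical/High/Medium/Low/Info), the field name platform_severity, and the sample issue dates are assumptions; the cwe field of the unified record is omitted because it comes from rule metadata rather than from the issue payload.

```python
from __future__ import annotations

from typing import Callable, Iterator
from urllib.parse import urlencode

# Page size sent as "ps". SonarQube caps ps at 500 and will not page past 10,000 results,
# which is one more reason to sync incrementally with createdAfter.
PAGE_SIZE = 100

# SonarQube severity -> platform severity (the platform model is an assumption; it follows
# the "Critical -> High" direction given in Best Practices).
SEVERITY_MAP = {
    "BLOCKER": "Critical",
    "CRITICAL": "High",
    "MAJOR": "Medium",
    "MINOR": "Low",
    "INFO": "Info",
}

# Injected transport: takes (path, query params) and returns the decoded JSON body.
FetchPage = Callable[[str, dict], dict]


def iter_issues(fetch_page: FetchPage, component_key: str,
                created_after: str | None = None,
                types: tuple[str, ...] = ("VULNERABILITY",)) -> Iterator[dict]:
    """Walk /api/issues/search with p/ps until paging.total is exhausted."""
    page, seen = 1, 0
    while True:
        params = {"componentKeys": component_key, "types": ",".join(types),
                  "p": page, "ps": PAGE_SIZE}
        if created_after:
            # Only issues created after the last successful sync (e.g. 2025-10-10T00:00:00+0000).
            params["createdAfter"] = created_after
        body = fetch_page("/api/issues/search", params)
        issues = body.get("issues", [])
        yield from issues
        seen += len(issues)
        total = body.get("paging", {}).get("total", body.get("total", 0))
        if not issues or seen >= total:
            break
        page += 1


def normalize_issue(issue: dict, base_url: str) -> dict:
    """Map one raw SonarQube issue onto the unified record format shown above."""
    project_key, _, path = issue["component"].partition(":")
    link = f"{base_url.rstrip('/')}/project/issues?" + urlencode(
        {"id": project_key, "open": issue["key"]})
    return {
        "tool": "sonarqube",
        "project": project_key,
        "file": path,
        "line": issue.get("line"),
        "type": issue["type"],
        "severity": issue["severity"],
        "platform_severity": SEVERITY_MAP.get(issue["severity"], "Unknown"),
        "rule": issue["rule"],
        "message": issue["message"],
        "source_link": link,
    }


def sync_project(fetch_page: FetchPage, base_url: str, component_key: str,
                 last_sync: str | None = None) -> list[dict]:
    """Pull (incrementally, if last_sync is given) and normalize all matching issues."""
    return [normalize_issue(i, base_url)
            for i in iter_issues(fetch_page, component_key, created_after=last_sync)]


# ---- Constructed fake server so the example runs offline ---------------------------
# Three constructed issues; the first mirrors the issue shown on this page.
SAMPLE_ISSUES = [
    {"key": "AX1ZcKRTy2bcZPzZQ3W", "rule": "javascript:S5144", "severity": "CRITICAL",
     "message": "Make sure that using this request is safe here.",
     "component": "backend-service:src/api/server.js", "line": 78,
     "type": "VULNERABILITY", "creationDate": "2025-10-01T09:00:00+0000"},
    {"key": "CONSTRUCTED-2", "rule": "javascript:S5144", "severity": "BLOCKER",
     "message": "constructed finding", "component": "backend-service:src/db/query.js",
     "line": 12, "type": "VULNERABILITY", "creationDate": "2025-10-05T09:00:00+0000"},
    {"key": "CONSTRUCTED-3", "rule": "javascript:S5144", "severity": "MINOR",
     "message": "constructed finding", "component": "backend-service:src/util.js",
     "line": 3, "type": "VULNERABILITY", "creationDate": "2025-10-12T09:00:00+0000"},
]


def make_fake_fetch(issues: list[dict] = SAMPLE_ISSUES, page_size: int = 2) -> FetchPage:
    """Fake /api/issues/search: filters by componentKeys and createdAfter, pages by page_size
    (deliberately smaller than PAGE_SIZE so the pagination loop is exercised)."""
    def fetch_page(path: str, params: dict) -> dict:
        assert path == "/api/issues/search"
        after = params.get("createdAfter")
        prefix = params["componentKeys"] + ":"
        matching = [i for i in issues if i["component"].startswith(prefix)
                    and (not after or i["creationDate"] >= after)]  # same format, so string compare works
        start = (params["p"] - 1) * page_size
        chunk = matching[start:start + page_size]
        return {"paging": {"pageIndex": params["p"], "pageSize": page_size,
                           "total": len(matching)}, "issues": chunk}
    return fetch_page


if __name__ == "__main__":
    records = sync_project(make_fake_fetch(), "https://sonarqube.company.com", "backend-service")
    for r in records:
        print(r["platform_severity"], r["file"], r["source_link"])
```

Persist the timestamp of each successful run and pass it back as last_sync; the issue key is stable across runs, so it is the right field to deduplicate on when a later full pull overlaps an earlier incremental one.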

Webhook Integration (Optional)

SonarQube supports webhooks for scan completion notifications — ideal for triggering ingestion in your product when new analysis is done.

Setup Steps

  1. Go to Administration → Configuration → Webhooks
  2. Click Create
  3. Provide:
    • Name: PlatformWebhook
    • URL: https://yourplatform.com/webhooks/sonarqube
  4. Save and test the webhook

SonarQube will POST a JSON payload to your webhook URL whenever a project scan completes.

Example Webhook Payload

{
  "serverUrl": "https://sonarqube.company.com",
  "taskId": "AX3a1Y9BabcDEF1234",
  "status": "SUCCESS",
  "analysedAt": "2025-10-13T10:00:00+0000",
  "project": {
    "key": "backend-service",
    "name": "Backend Service",
    "url": "https://sonarqube.company.com/dashboard?id=backend-service"
  },
  "branch": {
    "name": "main",
    "type": "BRANCH"
  },
  "qualityGate": {
    "name": "Default",
    "status": "OK"
  }
}

Example Workflow

  1. Webhook received on scan completion
  2. Platform triggers API call to /api/issues/search for updated issues
  3. Normalize findings into unified vulnerability schema
  4. Link back to SonarQube for developer remediation and tracking
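The handler below is an added example of steps 1 and 2 of this workflow, not SonarQube's code or the product's own. It assumes the webhook was created with a secret: when one is set, SonarQube sends an X-Sonar-Webhook-HMAC-SHA256 header carrying the hex HMAC-SHA256 of the raw request body, which lets the receiver reject payloads that did not come from the configured server. The secret value, the last-sync timestamp, and the shape of the returned job are constructed for the example; the payload is the one shown above.

```python
from __future__ import annotations

import hashlib
import hmac
import json


def verify_webhook_signature(raw_body: bytes, header_value: str | None, secret: str) -> bool:
    """Compare the X-Sonar-Webhook-HMAC-SHA256 header with an HMAC over the raw body.
    The raw bytes must be used: re-serialising the parsed JSON would change the digest."""
    if not header_value:
        return False
    expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value.strip())


def plan_ingestion(raw_body: bytes, headers: dict, secret: str,
                   last_sync: str | None = None) -> dict | None:
    """Turn a scan-completion webhook into the /api/issues/search query to run next.
    Returns None when the request should be dropped (bad signature or failed analysis)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not verify_webhook_signature(raw_body, lowered.get("x-sonar-webhook-hmac-sha256"), secret):
        return None
    payload = json.loads(raw_body)
    if payload.get("status") != "SUCCESS":
        return None  # a failed analysis has no fresh findings to ingest

    project_key = payload["project"]["key"]
    query = {"componentKeys": project_key, "types": "VULNERABILITY,BUG,CODE_SMELL",
             "p": 1, "ps": 500}
    if last_sync:
        query["createdAfter"] = last_sync  # incremental pull, as in Best Practices
    branch = payload.get("branch") or {}
    if branch.get("type") == "PULL_REQUEST":
        query["pullRequest"] = branch["name"]
    elif branch.get("type") == "BRANCH" and branch.get("name"):
        query["branch"] = branch["name"]  # editions without branch analysis can omit this

    return {
        "project": project_key,
        "analysed_at": payload["analysedAt"],
        "quality_gate": payload.get("qualityGate", {}).get("status"),
        "dashboard": payload["project"]["url"],  # link back for step 4
        "issue_query": query,
    }


# ---- Constructed request so the example runs offline --------------------------------
WEBHOOK_SECRET = "constructed-webhook-secret"  # stand-in for the secret set on the webhook
SAMPLE_PAYLOAD = {
    "serverUrl": "https://sonarqube.company.com",
    "taskId": "AX3a1Y9BabcDEF1234",
    "status": "SUCCESS",
    "analysedAt": "2025-10-13T10:00:00+0000",
    "project": {"key": "backend-service", "name": "Backend Service",
                "url": "https://sonarqube.company.com/dashboard?id=backend-service"},
    "branch": {"name": "main", "type": "BRANCH"},
    "qualityGate": {"name": "Default", "status": "OK"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode("utf-8")
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-Sonar-Webhook-HMAC-SHA256": hmac.new(WEBHOOK_SECRET.encode("utf-8"), SAMPLE_BODY,
                                            hashlib.sha256).hexdigest(),
}


if __name__ == "__main__":
    job = plan_ingestion(SAMPLE_BODY, SAMPLE_HEADERS, WEBHOOK_SECRET)
    print(job)
    print(plan_ingestion(SAMPLE_BODY.replace(b"backend-service", b"other"), SAMPLE_HEADERS,
                         WEBHOOK_SECRET))  # tampered body -> None
```

Because the webhook carries only the project and quality-gate result, the issue details still come from the API call in step 2; the handler's job is to decide whether to make that call and with which parameters, and to do so only for payloads whose signature checks out.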