Skip to content

SonarQube API Token

Service Name: SonarQube

Service Description: SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.

Service Address: https://www.sonarqube.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the SonarQube instance level through configuration settings.

Secret Access Scope: Grants programmatic access to SonarQube APIs, allowing users to perform operations such as code analysis, retrieving quality metrics, managing projects, and accessing administrative functions depending on the user's permissions.

Secret Revokement URL: https://docs.sonarqube.org/latest/user-guide/user-account/generating-and-using-tokens/

Secret Example: squ_12345678901234567890123456789012345678

Suspicious Activity Investigation Instructions:

  • Review SonarQube audit logs for unusual API calls or access patterns
  • Check for unauthorized project access or modifications
  • Monitor for unexpected code analysis runs or configuration changes
  • Verify if the token has been used from unusual IP addresses or locations
  • Examine any changes to quality gates, quality profiles, or permission settings

Mitigation Instructions:

  • Log in to your SonarQube instance with administrator credentials
  • Navigate to your user account settings (click on your profile icon in the top-right

corner)

  • Select "Security" or "My Account" depending on your SonarQube version
  • Find the compromised token in the "Tokens" section
  • Click the "Revoke" button next to the token
  • Generate a new token if needed, with appropriate permissions
  • Update any legitimate applications or CI/CD pipelines with the new token
  • Consider implementing IP restrictions for API access if available in your

SonarQube version