Skip to content

SonarQube API Token

Service Name: SonarQube

Service Description: SonarQube is an open-source platform for continuous inspection of code quality and security. It performs automatic reviews with static analysis to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.

Service Address: https://www.sonarsource.com/products/sonarqube/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the instance level through network security settings or through a reverse proxy.

Secret Access Scope: Grants programmatic access to SonarQube APIs, allowing users to perform actions based on their permissions, such as analyzing code, retrieving quality metrics, managing projects, and administering the platform.

Secret Revokement URL: https://[your-sonarqube-instance]/account/security

Secret Example: squ_12345678901234567890123456789012345

Suspicious Activity Investigation Instructions:

  • Review SonarQube audit logs for unusual API calls or access patterns
  • Check for unauthorized project access or configuration changes
  • Monitor for unusual code analysis submissions or rule modifications
  • Verify if the token was used from unexpected IP addresses or locations
  • Examine the token's usage history for actions outside normal patterns

Mitigation Instructions:

  • Log in to your SonarQube instance
  • Navigate to User > My Account > Security

  • Locate the compromised token in the list

  • Click the "Revoke" button next to the token
  • Generate a new token with appropriate permissions if needed
  • Update any legitimate applications or CI/CD pipelines with the new token
  • Consider implementing IP restrictions for API access if available in your

deployment

  • Review user permissions to ensure they follow the principle of least privilege