Skip to content

SonarQube Docs API Key

Service Name: SonarQube

Service Description: SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities.

Service Address: https://www.sonarqube.org/

Validation Type: -

IP Allow list: Does not exist

Secret Access Scope: Grants access to SonarQube API for documentation and analysis operations.

Secret Revokement URL: https://docs.sonarqube.org/latest/user-guide/user-token/

Secret Example: d04e2210de6d13be39e2572e114b0f6989d7efc1

Suspicious Activity Investigation Instructions:

  • Check SonarQube audit logs for unauthorized API calls or unusual access patterns
  • Review project analysis history for unexpected scans or configuration changes
  • Examine user activity logs for suspicious logins or permission changes
  • Verify if any new projects were created or existing projects were modified without authorization
  • Check for unusual data exports or API usage patterns

Mitigation Instructions:

  • Revoke the compromised token immediately through the SonarQube user interface
  • Navigate to User > My Account > Security
  • Locate the compromised token and click the "Revoke" button
  • Generate a new token with appropriate permissions if needed
  • Review and update access controls for SonarQube projects
  • Enable two-factor authentication if available
  • Audit all recent activities performed with the compromised token