SonarQube Docs API Key
Service Name: SonarQube
Service Description: SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities.
Service Address: https://www.sonarqube.org/
Validation Type: -
IP Allow list: Does not exist
Secret Access Scope: Grants access to SonarQube API for documentation and analysis operations.
Secret Revokement URL: https://docs.sonarqube.org/latest/user-guide/user-token/
Secret Example: d04e2210de6d13be39e2572e114b0f6989d7efc1
Suspicious Activity Investigation Instructions:
- Check SonarQube audit logs for unauthorized API calls or unusual access patterns
- Review project analysis history for unexpected scans or configuration changes
- Examine user activity logs for suspicious logins or permission changes
- Verify if any new projects were created or existing projects were modified without authorization
- Check for unusual data exports or API usage patterns
Mitigation Instructions:
- Revoke the compromised token immediately through the SonarQube user interface
- Navigate to User > My Account > Security
- Locate the compromised token and click the "Revoke" button
- Generate a new token with appropriate permissions if needed
- Review and update access controls for SonarQube projects
- Enable two-factor authentication if available
- Audit all recent activities performed with the compromised token