Authentication overview

SonarQube and SonarCloud, core products of SonarSource, provide static analysis and code quality management. Securing access to these platforms is managed through various authentication mechanisms, allowing users and automated systems to interact with scan results, quality gates, and project configurations. The choice of authentication method often depends on the deployment model (self-hosted SonarQube versus SaaS SonarCloud), organizational security policies, and integration requirements with existing identity providers.

For SonarQube, administrators configure authentication settings directly on the server, offering flexibility for integration with corporate directories. SonarCloud, as a cloud-based service, integrates with common identity providers and offers streamlined setup for individual users and organizations. Both platforms emphasize a layered security approach, combining authentication with role-based access control (RBAC) to ensure that users only have permissions relevant to their responsibilities within development workflows.

The primary goal of Sonar's authentication system is to verify user identity before granting access to code analysis results, project dashboards, and administrative functions. This is crucial for maintaining the integrity and confidentiality of code quality metrics and security vulnerability reports. The system also supports programmatic access for CI/CD pipelines and external tools through dedicated credentials, facilitating automated quality gates and reporting.

Supported authentication methods

SonarQube and SonarCloud offer diverse authentication methods to accommodate various organizational structures and security requirements. These methods range from internal user management to integrations with external identity providers.

Internal authentication

  • Built-in Users: SonarQube and SonarCloud allow for the creation and management of user accounts directly within the platform. This method is suitable for smaller teams or initial setups where integration with external directories is not a priority. Users are typically created by an administrator and can manage their own passwords.
  • Personal Access Tokens (PATs): PATs are alphanumeric strings generated by users within their Sonar profile. They serve as an alternative to user credentials for authenticating API requests, CI/CD pipeline scans, and integrating with external tools. PATs are scoped to the user who generates them and inherit that user's permissions. They are a common method for programmatic access to SonarQube and SonarCloud APIs, as detailed in the SonarQube user guide on access tokens.

External authentication

  • LDAP (Lightweight Directory Access Protocol): SonarQube can integrate with an existing LDAP directory to authenticate users. This allows organizations to leverage their centralized user management system (e.g., Active Directory) for SonarQube access, ensuring consistent user identities and group memberships. Configuration involves specifying LDAP server details and mapping user attributes.
  • SAML (Security Assertion Markup Language): SAML-based authentication enables single sign-on (SSO) for SonarQube and SonarCloud, allowing users to authenticate once with an identity provider (IdP) and gain access to Sonar without re-entering credentials. This enhances user experience and centralizes identity management.
  • OAuth 2.0: SonarCloud supports OAuth 2.0 for integration with popular identity providers like GitHub, GitLab, Bitbucket, and Azure DevOps. This allows users to sign in using their existing accounts from these platforms, simplifying onboarding and credential management. OAuth 2.0 is an industry-standard protocol for authorization, as described by the OAuth 2.0 specification.

The following table summarizes the key characteristics of each authentication method:

Method When to Use Security Level
Built-in Users Standalone Sonar instances, small teams, initial setup. Moderate (password policy dependent, internal management).
Personal Access Tokens (PATs) Automated processes, CI/CD pipelines, API access, integrations. High (short-lived, scoped, revocable).
LDAP Enterprise environments with existing LDAP/Active Directory. High (centralized user management, leverages existing infrastructure).
SAML Organizations requiring Single Sign-On (SSO) with an IdP. High (centralized identity, reduced password fatigue).
OAuth 2.0 Integration with cloud-based Git providers (GitHub, GitLab, etc.). High (delegated authorization, leverages provider's security).

Getting your credentials

The process for obtaining credentials varies based on the chosen authentication method for SonarQube or SonarCloud.

Built-in users

For built-in users, credentials consist of a username and password. On SonarQube, an administrator typically creates the initial user accounts. Users can then change their password by navigating to their profile settings. For SonarCloud, users can create an account directly or be invited by an organization administrator.

Personal Access Tokens (PATs)

PATs are generated by individual users within their Sonar profile. The general steps are:

  1. Log in to your SonarQube instance or SonarCloud account.
  2. Navigate to your user profile (usually by clicking on your avatar or username in the top right corner).
  3. Select the 'Security' tab or section.
  4. Look for a section related to 'Personal Access Tokens' or 'Generate Tokens'.
  5. Provide a descriptive name for the token (e.g., 'CI Pipeline Token') and optionally set an expiration date.
  6. Click 'Generate' or 'Create'. The token will be displayed once. Copy it immediately as it will not be shown again for security reasons.

Refer to the SonarQube documentation for generating and managing Personal Access Tokens for detailed instructions specific to your SonarQube version or SonarCloud.

LDAP, SAML, and OAuth 2.0

For these external authentication methods, credential management is handled by the integrated identity provider:

  • LDAP: Users authenticate with their existing corporate directory credentials. SonarQube does not store these passwords but delegates authentication to the LDAP server. Administrators configure the LDAP connection settings on the SonarQube server.
  • SAML: Users authenticate via their organization's Identity Provider (IdP). The IdP issues a SAML assertion to Sonar, which then grants access. SonarQube and SonarCloud administrators configure the SAML integration with the IdP's metadata.
  • OAuth 2.0: Users authenticate through their GitHub, GitLab, Bitbucket, or Azure DevOps accounts. SonarCloud receives an authorization grant from the respective provider, allowing access without direct credential exchange. Users simply click the 'Login with [Provider]' button.

For administrative setup of external authentication, consult the SonarQube authentication documentation or the SonarCloud administration guides for integrating with specific providers.

Authenticated request example

When interacting with the SonarQube or SonarCloud APIs programmatically, Personal Access Tokens (PATs) are the recommended authentication method. PATs are passed in the HTTP Authorization header.

Consider an example using curl to retrieve information about a Sonar project:


curl -u "YOUR_PERSONAL_ACCESS_TOKEN:" "https://your-sonarqube-instance.com/api/projects/search?projects=my_project_key"

In this example:

  • -u "YOUR_PERSONAL_ACCESS_TOKEN:": This flag provides the authentication credentials. The format for basic authentication with a PAT is token: (note the colon after the token and no password). The PAT acts as the username.
  • https://your-sonarqube-instance.com: Replace this with the URL of your SonarQube instance or https://sonarcloud.io for SonarCloud.
  • /api/projects/search?projects=my_project_key: This is a sample API endpoint to search for projects. Replace my_project_key with the actual key of your project.

For more complex API interactions or when using client libraries, the PAT would typically be set as a header:


Authorization: Basic <base64_encoded_token>

Where <base64_encoded_token> is the Base64 encoding of YOUR_PERSONAL_ACCESS_TOKEN:. Many HTTP client libraries handle this Base64 encoding automatically when you pass the token in the -u format or similar authentication parameters.

For instance, using Python with the requests library:


import requests

SONAR_URL = "https://your-sonarqube-instance.com"
SONAR_TOKEN = "YOUR_PERSONAL_ACCESS_TOKEN"
PROJECT_KEY = "my_project_key"

headers = {
    "Authorization": f"Bearer {SONAR_TOKEN}" # For some API endpoints, Bearer might be supported
}

# Or, for Basic Auth (standard for Sonar API with PATs):
auth = (SONAR_TOKEN, "") 

response = requests.get(f"{SONAR_URL}/api/projects/search?projects={PROJECT_KEY}", auth=auth)

if response.status_code == 200:
    print(response.json())
else:
    print(f"Error: {response.status_code} - {response.text}")

This Python example demonstrates how to use the PAT for authentication. The auth=(SONAR_TOKEN, "") tuple tells requests to use Basic Authentication with the token as the username and an empty string as the password, which is the correct format for Sonar PATs.

Security best practices

Adhering to security best practices is essential when configuring and using authentication with SonarQube and SonarCloud.

  1. Use Personal Access Tokens (PATs) for Automation: Avoid using full user credentials (username/password) in scripts or CI/CD pipelines. Instead, generate specific PATs for automated tasks. This limits the blast radius if a credential is compromised, as PATs can be revoked independently of the user account.
  2. Set Expiration Dates for PATs: Whenever possible, configure PATs with an expiration date. This minimizes the window of vulnerability if a token is leaked. Regularly rotate PATs before they expire.
  3. Restrict PAT Permissions: Ensure PATs are granted only the minimum necessary permissions required for their intended task. For example, a token used to run an analysis might only need 'Execute Analysis' permission and not administrative access.
  4. Securely Store Credentials: Never hardcode PATs or other sensitive credentials directly into code repositories. Utilize secure secret management solutions such as environment variables, HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets. For CI/CD systems, use their built-in secret management features (e.g., GitHub Actions Secrets, GitLab CI/CD Variables).
  5. Enable and Configure External Authentication: For user authentication, integrate SonarQube with your organization's existing identity providers (LDAP, SAML, OAuth 2.0). This centralizes user management, enforces consistent password policies, and enables Single Sign-On (SSO), reducing password fatigue and improving security posture.
  6. Implement Strong Password Policies: If using built-in user management, enforce strong password policies within SonarQube, requiring complexity, minimum length, and regular rotation.
  7. Regularly Review User Permissions: Periodically audit user and group permissions in SonarQube/SonarCloud to ensure they align with current roles and responsibilities. Remove access for users who no longer require it.
  8. Monitor Access Logs: Regularly review SonarQube's access logs and SonarCloud's activity logs for suspicious login attempts or unauthorized access patterns.
  9. Keep SonarQube Updated: Always run the latest stable version of SonarQube to benefit from security patches and improvements. Older versions may have known vulnerabilities that could be exploited.
  10. Use HTTPS: Ensure all communication with SonarQube or SonarCloud is encrypted using HTTPS. This protects credentials and data in transit from eavesdropping. SonarSource provides documentation on configuring HTTPS for SonarQube.