How do I Integrate SonarQube
This guide walks you through the steps to integrate SonarQube findings into the NopSec Platform: first a read-only SonarQube account and token are created, then the integration is enabled in NopSec.
Creating a Read-Only API Token in SonarQube
In SonarQube, API authentication is handled via User Tokens. A token inherently possesses the exact same permissions as the user account that generated it. Therefore, to create a read-only API token, you must first create a user account with strictly limited permissions, and then generate the token from within that account.
Step 1: Provision a Read-Only User and Group
- Log in to SonarQube using a System Administrator account.
- In the top navigation bar, click Administration, then select Security > Groups.
- Click Create Group in the top right corner. Name it something descriptive, like API_ReadOnly_Group, and save it.
- Navigate to Administration > Security > Global Permissions. Ensure this new group has no global permissions checked (they do not need global administration to read project data).
- Navigate to Administration > Security > Permission Templates (or directly to specific projects via Projects > Project Settings > Permissions). Grant your API_ReadOnly_Group the Browse permission.
Note: If the API also needs to retrieve the actual lines of code associated with a vulnerability finding, you must also grant the See Source Code permission. Ensure actions like "Administer Issues", "Administer" and "Execute Analysis" remain unchecked. A permission template only applies to projects created after it is changed; for projects that already exist, either edit their permissions directly or apply the template to them in bulk.
- Navigate to Administration > Security > Users.
- Click Create User. Fill out the login details (e.g., api_readonly_user), set a strong password, and assign this user to the API_ReadOnly_Group you just created and to no other group. Note that SonarQube also places every user in the default sonar-users group, which cannot be removed, so check that sonar-users carries no global or project permissions beyond those you intend the API account to have.
Step 2: Generate the API Token
- Log out of your administrator account and log back in using the new api_readonly_user credentials.
- In the top-right corner of the interface, click on the user avatar and select My Account from the drop-down menu.
- Select the Security tab.
- In the Generate Tokens section, enter a descriptive name for your token in the Name field (e.g., Read-Only Findings Export).
- Select User Token from the token type drop-down menu. (Do not select Project Analysis or Global Analysis tokens, as those are specifically designed for CI/CD pipeline scanners rather than standard API querying).
- Click the Generate button.
- The system will display your new API token string.
Important: Immediately copy the token and store it in a secure password manager or secrets vault. SonarQube will not display this token again once you refresh or leave the page; if it is lost, revoke it and generate a new one. Where your SonarQube version offers an expiration date for tokens, set one and schedule the rotation.
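As an added example (not part of the NopSec guide or SonarQube's own tooling), the same provisioning and token generation can be done through SonarQube's Web API so that it is scripted, repeatable and easy to audit. The endpoint and parameter names (api/user_groups/create, api/users/create, api/user_groups/add_user, api/permissions/add_group, api/user_tokens/generate, api/authentication/validate, api/issues/search) are SonarQube's documented Web API; the host https://sonar.example.com, the administrator credentials, the group name, login, password and project key are placeholder assumptions. The permission keys map to the UI labels used above: `user` is Browse and `codeviewer` is See Source Code. The last function checks what the guide wants a practitioner to confirm: the token authenticates, can read issues, and is refused an administrative write.

```python
"""Provision a read-only SonarQube user, group and User Token via the Web API.

Endpoint and parameter names are SonarQube's Web API; the host, admin credentials,
group name, login, password and project key are placeholder assumptions.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# SonarQube's internal permission keys behind the labels in the Permissions UI.
PERMISSION_BROWSE = "user"            # "Browse"
PERMISSION_SEE_SOURCE = "codeviewer"  # "See Source Code"
WRITE_PERMISSIONS = {"admin", "issueadmin", "securityhotspotadmin", "scan"}


def _basic_auth(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def http_request(method, url, auth, params=None):
    """Default transport: form-encoded request, returns (HTTP status, JSON body or {})."""
    data = urllib.parse.urlencode(params or {}).encode() if method == "POST" else None
    if method == "GET" and params:
        url = url + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", _basic_auth(*auth))
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read().decode() or "{}"        # some POSTs answer 204 with no body
            return resp.status, json.loads(body)
    except urllib.error.HTTPError as err:
        return err.code, {}


class SonarQubeAdmin:
    """Step 1 via API: runs as a System Administrator (placeholder credentials)."""

    def __init__(self, base_url, auth, request=http_request):
        self.base_url = base_url.rstrip("/")
        self.auth = auth
        self.request = request

    def _post(self, endpoint, **params):
        status, body = self.request("POST", f"{self.base_url}/{endpoint}", self.auth, params)
        if status >= 400:
            raise RuntimeError(f"{endpoint} failed with HTTP {status}")
        return body

    def provision_readonly(self, group, login, password, project_key, with_source=False):
        """Create group and user, add membership, grant only project-scoped read permissions.
        No call to api/permissions/add_group without projectKey is made, so no global
        permission is ever granted. Returns the list of permission keys granted."""
        self._post("api/user_groups/create", name=group,
                   description="Read-only API access for findings export")
        self._post("api/users/create", login=login, name=login, password=password, local="true")
        self._post("api/user_groups/add_user", name=group, login=login)
        perms = [PERMISSION_BROWSE] + ([PERMISSION_SEE_SOURCE] if with_source else [])
        for perm in perms:
            assert perm not in WRITE_PERMISSIONS, "read-only account must not get write rights"
            self._post("api/permissions/add_group", groupName=group,
                       permission=perm, projectKey=project_key)
        return perms


def generate_user_token(base_url, login, password, token_name, request=http_request):
    """Step 2 via API: authenticate as the new user and mint a USER_TOKEN (not an analysis token).
    The token is shown only in this response; store it in a vault immediately."""
    status, body = request("POST", f"{base_url.rstrip('/')}/api/user_tokens/generate",
                           (login, password), {"name": token_name, "type": "USER_TOKEN"})
    if status >= 400 or "token" not in body:
        raise RuntimeError(f"token generation failed: HTTP {status}")
    return body["token"]


def verify_readonly_token(base_url, token, request=http_request):
    """Check the token: valid, can read issues, and is denied an administrative write.
    SonarQube accepts a token as the HTTP Basic username with an empty password."""
    base, auth = base_url.rstrip("/"), (token, "")
    _, body = request("GET", f"{base}/api/authentication/validate", auth)
    read_status, _ = request("GET", f"{base}/api/issues/search", auth, {"ps": 1})
    write_status, _ = request("POST", f"{base}/api/users/create", auth,
                              {"login": "should_fail", "name": "should_fail", "password": "x"})
    return {"valid": bool(body.get("valid")),
            "can_read": read_status == 200,
            "write_denied": write_status == 403}


if __name__ == "__main__":
    # Placeholder settings; supply real ones through the environment.
    url = os.environ.get("SONAR_URL", "https://sonar.example.com")
    admin = SonarQubeAdmin(url, (os.environ["SONAR_ADMIN_USER"], os.environ["SONAR_ADMIN_PASSWORD"]))
    admin.provision_readonly("API_ReadOnly_Group", "api_readonly_user",
                             os.environ["SONAR_RO_PASSWORD"], "my-project", with_source=True)
    tok = generate_user_token(url, "api_readonly_user", os.environ["SONAR_RO_PASSWORD"],
                              "Read-Only Findings Export")
    print(verify_readonly_token(url, tok))   # expect all three checks True
```

The transport is passed in as a function so the same sequence can be exercised against a fake server in a test before it is run against production; in use, a result other than `valid`, `can_read` and `write_denied` all being true means the account has more (or less) access than this guide intends and the token should be revoked until the permissions are corrected.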
Step 3: Enable the integration in the NopSec Platform
- Navigate to Integrations in the NopSec UI and select the option to add a SonarQube integration.
- Enter Integration Access Info: when prompted, enter the following information and click the "Save and Connect" button:
- Connection Name: A unique name for this integration.
- Is On Prem: Check this box if you are using NopSec's virtual appliance.
- URL: The URL used to access your organization's SonarQube server.
- Username: The login of the read-only user created in Step 1 (e.g., api_readonly_user).
- Password: The password set for that user in Step 1.
- Disable SSL Verification: Check this box only if SSL verification is not required within your organization. With verification disabled, the credentials above are sent to whatever host answers at the URL, so prefer installing the server's CA certificate on the NopSec side and leaving this box unchecked.
- Click Save and Connect.