
SonarQube Executor

  • Category: Source Code Analysis
  • Script: sonarqube.py
  • Integration: REST API
  • Faraday Plugin: SonarQubeAPIPlugin
  • Website: https://www.sonarsource.com/products/sonarqube/

Description

Connects to a SonarQube instance via its REST API to fetch all security-related issues for a project. Optionally retrieves security hotspots. Results are parsed through the Faraday SonarQube API plugin.

Prerequisites

  • SonarQube server running and accessible
  • Authentication token (generated in SonarQube > Account > Security > Generate Tokens)
  • At least one analyzed project in SonarQube

Configuration

Environment Variables (Setup)

Variable    Required  Description
SONAR_URL   Yes       SonarQube server URL (e.g., http://sonarqube.local:9000)

Execution Arguments

Parameter      Type      Mandatory  Description
TOKEN          password  Yes        SonarQube authentication token
COMPONENT_KEY  string    No         Project/component key to filter results (e.g., my-project)
GET_HOTSPOT    boolean   No         If true, also fetches security hotspots (default: false)

YAML Configuration Example

executors:
  sonarqube_scan:
    repo_executor: sonarqube.py
    max_size: 65536
    varenvs:
      SONAR_URL: "http://sonarqube.local:9000"
    params:
      TOKEN:
        mandatory: true
        type: password
        base: string
      COMPONENT_KEY:
        mandatory: false
        type: string
        base: string
      GET_HOTSPOT:
        mandatory: false
        type: boolean
        base: boolean

How It Works

  1. Connects to the SonarQube API at the configured URL
  2. Fetches security issues from /api/issues/search (paginated, filtered by SECURITY impact)
  3. If GET_HOTSPOT is enabled, also fetches security hotspots from /api/hotspots/search and enriches each with details from /api/hotspots/show
  4. Parses all results through SonarQubeAPIPlugin and outputs Faraday JSON
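The collection flow above, written out as an added example (not the executor's own sonarqube.py): the request parameters, the pagination fields and the 10,000-result cap are assumptions about the SonarQube Web API, and the HTTP getter is injectable so the pagination and hotspot-enrichment logic can be exercised against constructed responses.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumptions (SonarQube Web API, not the Faraday executor's own code):
# /api/issues/search takes componentKeys, impactSoftwareQualities, p, ps;
# /api/hotspots/search takes projectKey, p, ps; /api/hotspots/show takes hotspot;
# every paginated reply carries paging.pageIndex / pageSize / total.
PAGE_SIZE = 500      # SonarQube caps ps at 500
MAX_RESULTS = 10000  # the issues API refuses pages beyond the first 10,000 results

def build_auth_header(token: str) -> str:
    # SonarQube accepts the user token as the Basic-auth username with an empty password
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()

def make_http_getter(base_url: str, token: str):
    # Returns get(path, params) -> parsed JSON using only the standard library
    auth = build_auth_header(token)
    def get(path, params):
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": auth})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get

def paginate(get, path, params, items_key, page_size=PAGE_SIZE):
    """Walk a paginated endpoint until paging.total (or the 10,000 cap) is exhausted."""
    page, results = 1, []
    while True:
        body = get(path, {**params, "p": page, "ps": page_size})
        items = body.get(items_key, [])
        results.extend(items)
        fetched = page * body["paging"]["pageSize"]
        if not items or fetched >= min(body["paging"]["total"], MAX_RESULTS):
            return results
        page += 1

def fetch_security_findings(get, component_key=None, get_hotspot=False, page_size=PAGE_SIZE):
    """Same flow as the executor: SECURITY-impact issues, then enriched hotspots if requested."""
    issue_params = {"impactSoftwareQualities": "SECURITY"}
    if component_key:
        issue_params["componentKeys"] = component_key
    findings = {"issues": paginate(get, "/api/issues/search", issue_params, "issues", page_size),
                "hotspots": []}
    if get_hotspot and component_key:  # /api/hotspots/search requires a projectKey
        for hs in paginate(get, "/api/hotspots/search", {"projectKey": component_key}, "hotspots", page_size):
            # one extra /api/hotspots/show call per hotspot: the slow path the Notes warn about
            findings["hotspots"].append(get("/api/hotspots/show", {"hotspot": hs["key"]}))
    return findings
```

Against a live server, `fetch_security_findings(make_http_getter(SONAR_URL, TOKEN), "my-project", True)` returns the raw issue and hotspot JSON that SonarQubeAPIPlugin would then parse.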

Setting Up SonarQube

  1. Start SonarQube (e.g., docker run -p 9000:9000 sonarqube:latest)
  2. Log in with default credentials (admin/admin) and change the password
  3. Create a project and note the project key
  4. Generate an authentication token under Account > Security > Generate Tokens
  5. Run your first analysis using sonar-scanner:
    docker run --rm \
      -v "$(pwd):/usr/src" \
      sonarsource/sonar-scanner-cli \
      -Dsonar.projectKey=my-project \
      -Dsonar.sources=. \
      -Dsonar.host.url=http://host.docker.internal:9000 \
      -Dsonar.token=<your-token>

Notes

  • The executor imports results from existing SonarQube analyses — it does not trigger new scans
  • Security hotspots require an additional API call per hotspot for full details, which can be slow for large projects
  • The COMPONENT_KEY parameter filters to a specific project; without it, all accessible projects' issues are returned