Additional security enforcements

Delivering secure code isn’t enough; you also need to deliver code securely

Delivering perfect code doesn’t mean much if it comes out of a compromised pipeline. Securing your DevOps infrastructure is nearly as important as securing the code itself.

SonarQube 8.9 LTS is more secure

Securing your instance

We care not only about the security of your code but also about the security of your SonarQube environment. From SonarQube 8.9 LTS, operating SonarQube is more secure than ever, with simple but effective new safeguards such as:

Forcing administrators to change the default SonarQube admin credentials, so that following this best practice becomes routine.

Authenticated access as the default, to help you keep private code private.

Limited plugin access to core functionality and restricted library loading, to prevent third-party plugins from tampering with your installation.

Additional controls in the plugin Marketplace, a gentle reminder that community plugins are used at your own risk, so you stay mindful of the risks you accept.
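The first two safeguards are easy to verify after an upgrade. The script below is an added example, not SonarSource's own code or tooling: it checks that an instance refuses anonymous requests and that the out-of-the-box admin/admin credentials no longer log in. It assumes the base URL is passed on the command line (default http://localhost:9000), that `GET /api/components/search?qualifiers=TRK` is readable without credentials unless authentication is forced (so forcing it turns the answer into HTTP 401), and that `POST /api/authentication/login` answers 200 on success and 401 on bad credentials; confirm both against the web API reference of your own version before relying on it. The decision logic is a pure function so it can be exercised offline with constructed status codes.

```python
"""Post-upgrade check for two SonarQube safeguards: anonymous access refused,
default admin/admin credentials rejected. Added example, not SonarSource code.
Uses only the standard library; the endpoints used are assumptions to verify
against your version's web API docs."""
import sys
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_LOGIN = "admin"
DEFAULT_PASSWORD = "admin"  # out-of-the-box credential that 8.9 forces you to change


def http_status(url, data=None):
    """Return the HTTP status of a GET (or POST when data is given).
    4xx/5xx are results, not errors; None means the server was unreachable."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


def anonymous_status(base_url):
    # Assumption: a Browse-level web service. With sonar.forceAuthentication=true
    # an unauthenticated call gets 401 instead of a (possibly empty) project list.
    return http_status(base_url.rstrip("/") + "/api/components/search?qualifiers=TRK")


def default_login_status(base_url):
    # Assumption: the UI login endpoint answers 200 on success, 401 on failure.
    body = urllib.parse.urlencode({"login": DEFAULT_LOGIN, "password": DEFAULT_PASSWORD}).encode()
    return http_status(base_url.rstrip("/") + "/api/authentication/login", data=body)


def assess(anon_status, login_status):
    """Turn the two status codes into findings. Pure function, no network."""
    if anon_status is None or login_status is None:
        return ["server unreachable; no conclusion"]
    findings = []
    if anon_status != 401:
        findings.append(f"anonymous access allowed (HTTP {anon_status}); enable sonar.forceAuthentication")
    if login_status == 200:
        findings.append("default admin/admin credentials still accepted; change them now")
    return findings


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"
    results = assess(anonymous_status(base), default_login_status(base))
    for line in results or ["no findings"]:
        print(line)
    sys.exit(1 if results else 0)
```

Run it as `python check_sonar.py https://sonar.example.internal` from a CI job or a cron entry; a non-zero exit means a finding. The anonymous check turns on `sonar.forceAuthentication` (in `sonar.properties`, or Administration > Security in the UI), which 8.9 sets to true by default, but an instance upgraded with an older `sonar.properties` carries its old value forward, which is exactly why the check is worth running rather than assuming.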

We’ve implemented these controls because SonarQube has access to all your source code, and we take the responsibility to protect it seriously.

Delivering a secure SonarQube

SonarQube is now hardened to meet the U.S. Department of Defense’s security requirements for inclusion in its Iron Bank software repository, and penetration testing is a routine part of delivering every LTS.
Here’s what our pen tester, Cure53, had to say about SonarQube 8.9 LTS:

In Cure53’s expert opinion, this project confirmed a very solid security premise at SonarSource… [SonarQube] is currently well protected against a broad number of web application attack vectors.

One can argue that the outcome highlights the development team’s commitment to maintaining security features with due diligence and adherence to best practices. Despite extensive deep-dives and exemplary coverage toward a plethora of application features by the Cure53 testers, no serious issues were detected.

In addition to hardening SonarQube itself, we’ve hardened our own build pipeline, so you can be confident that we deliver SonarQube to you securely.