
How to Integrate BoostSecurity to SonarQube


BoostSecurity enables the ingestion of security results from an existing SonarQube account. Once the connection is established, SonarQube findings are periodically ingested and processed through BoostSecurity workflow and policies.


Prerequisites


As a SonarQube organization admin user, generate a user access token to configure the SonarQube Connector. You can create a token from User > My Account > Security in SonarQube or refer to the SonarQube documentation.

Note

The integration will only complete successfully for organizations in which you have admin privileges. Organizations in which you don't have admin privileges will be ignored.


Integration Steps


The connection with SonarQube can be set up simply through the SonarQube integration card:

  1. Navigate to the Integrations page.
  2. Scroll to the Available section and select SonarQube Connector.

    SonarQube Integration Card

  3. Click on the Install button.

  4. Fill in the following:
    • Integration Name: A custom name uniquely identifying the integration.
    • Access Token: Input the SonarQube token.
  5. Click on Install.
  6. Ready!

Verifying the integration


In SonarQube:

  1. Go to the organizations list.
  2. Select one of the organizations for which you have admin privileges and open Administration > Webhooks.
  3. Confirm that there is a webhook whose name starts with boostsecurityio and whose URL begins with https://api.boostsecurity.io/.
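The same check can be scripted against the SonarQube web API so it can run on a schedule rather than by hand. This is an added example, not BoostSecurity's own code: it assumes the SonarQube endpoint api/webhooks/list with an organization parameter (as on SonarCloud) and that the user token is sent as the HTTP basic-auth username. The trailing slash in the expected URL prefix is what rejects lookalike hosts.

```python
"""Verify that the BoostSecurity webhook is registered on a SonarQube organization."""
import base64
import json
import urllib.parse
import urllib.request

# Prefixes from the verification step of the integration guide.
EXPECTED_NAME_PREFIX = "boostsecurityio"
EXPECTED_URL_PREFIX = "https://api.boostsecurity.io/"


def find_boost_webhook(webhooks):
    """Return the first webhook matching both expected prefixes, else None."""
    for hook in webhooks:
        name = hook.get("name", "")
        url = hook.get("url", "")
        if name.startswith(EXPECTED_NAME_PREFIX) and url.startswith(EXPECTED_URL_PREFIX):
            return hook
    return None


def suspicious_webhooks(webhooks):
    """Webhooks carrying the Boost name but pointing elsewhere; these deserve review."""
    return [
        h for h in webhooks
        if h.get("name", "").startswith(EXPECTED_NAME_PREFIX)
        and not h.get("url", "").startswith(EXPECTED_URL_PREFIX)
    ]


def fetch_webhooks(base_url, token, organization):
    """Call api/webhooks/list (assumed endpoint); token goes in the basic-auth username."""
    query = urllib.parse.urlencode({"organization": organization})
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/webhooks/list?{query}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["webhooks"]


# Constructed sample, shaped like an api/webhooks/list response (not real data).
SAMPLE_WEBHOOKS = [
    {"key": "k1", "name": "ci-notify", "url": "https://ci.example.test/hook"},
    {"key": "k2", "name": "boostsecurityio-lookalike",
     "url": "https://api.boostsecurity.io.example.test/hook"},
    {"key": "k3", "name": "boostsecurityio-org",
     "url": "https://api.boostsecurity.io/sonarqube/webhook"},
]
```

Run `find_boost_webhook(fetch_webhooks(base_url, token, org))` against a live instance; a `None` result means the integration did not register its webhook for that organization.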

Validate SonarQube integration


Provisioning the scanner


After the integration is completed, the SonarQube scanner will be available on the Boost assets mapped to a corresponding SonarQube project. When SonarQube automatic project provisioning is used, each SonarQube project should map to an existing code repository in Boost whose organization and repository name match.

Select one of these code repositories in scan coverage to proceed with provisioning. Once the scanner provisioning modal opens, go to the Advanced Provisioning tab. Under the SAST section, you should see the SonarQube scanner. Select it and press the Complete button.

SonarQube scanner provisioning

Once the scanner is provisioned, any time a SonarQube scan is triggered in your SonarQube instance, a new scan will appear in Boost, and the findings will be assessed against the policy assigned to the code repository.

Note

If the SonarQube scanner doesn't appear in the list of available scanners, it means that the current code repository is not mapped to a SonarQube project. If you are unsure which SonarQube project is mapped to which Boost code repository, copy the SonarQube project name and search for it in Boost scan coverage.