Martin Ellis

Reputation: 9651

How to secure SonarQube 5.4?

I'd like to configure SonarQube so that developers can generate an HTML report locally (in 'issues' mode), but not be able to publish reports on the SonarQube server (in 'publish' mode).

Instead, I'd like the CI server to be the only system with access to publish results (using a 'technical' user).

The release notes for SonarQube 5.4 indicate that the "Execute Preview Analysis" permission has been removed.

There is an "Execute Analysis" permission, but from what I've understood, this is required for both 'issues' mode and 'publish' mode.

Right now, the Execute Analysis permission has been granted to 'Anyone'. This allows the Maven plugin to perform an analysis (issues or publish mode). However, sonar-runner (and sonar-scanner) both seem to need a login token configured before they can run even a preview analysis. This inconsistency seems confusing.

How can SonarQube 5.4 be secured so that only the build server can update the results shown on the dashboard?

Upvotes: 2

Views: 405

Answers (1)

This is pretty simple:

  • Make sure that the "Execute Analysis" global permission is granted only to a "technical" user and configure your CI server to pass credentials of this user to the Maven command
    • This will allow the CI to push analysis reports to the SonarQube server, but prevent any other user from doing so.
  • Make sure that every other user has the "Browse" permission on the projects
    • This will allow any user to run an "issues" analysis and therefore generate an HTML report

Upvotes: 2
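The two invocations the answer implies, as an added example that is not part of the question or the answer: a developer's local "issues" analysis that carries no credentials, and the CI server's "publish" analysis authenticating as the technical user. It assumes SonarQube 5.x property names (`sonar.analysis.mode`, `sonar.issuesReport.html.enable`, `sonar.login`) and that the CI system exports the technical user's token as `SONAR_TOKEN`.

```shell
#!/bin/sh
# Added example (not from the question or answer). Builds the Maven command
# lines for the two roles described in the answer. Assumed: SonarQube 5.x
# property names and a CI-provided SONAR_TOKEN environment variable.

# Developer's local run: issues mode with an HTML report, no credentials.
# With "Execute Analysis" restricted to the technical user, a developer who
# only holds "Browse" can still run this, but cannot publish to the server.
developer_issues_cmd() {
  printf '%s' "mvn sonar:sonar -Dsonar.host.url=$1 -Dsonar.analysis.mode=issues -Dsonar.issuesReport.html.enable=true"
}

# CI server's run: publish mode, authenticating with the technical user's
# token. The token is read from the environment rather than stored in the
# job definition or pom.xml. Note that -D properties still show up in the
# CI agent's process list; keeping the token in the technical user's Maven
# settings.xml profile avoids that.
ci_publish_cmd() {
  host="$1"
  token="$2"
  if [ -z "$token" ]; then
    echo "refusing to publish: SONAR_TOKEN is not set" >&2
    return 1
  fi
  printf '%s' "mvn sonar:sonar -Dsonar.host.url=$host -Dsonar.analysis.mode=publish -Dsonar.login=$token"
}

# Guard used to check that a developer-facing command never carries a
# credential; returns 0 when a login or password property is present.
cmd_has_credentials() {
  case "$1" in
    *sonar.login=*|*sonar.password=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: show the developer command for a constructed host URL.
developer_issues_cmd "${SONAR_HOST_URL:-http://localhost:9000}"
echo
```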
