# SonarCloud Integration

The SonarCloud integration enables Sprinto to automatically import vulnerability data from your code repositories. This helps you monitor security issues, track remediation, and maintain compliance with security frameworks.

Once connected, Sprinto continuously fetches vulnerability data and maps it to relevant controls and checks, eliminating the need for manual evidence collection.

### How It Works

Sprinto connects to SonarCloud using API-based authentication. After the integration is established:

* Sprinto retrieves a list of projects within your SonarCloud organisation.
* Vulnerabilities are fetched and filtered based on issue type.
* Branch-level data is used to evaluate relevant code states.
* The data is mapped to controls and checks within Sprinto.

The integration runs periodically to ensure that vulnerability data remains up to date.

#### Sprinto checks for SonarCloud <a href="#sprinto-checks-for-halo-security" id="sprinto-checks-for-halo-security"></a>

Following are the Sprinto checks available for SonarCloud:

<table><thead><tr><th width="214.6328125">Sprinto check</th><th>Required action</th></tr></thead><tbody><tr><td><strong>SonarCloud vulnerability alert should be resolved within SLA</strong></td><td>A vulnerability currently exists in the 'Open' status on your integrated SonarCloud account. Please address the vulnerability at its source and close it in your SonarCloud account.</td></tr></tbody></table>

### Features

* Automated vulnerability tracking from SonarCloud.
* Continuous monitoring of code security issues.
* Automatic evidence collection for compliance controls.
* Centralised visibility into vulnerabilities across projects.
* Reduced manual effort during audits.

***

### Use Cases

<table><thead><tr><th width="207.328125">Use Case</th><th width="509.91015625">Description</th></tr></thead><tbody><tr><td>Continuous Compliance</td><td>Automatically track vulnerabilities as part of compliance checks.</td></tr><tr><td>Audit Readiness</td><td>Provide auditors with up-to-date vulnerability evidence.</td></tr><tr><td>Security Monitoring</td><td>Identify and monitor risks across code repositories.</td></tr><tr><td>Reduced Manual Effort</td><td>Eliminate manual uploads of vulnerability reports.</td></tr></tbody></table>

***

### Prerequisites

Before setting up the SonarCloud integration, ensure the following requirements are met.

#### Access Requirements

* You must have **admin access** to your SonarCloud account.
* The account used to generate the API token must have **Administer Organization** permission.
* Ensure the account has **Browse Project** access to all projects you want to monitor.

#### Credentials Required

* A valid **SonarCloud API token**.
* The **Organisation Key** for your SonarCloud account.

#### Project Readiness

* Ensure that your SonarCloud organisation contains active projects.
* Projects should have completed scans with available vulnerability data.
* The main branch (or relevant branches) should be configured and accessible.

#### Network and Access Considerations

* Ensure there are no network restrictions blocking communication with SonarCloud APIs.
* API access should not be restricted by IP allowlists or firewall rules.

#### Recommended Setup

* Use a **dedicated service account** for generating API tokens.
* Ensure the token remains active and is not rotated without updating it in Sprinto.

***

### Permissions Required

Sprinto uses SonarCloud APIs to discover projects, fetch vulnerabilities, and monitor code branches. The integration requires both organisation-level and project-level permissions.

#### APIs Used by Sprinto

<table><thead><tr><th width="282.2734375">API Endpoint</th><th>Purpose</th></tr></thead><tbody><tr><td><code>GET /api/projects/search</code></td><td>Lists all projects in the organisation.</td></tr><tr><td><code>GET /api/issues/search</code></td><td>Fetches vulnerabilities (issues of type <code>VULNERABILITY</code>).</td></tr><tr><td><code>GET /api/project_branches/list</code></td><td>Retrieves project branches.</td></tr></tbody></table>

***

#### Required Permissions by API

<table><thead><tr><th width="250.578125">API Endpoint</th><th width="206.04296875">Permission Required</th><th width="198.20703125">Scope</th></tr></thead><tbody><tr><td><code>/api/projects/search</code></td><td>Administer Organization</td><td>Organisation-level</td></tr><tr><td><code>/api/issues/search</code></td><td>Browse</td><td>Project-level</td></tr><tr><td><code>/api/project_branches/list</code></td><td>Browse Project</td><td>Project-level</td></tr></tbody></table>
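The permission split above is easiest to confirm before connecting, because a token that is missing **Administer Organization** fails at the first call and one that is missing **Browse Project** fails only for individual projects. The script below is an added example (not Sprinto's or SonarCloud's own code) that walks the same three endpoints in the same order and reports the HTTP status of each; the `SONAR_TOKEN` and `SONAR_ORG` environment variable names and the injectable `fetch` hook are this example's own conventions, and the token is sent as the Basic-auth username with an empty password, the usual SonarQube/SonarCloud convention. It doubles as a first check for the "Projects are not visible" and "Vulnerabilities are not syncing" cases in the Troubleshooting section.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://sonarcloud.io"  # SonarCloud web API host

def build_url(path, **params):
    """Build a SonarCloud API URL; parameters set to None are dropped."""
    query = {k: v for k, v in params.items() if v is not None}
    return f"{BASE}{path}?{urllib.parse.urlencode(query)}"

def http_get(url, token):
    """GET a JSON endpoint with the token as Basic-auth username and an empty
    password (the SonarQube/SonarCloud convention). Returns (status, body|None)."""
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def preflight(token, org, fetch=http_get):
    """Call the three endpoints Sprinto uses, in the order the page describes,
    and report what the token can reach. `fetch` is injectable for offline tests."""
    report = {"projects_search": None, "per_project": {}}
    status, body = fetch(build_url("/api/projects/search", organization=org, ps=500), token)
    report["projects_search"] = status
    if status != 200:  # no Administer Organization: no projects can be discovered
        return report
    for comp in body.get("components", []):
        key = comp["key"]
        b_status, _ = fetch(build_url("/api/project_branches/list", project=key), token)
        i_status, issues = fetch(build_url("/api/issues/search", organization=org,
                                           componentKeys=key, types="VULNERABILITY",
                                           resolved="false", ps=1), token)
        report["per_project"][key] = {
            "branches": b_status,  # 403 here points at missing Browse Project access
            "issues": i_status,
            "open_vulnerabilities": issues["total"] if i_status == 200 else None,
        }
    return report

if __name__ == "__main__":  # env var names are assumed, not from the Sprinto docs
    print(json.dumps(preflight(os.environ["SONAR_TOKEN"], os.environ["SONAR_ORG"]), indent=2))
```

A 403 on `projects_search` matches the "Unable to connect" case; a 200 there with 403s under `per_project` matches a project-level permission gap.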

***

#### Minimum Required Role

The minimum organisation-level role required is:

* **Administer Organization**.

This is required because Sprinto must:

* Discover and list all projects in your organisation.
* Enable project selection for vulnerability tracking.

Without this permission, Sprinto cannot initialise the integration.

***

#### Additional Requirements

* Ensure **Browse Project** access for all projects to be monitored.
* API tokens inherit the permissions of the user who generates them.
* Use a dedicated service account where possible.

***

#### Plan Considerations

* **Free plans:** Access is limited to projects owned by the token user.
* **Team / Enterprise plans:** Project access can be managed using permission templates.

***

### Get SonarCloud Credentials

Before connecting the integration, generate the required credentials from SonarCloud.

#### Generate API Token

1. Log in to your SonarCloud account.
2. Click your **profile icon** in the top-right corner.
3. Select **My Account**.
4. Navigate to the **Security** tab.
5. Enter a name for the token.
6. Click **Generate Token**.
7. Copy the API token and store it securely.

***

#### Get Organisation Key

1. Navigate to the **Organisations** tab in SonarCloud.
2. Locate your organisation.
3. Copy the **organisation key** displayed next to the organisation name.

***

### Set Up the SonarCloud Integration

#### Step 1: Navigate to Integrations

1. Log in to the Sprinto dashboard.
2. Go to **Settings → Integrations**.
3. Search for **SonarCloud**.
4. Click **Connect**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fsc8u7nYDeLq7UwSgx8GO%2FScreenshot%202026-03-31%20at%2014.21.54.png?alt=media&#x26;token=6053d1b3-4509-4f26-bcdc-9aad8904490b" alt="" width="563"><figcaption></figcaption></figure>

***

#### Step 2: Review Permissions

1. In the connection drawer, review:
   * Permissions required.
   * Data accessed by Sprinto.
2. Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F3XVBe8W1tRa9edc5XHg2%2FScreenshot%202026-03-31%20at%2014.22.34.png?alt=media&#x26;token=70338f16-baf5-446f-a929-86d43772f587" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 3: Enter Connection Details

1. Select **Connection type: API Key**.
2. Enter:
   * **API Token**.
   * **Organisation Key**.
3. Refer to the inline instructions in the drawer to generate these credentials.
4. Click **Connect**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FS8L7sZQ6gLK6GRcHunzO%2FScreenshot%202026-03-31%20at%2014.23.16.png?alt=media&#x26;token=d5a0c541-a76a-4c03-a936-cbaaca3e7862" alt="" width="375"><figcaption></figcaption></figure>

***

### Post-Connection Behaviour

After connecting:

* SonarCloud appears as **Connected** in the Integrations page.
* Sprinto begins importing vulnerability data.
* Controls and checks are automatically populated.
* Vulnerability data is continuously refreshed.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FoebI81U5x2iFj3x0lTpy%2Fimage%20(11).png?alt=media&#x26;token=473bfa2b-3586-46d4-86d3-dd026d844a6e" alt="" width="563"><figcaption></figcaption></figure>

***

### Enable Vulnerability Monitoring

To start tracking vulnerabilities:

1. Go to **Data Library → Vulnerabilities → Overview**.
2. Click **+ Add monitoring source**.
3. Select **SonarCloud**.
4. Click **Add SonarCloud**.

* By default, all projects are selected.
* Use **Manage** to customise project selection.

***

### Sync and Evaluation

* Initial sync takes approximately **15–20 minutes**.
* Full evaluation may take a few hours.
* Sprinto continues to sync data periodically.

***

### Manage the Integration

#### Update Connection

* Navigate to **Settings → Integrations → SonarCloud**.
* Update credentials if required.

#### Disconnect Integration

* Click **Disconnect** to remove the integration.
* Automated evidence collection will stop.

***

### Troubleshooting

#### Unable to connect to SonarCloud

* Ensure the API token is valid and has not expired.
* Verify that the token belongs to a user with **Administer Organization** permission.
* Confirm that the organisation key is correct.

***

#### Projects are not visible in Sprinto

* Check if the user has **Administer Organization** permission.
* Ensure the organisation contains active projects.
* Verify that the API token is generated from the correct organisation.

***

#### Vulnerabilities are not syncing

* Ensure the user has **Browse Project** access to the relevant projects.
* Confirm that vulnerabilities exist in SonarCloud for the selected projects.
* Allow time for the next sync cycle to complete.

***

#### Integration connected but no data appears

* Check if projects are correctly configured within SonarCloud.
* Verify branch availability, especially the main branch.
* Ensure there are no permission restrictions at the project level.

***

#### Invalid API token or authentication errors

* Regenerate the API token from SonarCloud.
* Avoid using expired or revoked tokens.
* Ensure there are no extra spaces while pasting the token.

***

### Support

If you face any issues while setting up or using the SonarCloud integration, contact the [Sprinto support](mailto:support@sprinto.com) team for assistance.
