# SonarQube Integration

SonarQube is a self-hosted code quality and security platform that helps organisations detect vulnerabilities, bugs, and code issues across repositories.

By integrating SonarQube with Sprinto, you can continuously monitor vulnerabilities and ensure they are remediated within defined compliance timelines. Sprinto automatically tracks issues, maps them to controls, and flags overdue vulnerabilities.

***

### How it works

Sprinto connects to your SonarQube instance using a user API token and your SonarQube instance URL.

Once connected:

* Sprinto discovers projects from your SonarQube instance.
* Vulnerabilities (issues of type *VULNERABILITY*) are continuously synced.
* Branch-level data is used to track relevant code states.
* Sprinto evaluates remediation timelines against compliance requirements.
* Controls and checks are automatically updated based on vulnerability status.

Sprinto uses SonarQube APIs to:

* List projects.
* Fetch vulnerabilities.
* Retrieve project branches.
* Detect SonarQube version to determine authentication method.

***

### Prerequisites

Before setting up the integration, ensure the following:

* You have **administrator access** in Sprinto.
* You have **admin or sufficient permissions** in your SonarQube instance.
* Your SonarQube instance is accessible via a valid **instance URL**.
* You are using a **supported SonarQube version (8.x, 9.x, or 10.x)**.
* You can generate a **User Token** (Project tokens are not supported).
* The token owner has access to the projects you want to monitor.

***

### Permissions required

Sprinto requires both **global (instance-level)** and **project-level** permissions.

#### Global permissions (instance level)

One of the following is required:

* **Administer System** or **Administer** (recommended)\
  Allows Sprinto to automatically discover all projects.

**Alternative (if admin access is not available):**

* You must have **Browse permission on every project** you want to track.

***

#### Project-level permissions

For each project being monitored:

* **Browse**\
  Required to:
  * Fetch vulnerabilities.
  * Retrieve project branches.

***

#### Why these permissions are required

Sprinto uses the following SonarQube APIs:

* Project discovery (list projects).
* Vulnerability retrieval.
* Branch information retrieval.

Without sufficient permissions:

* Projects may not be visible.
* Vulnerabilities may not be fetched.
* Some checks may fail or remain incomplete.

***

### Authentication behaviour

Sprinto automatically adapts authentication based on your SonarQube version:

<table><thead><tr><th width="107.77734375">Version</th><th width="269.0234375">Authentication method</th></tr></thead><tbody><tr><td>10.x</td><td>Bearer token</td></tr><tr><td>9.x</td><td>Basic auth (token-based)</td></tr><tr><td>8.x</td><td>Basic auth</td></tr></tbody></table>

The integration detects your SonarQube version dynamically and applies the correct authentication method.

***

### Set up the integration

#### Step 1: Generate API token in SonarQube

1. Log in to your SonarQube instance.
2. Click your avatar in the top-right corner.
3. Go to **My Account**.
4. Open the **Security** tab.
5. Generate a new token:
   * **Token name:** Sprinto
   * **Token type:** User Token
   * **Expiration:** No expiration

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FIZe8AWuVVnGjnCGt600j%2Fsqube.png?alt=media&#x26;token=fe31861b-7e90-4294-9108-0b8af91f2331" alt="" width="563"><figcaption></figcaption></figure>

6. Click **Copy** to securely save the token.

{% hint style="info" %}
#### Note

* Tokens must be **User Tokens**.
* Tokens for SonarQube 9+ typically start with `squ_`.
{% endhint %}

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FIEkhR9FYpPMBflrYdH0K%2Fsqube1.png?alt=media&#x26;token=a0884d7e-b6f2-4925-b93f-9896ac897853" alt="" width="563"><figcaption></figcaption></figure>

***

#### Step 2: Connect SonarQube in Sprinto

1. Log in to the Sprinto dashboard.
2. Navigate to **Settings → Integrations**.
3. Search for **SonarQube**.
4. Click **Connect**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FORtH6qbfadIG11X5SDcu%2FScreenshot%202026-03-31%20at%2015.18.42.png?alt=media&#x26;token=1953bda6-9557-437e-ae87-0bc8d159cd14" alt="" width="563"><figcaption></figcaption></figure>

5. In the connection drawer:
   * Review permissions and data usage.
   * Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fg3BG9KcxinbFCYBXI73A%2FScreenshot%202026-03-31%20at%2015.19.41.png?alt=media&#x26;token=ce9d03fc-b79d-4617-837f-c578040e93fc" alt="" width="375"><figcaption></figcaption></figure>

6. Enter the following details:
   * **API Token:** Paste the generated token.
   * **SonarQube URL:** Enter your instance URL (e.g., `https://sonar.company.com`).
7. Click **Connect SonarQube**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FCHaslZWXQIjzXclCE2rg%2FScreenshot%202026-03-31%20at%2015.20.32.png?alt=media&#x26;token=58306132-ce74-4ca7-b3f5-1868a5eaf328" alt="" width="375"><figcaption></figcaption></figure>

Once connected, the integration status will show as **Connected**.

***

### Post-connection flow

After successfully connecting SonarQube, you must configure vulnerability monitoring for Sprinto to start evaluating compliance checks.

***

#### Add SonarQube as a monitoring source

1. Navigate to **Data Library → Vulnerabilities**.
2. Click **Add monitoring source**.
3. Select **SonarQube** from the list of available sources.

***

#### Select projects to monitor

1. Sprinto will display all accessible SonarQube projects.
2. Choose how you want to monitor projects:
   * **All projects** (default selection), or
   * **Specific projects** based on your requirements.
3. Confirm your selection.

Note: Only projects accessible to the API token will be available for selection.

***

#### Enable monitoring

1. Click **Add SonarQube** to complete the setup.
2. Sprinto will begin syncing vulnerability data.

***

#### Sync and evaluation timelines

* **Initial sync:**\
  Sprinto fetches all existing vulnerabilities across selected projects. This may take a few minutes depending on project size.
* **Subsequent syncs:**\
  Vulnerability data is periodically refreshed to capture new issues and status updates.
* **Evaluation:**\
  Sprinto evaluates:
  * Open vulnerabilities.
  * Severity levels.
  * Time taken to resolve issues.

These evaluations are mapped to relevant controls and checks.
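To make the three evaluation criteria concrete, here is an added example (not Sprinto's evaluation logic, whose rules and timelines are not published on this page) that runs them over issues shaped like SonarQube's `api/issues/search` output: it keeps only `VULNERABILITY` issues, computes the age of open ones and the time-to-resolve of closed ones, and flags each against a per-severity window. The window values in `SLA_DAYS` and the issue records in `SAMPLE_ISSUES` are constructed for illustration.

```python
from datetime import datetime, timezone

# Illustrative remediation windows (days) per SonarQube severity. Constructed
# placeholders: the page only says timelines are "defined compliance timelines".
SLA_DAYS = {"BLOCKER": 7, "CRITICAL": 14, "MAJOR": 30, "MINOR": 90, "INFO": 180}

# Constructed sample records in the shape of api/issues/search results
# (standard issue fields; keys, rules, components and dates are made up).
SAMPLE_ISSUES = [
    {"key": "A", "type": "VULNERABILITY", "severity": "CRITICAL", "status": "OPEN",
     "rule": "demo:RULE-1", "component": "demo:src/Login.java", "project": "demo",
     "creationDate": "2024-01-01T10:00:00+0000"},
    {"key": "B", "type": "VULNERABILITY", "severity": "MAJOR", "status": "OPEN",
     "rule": "demo:RULE-2", "component": "demo:src/Upload.java", "project": "demo",
     "creationDate": "2024-01-10T10:00:00+0000"},
    {"key": "C", "type": "VULNERABILITY", "severity": "BLOCKER", "status": "CLOSED",
     "rule": "demo:RULE-3", "component": "demo:src/Db.java", "project": "demo",
     "creationDate": "2024-01-01T10:00:00+0000", "closeDate": "2024-01-05T10:00:00+0000"},
    {"key": "D", "type": "VULNERABILITY", "severity": "CRITICAL", "status": "CLOSED",
     "rule": "demo:RULE-4", "component": "demo:src/Token.java", "project": "demo",
     "creationDate": "2023-12-01T10:00:00+0000", "closeDate": "2024-01-02T10:00:00+0000"},
    {"key": "E", "type": "BUG", "severity": "MAJOR", "status": "OPEN",
     "rule": "demo:RULE-5", "component": "demo:src/Util.java", "project": "demo",
     "creationDate": "2024-01-15T10:00:00+0000"},
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)

OPEN_STATUSES = ("OPEN", "CONFIRMED", "REOPENED")


def parse_ts(value: str) -> datetime:
    """SonarQube timestamps look like 2024-01-01T10:00:00+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def evaluate(issues, now, sla_days=SLA_DAYS):
    """Return (per-issue findings, summary) for the vulnerability issues in `issues`.

    Open issues are measured by age; resolved ones by creation-to-close time.
    Either is 'overdue' when it exceeds the window for its severity.
    """
    findings = []
    for issue in issues:
        if issue.get("type") != "VULNERABILITY":
            continue  # only VULNERABILITY issues are synced, per the page
        created = parse_ts(issue["creationDate"])
        window = sla_days.get(issue["severity"], max(sla_days.values()))
        if issue["status"] in OPEN_STATUSES:
            state, days = "open", (now - created).days
        else:
            # closeDate is set on CLOSED issues; fall back to updateDate for RESOLVED ones
            ended = parse_ts(issue.get("closeDate") or issue["updateDate"])
            state, days = "resolved", (ended - created).days
        findings.append({"key": issue["key"], "severity": issue["severity"],
                         "state": state, "days": days, "overdue": days > window})
    summary = {
        "open": sum(1 for f in findings if f["state"] == "open"),
        "open_overdue": sum(1 for f in findings if f["state"] == "open" and f["overdue"]),
        "resolved_late": sum(1 for f in findings if f["state"] == "resolved" and f["overdue"]),
    }
    return findings, summary


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ISSUES, NOW)[0]:
        print(finding)
    print(evaluate(SAMPLE_ISSUES, NOW)[1])
```

In the sample, issue A (CRITICAL, open 19 days against a 14-day window) and issue D (CRITICAL, fixed after 32 days) are the ones a check like "vulnerabilities remediated within timelines" would fail on; issue E is ignored because it is a `BUG`, not a `VULNERABILITY`.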

***

#### Where to view data

Once monitoring is enabled:

* Go to **Data Library → Vulnerabilities** to view imported issues.
* Navigate to **Monitoring** to track compliance checks and failures.
* Evidence is automatically attached to relevant controls.

***

#### Important considerations

* If no projects appear, verify that the API token has the required permissions.
* If vulnerabilities are not visible, ensure SonarQube analysis has been completed for the selected projects.
* Changes in project access or permissions may impact ongoing monitoring.

***

### What data is synced

Sprinto retrieves:

* Vulnerability details (issues)
* Severity
* File/component information
* Rule identifiers
* Project identifiers
* Branch information

This data is used to:

* Track remediation timelines.
* Power compliance checks.
* Generate audit-ready evidence.

***

### Version compatibility

<table><thead><tr><th width="181.546875">SonarQube version</th><th width="252.50390625">Support status</th></tr></thead><tbody><tr><td>10.x</td><td>Fully supported</td></tr><tr><td>9.x</td><td>Fully supported</td></tr><tr><td>8.x</td><td>Supported</td></tr><tr><td>7.x and earlier</td><td>Not officially supported</td></tr></tbody></table>

***

### Troubleshooting

#### Invalid token or authentication errors

* Ensure you are using a **User Token**, not a project token.
* Regenerate the token if it has expired or is invalid.
* Verify token format (especially for SonarQube 9+).

***

#### Unable to fetch projects

* Ensure you have **Administer** permission at the instance level.
* Alternatively, ensure **Browse access** is available for all required projects.

***

#### Vulnerabilities not syncing

* Ensure projects have completed analysis in SonarQube.
* Verify the token has access to those projects.
* Allow time for the initial sync.

***

#### Some projects missing

* The token may not have access to those projects.
* Ensure **Browse permission** is enabled for those projects.

***

#### Integration fails intermittently

* Check network connectivity to your SonarQube instance.
* Verify the instance is publicly accessible (if required).
* Ensure no firewall or proxy is blocking requests.

***

### Disconnect SonarQube

1. Go to **Settings → Integrations → SonarQube**.
2. Click **Disconnect**.

This stops all data syncing and monitoring.

***

### Need help?

If you face issues setting up or using the integration, contact [Sprinto support](mailto:support@sprinto.com).
