SonarQube Integration

Connect SonarQube with Sprinto to automatically track code vulnerabilities, monitor remediation timelines, and stay compliant with security standards.

SonarQube is a self-hosted code quality and security platform that helps organisations detect vulnerabilities, bugs, and code issues across repositories.

By integrating SonarQube with Sprinto, you can continuously monitor vulnerabilities and ensure they are remediated within defined compliance timelines. Sprinto automatically tracks issues, maps them to controls, and flags overdue vulnerabilities.


How it works

Sprinto connects to your SonarQube instance using a user API token and your SonarQube instance URL.

Once connected:

  • Sprinto discovers projects from your SonarQube instance.

  • Vulnerabilities (issues of type VULNERABILITY) are continuously synced.

  • Branch-level data is used to track relevant code states.

  • Sprinto evaluates remediation timelines against compliance requirements.

  • Controls and checks are automatically updated based on vulnerability status.

Sprinto uses SonarQube APIs to:

  • List projects.

  • Fetch vulnerabilities.

  • Retrieve project branches.

  • Detect SonarQube version to determine authentication method.


Prerequisites

Before setting up the integration, ensure the following:

  • You have administrator access in Sprinto.

  • You have admin or sufficient permissions in your SonarQube instance.

  • Your SonarQube instance is accessible via a valid instance URL.

  • You are using a supported SonarQube version (8.x, 9.x, or 10.x).

  • You can generate a User Token (Project tokens are not supported).

  • The token owner has access to the projects you want to monitor.


Permissions required

Sprinto requires both global (instance-level) and project-level permissions.

Global permissions (instance level)

One of the following is required:

  • Administer System or Administer (recommended): allows Sprinto to automatically discover all projects.

Alternative (if admin access is not available):

  • You must have Browse permission on every project you want to track.


Project-level permissions

For each project being monitored:

  • Browse, required to:

    • Fetch vulnerabilities.

    • Retrieve project branches.


Why these permissions are required

Sprinto uses the following SonarQube APIs:

  • Project discovery (list projects).

  • Vulnerability retrieval.

  • Branch information retrieval.

Without sufficient permissions:

  • Projects may not be visible.

  • Vulnerabilities may not be fetched.

  • Some checks may fail or remain incomplete.


Authentication behaviour

Sprinto automatically adapts authentication based on your SonarQube version:

Version    Authentication method
10.x       Bearer token
9.x        Basic auth (token-based)
8.x        Basic auth

The integration detects your SonarQube version dynamically and applies the correct authentication method.
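The flow described under "How it works" and in the table above (detect the server version, pick the matching authentication scheme, then list projects, branches and issues of type VULNERABILITY) worked through as an added example. This is hypothetical client code written for this page, not Sprinto's integration; it assumes the standard SonarQube Web API endpoints (/api/server/version, /api/projects/search, /api/project_branches/list, /api/issues/search), and the instance URL, token and server responses are constructed sample data so the code runs offline.

```python
"""Hypothetical SonarQube sync client (added example, not Sprinto's code)."""
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib import parse

# A transport maps (url, headers) -> (status, body). In live use this would wrap
# urllib.request or similar; injecting it lets the client run offline against
# constructed responses.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def auth_headers(version: str, token: str) -> Dict[str, str]:
    """10.x: Bearer token. 9.x and 8.x: HTTP Basic, token as username, empty password."""
    major = int(version.split(".")[0])
    if major < 8:
        raise ValueError(f"SonarQube {version} is not supported (8.x or later required)")
    if major >= 10:
        return {"Authorization": f"Bearer {token}"}
    return {"Authorization": "Basic " + base64.b64encode(f"{token}:".encode()).decode()}


def is_user_token(version: str, token: str) -> bool:
    """User Tokens on SonarQube 9+ carry the squ_ prefix; 8.x tokens have none."""
    return token.startswith("squ_") if int(version.split(".")[0]) >= 9 else bool(token)


class SonarQubeClient:
    def __init__(self, base_url: str, token: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        # /api/server/version needs no credentials, so the version is known
        # before an authentication scheme has to be chosen.
        self.version = self._get("/api/server/version", {}, headers={}).strip()
        if not is_user_token(self.version, token):
            raise ValueError("a User Token is required (squ_ prefix on SonarQube 9+)")
        self.headers = auth_headers(self.version, token)

    def _get(self, path: str, params: Dict[str, str], headers: Optional[Dict[str, str]] = None) -> str:
        url = self.base_url + path + ("?" + parse.urlencode(params) if params else "")
        status, body = self.transport(url, self.headers if headers is None else headers)
        if status in (401, 403):
            raise PermissionError(f"{status} from {path}: token invalid or missing Browse/Administer permission")
        if status != 200:
            raise RuntimeError(f"{status} from {path}")
        return body

    def _paged(self, path: str, params: Dict[str, str], field: str) -> List[dict]:
        """Walk the p/ps paging until every item under `field` is collected."""
        items, page = [], 1
        while True:
            data = json.loads(self._get(path, {**params, "p": str(page), "ps": "500"}))
            items.extend(data.get(field, []))
            if page * 500 >= data.get("paging", {}).get("total", 0):
                return items
            page += 1

    def list_projects(self) -> List[str]:
        """Full discovery needs Administer System; otherwise only Browse-able projects appear."""
        return [c["key"] for c in self._paged("/api/projects/search", {}, "components")]

    def list_branches(self, project_key: str) -> List[str]:
        data = json.loads(self._get("/api/project_branches/list", {"project": project_key}))
        return [b["name"] for b in data.get("branches", [])]

    def fetch_vulnerabilities(self, project_key: str, branch: Optional[str] = None) -> List[dict]:
        """Only issues of type VULNERABILITY, reduced to the fields the page lists."""
        params = {"componentKeys": project_key, "types": "VULNERABILITY"}
        if branch:
            params["branch"] = branch
        return [{"key": i["key"], "rule": i["rule"], "severity": i["severity"], "status": i["status"],
                 "component": i["component"], "project": i["project"], "created": i["creationDate"]}
                for i in self._paged("/api/issues/search", params, "issues")]


# Constructed responses standing in for a SonarQube 10.x instance (sample data, not real output).
FAKE = {
    "/api/server/version": "10.4.1.88267",
    "/api/projects/search": json.dumps({"paging": {"total": 2}, "components": [
        {"key": "payments-api", "name": "Payments API"}, {"key": "web-frontend", "name": "Web"}]}),
    "/api/project_branches/list": json.dumps({"branches": [
        {"name": "main", "isMain": True}, {"name": "release-1.2", "isMain": False}]}),
    "/api/issues/search": json.dumps({"paging": {"total": 1}, "issues": [
        {"key": "AX-constructed-1", "rule": "java:S2068", "severity": "BLOCKER", "status": "OPEN",
         "component": "payments-api:src/Config.java", "project": "payments-api",
         "creationDate": "2024-01-10T09:15:00+0000"}]}),
}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Behaves like a 10.x server: the version endpoint is public, everything else needs Bearer auth."""
    path = parse.urlsplit(url).path
    if path != "/api/server/version" and not headers.get("Authorization", "").startswith("Bearer "):
        return 401, '{"errors":[{"msg":"Unauthorized"}]}'
    return (200, FAKE[path]) if path in FAKE else (404, "")
```

Run against a real instance by passing a transport built on urllib.request instead of fake_transport; a 401 or 403 from any endpoint other than the version check surfaces as PermissionError, which is the symptom to expect when the token is a project token or lacks Browse on the project.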


Set up the integration

Step 1: Generate API token in SonarQube

  1. Log in to your SonarQube instance.

  2. Click your avatar in the top-right corner.

  3. Go to My Account.

  4. Open the Security tab.

  5. Generate a new token:

    • Token name: Sprinto

    • Token type: User Token

    • Expiration: No expiration

  6. Click Copy to securely save the token.

Note

  • Tokens must be User Tokens.

  • Tokens for SonarQube 9+ typically start with squ_.


Step 2: Connect SonarQube in Sprinto

  1. Log in to the Sprinto dashboard.

  2. Navigate to Settings → Integrations.

  3. Search for SonarQube.

  4. Click Connect.

  5. In the connection drawer:

    • Review permissions and data usage.

    • Click Next.

  6. Enter the following details:

    • API Token: Paste the generated token.

    • SonarQube URL: Enter your instance URL (e.g., https://sonar.company.com).

  7. Click Connect SonarQube.

Once connected, the integration status will show as Connected.


Post-connection flow

After successfully connecting SonarQube, you must configure vulnerability monitoring for Sprinto to start evaluating compliance checks.


Add SonarQube as a monitoring source

  1. Navigate to Data Library → Vulnerabilities.

  2. Click Add monitoring source.

  3. Select SonarQube from the list of available sources.


Select projects to monitor

  1. Sprinto will display all accessible SonarQube projects.

  2. Choose how you want to monitor projects:

    • All projects (default selection), or

    • Specific projects based on your requirements.

  3. Confirm your selection.

Note: Only projects accessible to the API token will be available for selection.


Enable monitoring

  1. Click Add SonarQube to complete the setup.

  2. Sprinto will begin syncing vulnerability data.


Sync and evaluation timelines

  • Initial sync: Sprinto fetches all existing vulnerabilities across selected projects. This may take a few minutes depending on project size.

  • Subsequent syncs: Vulnerability data is periodically refreshed to capture new issues and status updates.

  • Evaluation: Sprinto evaluates:

    • Open vulnerabilities.

    • Severity levels.

    • Time taken to resolve issues.

These evaluations are mapped to relevant controls and checks.
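The evaluation described above (open vulnerabilities, severity, time taken to resolve, and flagging of overdue issues) worked through as an added example. This is illustrative code written for this page, not Sprinto's evaluation logic; the remediation windows per severity are assumed placeholders, since the page states no numbers, and the findings are constructed sample records shaped like synced SonarQube issues.

```python
"""Remediation-timeline evaluation over synced vulnerabilities (added example, not Sprinto's code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed remediation windows in days per SonarQube severity. These are
# illustrative placeholders for a policy you would define, not values from the page.
SLA_DAYS: Dict[str, Optional[int]] = {"BLOCKER": 7, "CRITICAL": 14, "MAJOR": 30, "MINOR": 90, "INFO": None}
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}


def parse_ts(value: str) -> datetime:
    """SonarQube issue timestamps look like 2024-01-10T09:15:00+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


@dataclass
class Finding:
    key: str
    project: str
    severity: str
    status: str
    created: str
    closed: Optional[str] = None  # closeDate from the issue, when resolved


@dataclass
class Result:
    key: str
    project: str
    severity: str
    days: int             # days open so far, or days taken to resolve
    limit: Optional[int]  # applicable window, None when no SLA applies
    state: str            # open | overdue | resolved_in_time | resolved_late | no_sla


def evaluate(f: Finding, now: datetime) -> Result:
    """Measure open age or time-to-fix and compare it with the severity's window."""
    start = parse_ts(f.created)
    is_open = f.status in OPEN_STATUSES
    # A resolved issue without a close date is measured up to now (conservative).
    end = now if is_open or not f.closed else parse_ts(f.closed)
    days = (end - start).days
    limit = SLA_DAYS.get(f.severity)
    if limit is None:
        state = "no_sla"
    elif is_open:
        state = "overdue" if days > limit else "open"
    else:
        state = "resolved_late" if days > limit else "resolved_in_time"
    return Result(f.key, f.project, f.severity, days, limit, state)


def run_check(findings: List[Finding], now: datetime) -> dict:
    """The check passes only when no open vulnerability has exceeded its window;
    late resolutions are reported as evidence but do not fail the check here."""
    results = [evaluate(f, now) for f in findings]
    overdue = sorted(r.key for r in results if r.state == "overdue")
    late = sorted(r.key for r in results if r.state == "resolved_late")
    by_project: Dict[str, int] = {}
    for r in results:
        if r.state == "overdue":
            by_project[r.project] = by_project.get(r.project, 0) + 1
    return {"passed": not overdue, "overdue": overdue, "resolved_late": late,
            "overdue_by_project": by_project, "results": results}


# Constructed sample findings, shaped like issues after a sync (not real data).
SAMPLE = [
    Finding("c-1", "payments-api", "BLOCKER", "OPEN", "2024-01-10T09:15:00+0000"),
    Finding("c-2", "payments-api", "MAJOR", "CONFIRMED", "2024-01-20T08:00:00+0000"),
    Finding("c-3", "web-frontend", "CRITICAL", "RESOLVED", "2024-01-01T00:00:00+0000", "2024-01-10T00:00:00+0000"),
    Finding("c-4", "web-frontend", "MINOR", "CLOSED", "2023-10-01T00:00:00+0000", "2024-01-15T00:00:00+0000"),
    Finding("c-5", "web-frontend", "INFO", "OPEN", "2023-01-01T00:00:00+0000"),
]
NOW = parse_ts("2024-02-01T12:00:00+0000")

if __name__ == "__main__":
    report = run_check(SAMPLE, NOW)
    print("check passed:", report["passed"], "overdue:", report["overdue"], "late:", report["resolved_late"])
```

The per-project overdue counts are what you would attach to a control as evidence; the distinction between an open overdue issue (fails the check now) and a late-but-resolved one (historical time-to-fix) is the part worth getting right, because auditors ask about both.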


Where to view data

Once monitoring is enabled:

  • Go to Data Library → Vulnerabilities to view imported issues.

  • Navigate to Monitoring to track compliance checks and failures.

  • Evidence is automatically attached to relevant controls.


Important considerations

  • If no projects appear, verify that the API token has the required permissions.

  • If vulnerabilities are not visible, ensure SonarQube analysis has been completed for the selected projects.

  • Changes in project access or permissions may impact ongoing monitoring.


What data is synced

Sprinto retrieves:

  • Vulnerability details (issues)

  • Severity

  • File/component information

  • Rule identifiers

  • Project identifiers

  • Branch information

This data is used to:

  • Track remediation timelines.

  • Power compliance checks.

  • Generate audit-ready evidence.


Version compatibility

SonarQube version    Support status
10.x                 Fully supported
9.x                  Fully supported
8.x                  Supported
7.x and earlier      Not officially supported


Troubleshooting

Invalid token or authentication errors

  • Ensure you are using a User Token, not a project token.

  • Regenerate the token if it has expired or is invalid.

  • Verify token format (especially for SonarQube 9+).


Unable to fetch projects

  • Ensure you have Administer permission at the instance level.

  • Alternatively, ensure Browse access is available for all required projects.


Vulnerabilities not syncing

  • Ensure projects have completed analysis in SonarQube.

  • Verify the token has access to those projects.

  • Allow time for the initial sync.


Some projects missing

  • The token may not have access to those projects.

  • Ensure Browse permission is enabled for those projects.


Integration fails intermittently

  • Check network connectivity to your SonarQube instance.

  • Verify the instance is publicly accessible (if required).

  • Ensure no firewall or proxy is blocking requests.


Disconnect SonarQube

  1. Go to Settings → Integrations → SonarQube.

  2. Click Disconnect.

This stops all data syncing and monitoring.


Need help?

If you face issues setting up or using the integration, contact Sprinto support.
