Skip to main content


SonarQube scans code projects for potential vulnerabilities, code smells, bugs, and other issues, and provides recommendations for fixing those issues. You can bring code project and static code findings from SonarQube into Brinqa to better understand the security risks associated with your codebase and prioritize remediation efforts to strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with SonarQube and how to obtain that information from SonarQube. See create a data integration for step-by-step instructions on setting up the integration.

The SonarQube connector supports the Community, Developer, Enterprise, and Data Center editions of SonarQube.

Required connection settings

When setting up a data integration, select SonarQube from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate SonarQube with Brinqa:

  • Server URL: The SonarQube Server URL.

  • User token: The access token associated with the SonarQube user, which must have permissions to log in to the API server and return data.

Generate a SonarQube user token

For the SonarQube connector to use the SonarQube API, you must provide the user token from SonarQube. The user token inherits the permissions of the user who creates the token and can be used to perform any SonarQube Web API action.

To create a user token, follow these steps:

  1. Log in to your organization's SonarQube server.

  2. Click the account profile icon on the upper-right corner of the page and then click My Account.

  3. Click the Security tab.

  4. Enter a name for the token and click Generate.

    Your new user token displays. You cannot view the token again. Copy the token and save it in a secure location.


For additional information on managing user tokens and permissions for your SonarQube account, see SonarQube documentation.

Additional settings

The SonarQube connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 500. It is not recommended to go over 500.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The SonarQube connector can retrieve the following types of data from the SonarQube API:

Table 1: Data retrieved from SonarQube

Connector ObjectRequiredMaps to Data Model
Code ProjectYesCode Project
Static Code FindingYesStatic Code Finding
Static Code Finding DefinitionYesStatic Code Finding Definition

For detailed steps on how to view the data retrieved from SonarQube in the Brinqa Platform, see How to view your data.

Operation options

The SonarQube connector supports the following operation options. See connector operation options for information about how to apply them.

Table 2: SonarQube connector operation options

Connector ObjectOptionAll Possible valuesDescriptionExample
Static Code FindingresolutionsFALSE-POSITIVE, FIXED, REMOVED, WONTFIXA comma-separated list of resolutions. Retrieve static code findings with the specified resolution.Key: resolutions Value: FIXED. This key and value combination only retrieves fixed issues.
resolvedfalse, no, true, yesRetrieve static code findings with the specified status.Key: resolved Value: true. This key and value combination only retrieves resolved issues.
severitiesBLOCKER, CRITICAL, INFO, MAJOR, MINORA comma-separated list of severity levels. Retrieve static code findings with the specified severity level.Key: severities Value: CRITICAL. This key and value combination only retrieves critical issues.
sonarsourceSecurityauth, buffer-overflow, command-injection, csrf, dos,file-manipulation, http-response-splitting, insecure-conf, ldap-injection, log-injection, object-injection, open-redirect, others, path-traversal-injection, rce, sql-injection, ssrf, weak-cryptography, xpath-injection, xss, xxeA comma-separated list of SonarSource security categories. Retrieve static code findings with the specified category.Key: sonarsourceSecurity Value: file-manipulation. This key and value combination only retrieves issues that fall under the file-manipulation SonarSource security category.
statusesCLOSED, CONFIRMED, IN_REVIEW, OPEN, REOPENED, RESOLVED, REVIEWED, TO_REVIEWA comma-separated list of issue statuses. Retrieve static code findings by the specified statuses.Key: statuses Value: OPEN,REOPENED. This key and value combination only retrieves OPEN and REOPENED issues.
tagsAny static code finding tags.A comma-separated list of tags. Retrieve static code findings with the specified tags.Key: tags Value: convention. This key and value combination only retrieves issues with the convention tag.
typesBUG,CODE_SMELL,VULNERABILITYA comma-separated list of issue types. Retrieve static code findings by the specified type.Key: types Value: CODE_SMELL,BUG. This key and value combination only retrieves CODE_SMELL and BUG issues.

The option keys and values are case-sensitive as they are shown in this documentation.


The SonarQube connector uses the SonarQube Web API. Specifically, it uses the following endpoints:

Table 3: SonarQube Web API Endpoints

Connector ObjectAPI Endpoint
Code ProjectGET /api/projects/search
GET /api/measures/component
GET /api/project_analyses/search
Static Code FindingGET /api/issues/search
GET /api/sources/show
Static Code Finding DefinitionGET /api/rules/search


The SonarQube connector has undergone the following changes:


  • Improved its handling of the vendor API's limitation, which restricts the maximum return of 10,000 records.


  • Replaced ImmutableSet with HashSet.