In this post, I will walk you through some of the best practices that help you complete the post-deployment configuration of SonarQube.

Change Admin Password

First things first.

After deployment, log in to SonarQube using the following default credentials.

  • user: admin
  • password: admin

After logging in, go to Administration and select Security - Users.


Force authentication


After the force authentication option is enabled, no one is able to see the project's analysis summary without logging in.
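A check for the two steps above (changed admin password, force authentication), added here as an example and not part of the original post or of SonarQube itself. It assumes the `api/authentication/validate` web service answers `{"valid": true|false}` and reports anonymous requests as valid only while force authentication is off; `fake_sonarqube` and the host name are constructed stand-ins so the block runs offline.

```python
import base64
import io
import json
import urllib.error
import urllib.request

VALIDATE_PATH = "/api/authentication/validate"  # assumed SonarQube web service


def is_valid(base_url, creds=None, opener=urllib.request.urlopen):
    """Return the 'valid' flag the server reports for creds (None = anonymous)."""
    req = urllib.request.Request(base_url.rstrip("/") + VALIDATE_PATH)
    if creds:
        raw = "{}:{}".format(*creds).encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    try:
        with opener(req, timeout=10) as resp:
            return bool(json.load(resp).get("valid"))
    except urllib.error.HTTPError as err:
        if err.code == 401:  # treat an HTTP 401 as rejected credentials
            return False
        raise


def audit(base_url, opener=urllib.request.urlopen):
    """List the post-deployment steps from this post that are still open."""
    findings = []
    if is_valid(base_url, ("admin", "admin"), opener):
        findings.append("default admin password not changed")
    if is_valid(base_url, None, opener):
        findings.append("force authentication is disabled")
    return findings


def fake_sonarqube(admin_password, force_auth):
    """Constructed stand-in for a server so the example runs offline."""
    def opener(req, timeout=None):
        header = req.get_header("Authorization")
        if header:
            user, _, pw = base64.b64decode(header.split()[1]).decode().partition(":")
            valid = (user, pw) == ("admin", admin_password)
        else:
            valid = not force_auth
        return io.BytesIO(json.dumps({"valid": valid}).encode())
    return opener


if __name__ == "__main__":
    print(audit("http://sonarqube.example", fake_sonarqube("admin", False)))
    print(audit("http://sonarqube.example", fake_sonarqube("Constructed-Passphrase-1", True)))
```

To run it against your own server, call `audit()` with that server's base URL and leave out the `opener` argument; an empty list means both steps are done.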

Configure Server base URL


Create Project

SonarQube provides 2 ways to create a project.


Provide a Project Key (without spaces) and a Display Name.


This key will be required when you configure SonarQube with Azure Pipelines.


Configure Tokens

Recommended

If you want to enforce security by not providing the credentials of a real SonarQube user to run your code scan or to invoke web services, you can provide a User Token as a replacement for the user login. This increases the security of your installation by not letting your analysis user's password go over your network.

These tokens are used to create the service endpoint with Azure DevOps.

Administrator - My Account - Security


You can have 1 token across the projects or you can have individual tokens.


Create and Add Users

Create User

SonarQube allows creating local users.


Add User to project


Add the user to the project with the desired permissions by selecting the checkboxes.


Let's assign this user the Execute Analysis permission and see the difference.


Menu options are limited now.

Configure with AAD

Refer to the sonar-auth-aad documentation to configure AAD authentication for SonarQube.

Work with Azure DevOps Pipeline

Refer to the MS documentation to configure the SonarQube server with an Azure DevOps pipeline.


About Ajeet Chouksey

A passionate certified technologist, blogger with 14+ years of industry experience in delivering continuous value to the client.