Connect with SonarQube
Security Insights is in beta. To request access, contact Harness Support.
SonarQube is an open-source platform for continuous inspection of code quality. It performs automatic static analysis to detect bugs, code quality issues, and security vulnerabilities.
On initial setup, Harness SEI backfills up to 6 months of historical code quality findings. Once connected, the Open vulnerabilities by severity metric updates on the Security Insights dashboard in the Security tab of the Insights page.
Once connected, code quality findings from SonarQube contribute to organization-wide and team-level Security Insights metrics, including total open vulnerabilities.
Prerequisites
Ensure that you have the SEI Admin role and a SonarQube API token.
Create a SonarQube API token
To configure the SonarQube integration, you must create an API token in SonarQube. The token must be either a User Token or a Global Analysis Token, and have sufficient permissions to access organization and project-level analysis data. For SonarQube Cloud, the token is associated with a user and scoped by that user's organization access.
SonarQube tokens can also be scoped at the organization level. For more information about creating scoped organization tokens, see the official SonarQube documentation.
If your SonarQube instance uses an allowlist, ensure that required Harness IP addresses are permitted. For more information, see Harness Platform IPs.
Add the integration
To add the integration:
- From the SEI navigation menu, click Account Management.
- On the Integrations page, select the Available Integrations tab.
- Locate the ArmorCode integration and click Add Integration.
- In the Overview section, provide a name for the integration (for example, SonarQube Production) and optionally add tags.
- Click Continue.
- Add your SonarQube instance URL (for example, https://sonarcloud.io) in the SonarQube URL field.
- Enter your SonarQube API token in the API Token field. The token must be a User Token or Global Analysis Token.
- Click Continue.
- Optionally, limit ingestion to a specific organization or set of projects by entering a name in the Organization field and a project key in the Project Keys field.
  - Project keys are case-sensitive.
  - Leave the Project Keys field empty to ingest all projects.
- Click Continue to validate the connection.
- Once validation succeeds, click Finish.
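Before entering the token and project keys in the form, you can check them against the SonarQube Web API: that the token is accepted, that each project key resolves with its exact case, and that open vulnerability data is readable. This is an added example, not Harness or SonarQube code; `fake_sonar` is a constructed stand-in for a SonarQube instance and the project key in it is a made-up value.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode


def sonar_fetch(base_url, token, path, params=None):
    """GET a SonarQube Web API path, sending the token as the HTTP Basic
    username with an empty password; returns (http_status, parsed JSON)."""
    url = base_url.rstrip("/") + "/" + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}  # 401: token rejected, 403: no permission, 404: unknown key


def preflight(project_keys, fetch):
    """Run the checks ingestion depends on. `fetch(path, params)` returns
    (status, json); pass functools.partial(sonar_fetch, url, token) or a fake."""
    report = {"token_valid": False, "missing_keys": [], "open_vulns": None}
    status, body = fetch("api/authentication/validate", None)
    report["token_valid"] = status == 200 and body.get("valid") is True
    if not report["token_valid"]:
        return report  # nothing else is meaningful with a rejected token
    for key in project_keys:  # exact-case lookup: project keys are case-sensitive
        status, _ = fetch("api/components/show", {"component": key})
        if status != 200:
            report["missing_keys"].append(key)
    found = [k for k in project_keys if k not in report["missing_keys"]]
    if found:  # confirm open (unresolved) vulnerabilities are readable with this token
        status, body = fetch("api/issues/search", {"componentKeys": ",".join(found),
                             "types": "VULNERABILITY", "resolved": "false", "ps": "1"})
        if status == 200:
            report["open_vulns"] = body.get("paging", {}).get("total")
    return report


def fake_sonar(path, params):
    """Constructed stand-in for a SonarQube instance so the example runs offline."""
    if path == "api/authentication/validate":
        return 200, {"valid": True}
    if path == "api/components/show":  # only the lower-case key exists
        return (200, {}) if params["component"] == "my-org_payments-api" else (404, {})
    if path == "api/issues/search":
        return 200, {"paging": {"total": 3}}
    return 404, {}
```

Running `preflight(["my-org_payments-api", "MY-ORG_PAYMENTS-API"], fake_sonar)` reports the upper-case variant as missing, which is the kind of silent mismatch an empty dashboard usually comes down to.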
Integration monitoring
To monitor ingestion and aggregation activity, navigate to the Monitoring tab for the SonarQube integration. This tab displays ingestion logs, which show the status and execution details of each data sync.
You can click the Filters button to filter these logs by Status (for example: Success, Failed, Pending, or Scheduled). These statuses reflect the state of ingestion or aggregation jobs.
Ingestion Logs
The following information is available for each ingestion and aggregation run.
| Column | Description |
|---|---|
| Scan Range Time | The time range for which data was fetched during ingestion. |
| Data Retrieval Process | The ingestion or aggregation method used to fetch and process data. If multiple aggregations occur, this reflects the most recent aggregation status. |
| Task Start Time | The timestamp when the ingestion or aggregation job started. |
| Status | The execution status of the job (for example, Success or Failed). |
| Time to Complete | Total time taken for the job to finish execution. |
| Retries | Number of times the job was retried before completion. |
Use ingestion logs to troubleshoot missing data, validate successful syncs, or identify delays in Security Insights reporting.
Next steps
After configuring the SonarQube integration, you can:
- Select the SonarQube integration from the Code Quality Tools section on the Integrations tab in Team Settings
- View organization-wide security metrics in the Security Insights dashboard
- Drill down into team-level vulnerabilities by selecting a team in the Org Tree