
SSO + Zero-Day Protection for SonarQube

by SonarSource

Add SAML/OIDC SSO to SonarQube with Authenticated Proxy — Shield Code Quality Data

Why SonarQube Needs an Authenticated Proxy

SonarQube is the leading code quality and security analysis platform, scanning millions of lines of code for vulnerabilities, bugs, and code smells. SonarQube instances contain a detailed map of every security vulnerability in your codebase — a treasure trove for attackers who can see exactly which vulnerabilities to exploit. Without proper access controls, SonarQube effectively publishes your security weaknesses internally. OnePAM secures SonarQube by adding enterprise SSO via its HTTP header authentication feature (sonar.web.sso). Users authenticate through your corporate IdP, and OnePAM handles the identity injection. Only authenticated, authorized users can access code quality and security data, and zero-day vulnerabilities in SonarQube itself are shielded from unauthenticated exploitation.

HTTP Header Authentication
X-Forwarded-Login

SonarQube supports SSO via HTTP headers when sonar.web.sso.enable=true. OnePAM injects X-Forwarded-Login (username), X-Forwarded-Name (display name), X-Forwarded-Email (email), and X-Forwarded-Groups (group memberships) headers on every request.

SonarQube Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

SonarQube has had critical vulnerabilities including authentication bypass
Code security scan results reveal exactly which vulnerabilities exist in your codebase
SonarQube API exposes security hotspots, vulnerability details, and remediation advice
Publicly exposed SonarQube instances have been a documented attack vector

Security Challenges with SonarQube

These are the risks organizations face when SonarQube is not behind an authenticated proxy.

Vulnerability Map Exposure

SonarQube contains a complete catalog of security vulnerabilities in your code. Unauthorized access gives attackers a roadmap to exploit your applications.

Authentication Bypass Risk

SonarQube has had authentication bypass CVEs. Without a proxy layer, these vulnerabilities provide direct access to your security findings.

Credential Management

SonarQube's built-in user management creates another credential silo. Many organizations use basic auth or no auth for internal instances.

SAML Complexity

SonarQube's built-in SAML support (Developer Edition+) is complex to configure and limited to paid editions.

Branch Security Data

Branch analysis results expose security vulnerabilities in feature branches before they're reviewed and fixed.

API Access Control

SonarQube's REST API allows programmatic access to vulnerability data. Without proper controls, automated tools can extract security findings.

How OnePAM Adds SSO + Zero-Day Protection to SonarQube

A step-by-step guide to deploying OnePAM's authenticated proxy in front of SonarQube.

1. Deploy OnePAM as SonarQube's Proxy

Place OnePAM in front of SonarQube, making it the sole entry point on ports 80/443.

SonarQube is configured to listen on localhost only. OnePAM intercepts all traffic and enforces authentication before any request reaches SonarQube.

2. Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider — Okta, Azure AD, Google Workspace, or any compliant provider.

OnePAM handles the full authentication flow including MFA enforcement, assertion validation, and session management.

3. Enable SonarQube SSO Headers

Configure SonarQube's HTTP header SSO (sonar.web.sso.enable=true) to trust OnePAM's identity headers.

SonarQube reads X-Forwarded-Login (username), X-Forwarded-Name (display name), X-Forwarded-Email, and X-Forwarded-Groups from OnePAM's proxied requests.

4. Map Groups and Permissions

OnePAM passes IdP group memberships via the X-Forwarded-Groups header for automatic SonarQube permission assignment.

Developers see their projects, the security team sees vulnerability dashboards, and managers see quality gate status — all based on IdP group membership.

5. Monitor and Audit

Track who accessed which code quality data, when, and with what authentication method.

OnePAM's audit trail records every SonarQube access event with IdP context. Session recording captures exactly what security data was viewed.
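The following is an added example, not OnePAM's code, showing what the proxy in steps 1 to 5 has to do with each request once SonarQube is running with sonar.web.sso.enable=true. It also illustrates the header section above: SonarQube trusts X-Forwarded-Login, X-Forwarded-Name, X-Forwarded-Email and X-Forwarded-Groups unconditionally, so the proxy must drop any copy of those headers the client sent before injecting the identity from its own IdP session, and it should write an audit record carrying that IdP context. The Identity type and the sample request are constructed for the example.

```python
"""
Header-based SSO injection for SonarQube (sonar.web.sso.enable=true).

Added example: this is not OnePAM's code. It models what an authenticating
reverse proxy must do before forwarding a request to SonarQube.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Header names SonarQube reads by default when HTTP header SSO is enabled.
SSO_HEADERS = ("X-Forwarded-Login", "X-Forwarded-Name",
               "X-Forwarded-Email", "X-Forwarded-Groups")


@dataclass
class Identity:
    """Identity established by the proxy's own IdP session (hypothetical type)."""
    login: str
    name: str
    email: str
    groups: list[str] = field(default_factory=list)
    auth_method: str = "saml"


def strip_client_sso_headers(inbound: dict[str, str]) -> dict[str, str]:
    """Remove any SSO identity header the client itself supplied.

    SonarQube trusts these headers unconditionally once sonar.web.sso.enable=true,
    so a proxy that forwarded them from the client would let anyone pick a login.
    Header names are matched case-insensitively.
    """
    blocked = {h.lower() for h in SSO_HEADERS}
    return {k: v for k, v in inbound.items() if k.lower() not in blocked}


def build_upstream_headers(inbound: dict[str, str], identity: Identity) -> dict[str, str]:
    """Headers to send to SonarQube: the client's headers minus the spoofable
    ones, plus the identity the proxy established."""
    upstream = strip_client_sso_headers(inbound)
    upstream["X-Forwarded-Login"] = identity.login
    upstream["X-Forwarded-Name"] = identity.name
    upstream["X-Forwarded-Email"] = identity.email
    # SonarQube expects a comma-separated group list.
    upstream["X-Forwarded-Groups"] = ",".join(identity.groups)
    return upstream


def audit_record(identity: Identity, method: str, path: str, now=None) -> dict:
    """One access-log entry with IdP context (step 5: monitor and audit)."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {"ts": ts, "login": identity.login, "auth_method": identity.auth_method,
            "groups": list(identity.groups), "method": method, "path": path}


if __name__ == "__main__":
    # Constructed sample: a browser request that tries to smuggle its own login.
    client_headers = {
        "Host": "sonar.example.internal",
        "Cookie": "JSESSIONID=constructed-sample",
        "x-forwarded-login": "admin",   # spoof attempt, must be dropped
    }
    who = Identity("jdoe", "Jane Doe", "jdoe@example.com", ["developers", "security"])
    print(build_upstream_headers(client_headers, who))
    print(audit_record(who, "GET", "/project/issues?id=payments"))
```

The case-insensitive match matters: HTTP header names are not case-sensitive, so a filter that only removes the exact spelling `X-Forwarded-Login` would still forward `x-forwarded-login` from the client. Keeping SonarQube bound to localhost (step 1) is what makes this stripping sufficient; if SonarQube were reachable directly, the headers could be set without going through the proxy at all.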

Benefits of Securing SonarQube with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of SonarQube.

Protect Your Vulnerability Map

Only authenticated, authorized users can see your code's security vulnerabilities. Attackers can't use SonarQube as a recon tool.

Zero unauthorized vulnerability access

SSO for SonarQube Community

OnePAM provides SAML/OIDC SSO for SonarQube Community Edition — no need for Developer or Enterprise Edition licensing.

Enterprise SSO for free SonarQube

Shield from SonarQube CVEs

Authentication bypass and RCE vulnerabilities in SonarQube cannot be exploited when OnePAM enforces identity verification.

CVEs blocked at proxy layer

Centralized Developer Identity

Developers use their corporate credentials — no separate SonarQube accounts or passwords to manage.

Zero SonarQube passwords

Audit Security Data Access

Know exactly who viewed vulnerability reports, security hotspots, and code quality data.

Complete access visibility

Automatic Group Sync

Project permissions update automatically when developers change teams in your IdP.

Zero manual permission management

SonarQube SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for SonarQube.

SAML 2.0 & OIDC SSO via SonarQube HTTP header SSO
X-Forwarded-Login/Name/Email/Groups header injection
Automatic user provisioning from IdP attributes
Group-to-project permission mapping
Session recording for security audit access
IP and geo-restriction for code analysis access
Device trust verification
API access policies and auditing
Quality gate notification policies
Multi-project access control from IdP groups

Zero-Day Protection Features

Enterprise-grade security controls that shield SonarQube from exploitation.

SonarQube isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against SonarQube authentication bypass CVEs
API endpoint filtering and rate limiting
Automatic session termination on IdP sign-out

SonarQube SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of SonarQube.

1. Development teams reviewing code quality with SSO and per-project access controls
2. Security teams accessing vulnerability dashboards with MFA and session recording
3. CI/CD pipelines using API tokens for automated scanning while web sessions require SSO
4. Compliance officers auditing code security practices with recorded sessions
5. Multi-tenant SonarQube access for separate development teams or business units
6. Protecting SonarQube instances from internet exposure while enabling remote developer access

SonarQube SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for SonarQube.

Does OnePAM work with SonarQube Community Edition?

Yes. SonarQube's HTTP header SSO feature (sonar.web.sso) is available in all editions including Community. OnePAM provides enterprise SSO without requiring SonarQube Developer or Enterprise Edition.

How does SonarQube know which user is authenticated?

OnePAM injects four HTTP headers: X-Forwarded-Login (username), X-Forwarded-Name (display name), X-Forwarded-Email (email address), and X-Forwarded-Groups (comma-separated group list). SonarQube reads these when sonar.web.sso.enable=true.

Can CI/CD scanners still authenticate via API tokens?

Yes. OnePAM supports path-based policies. The /api/ endpoints can be configured to accept SonarQube API tokens for automated scanning, while interactive browser sessions require full SSO authentication.

What about SonarQube quality gate webhooks?

Outbound webhooks from SonarQube (quality gate notifications) are not affected by OnePAM, which only controls inbound access.

Can we see who viewed specific vulnerability reports?

Yes. OnePAM logs every HTTP request with the authenticated user identity. Combined with session recording, you can track exactly who accessed which SonarQube pages and vulnerability details.

Ready to Secure SonarQube with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no SonarQube code changes required. Start your free 14-day trial today.