Version: Next

How to Protect Projects in SonarQube

This guide walks you through how to enable project permissions in SonarQube.

Note: These tasks are intended to be completed as a system integrator.

Verify Keycloak Provides Group Membership

SonarQube will automatically grant users group membership as long as Keycloak provides the group membership properly in the SAML authentication response.

  1. Log in to the Keycloak Master Realm.
  2. Switch to the SmoothGlue Realm.
  3. Go to Clients > SonarQube > Client Scopes > sonarqube-dedicated > Mappers.
  4. Make sure a mapper exists that has the following settings:
    • Name: groups
    • Mapper Type: Group List
    • Role Attribute Name: group
    • Single Role Attribute: ON
    • Full Group Path: ON

Verify Keycloak Groups Exist in SonarQube

SonarQube will automatically create users in its datastore if they do not exist, but it will not automatically create groups. Groups MUST be manually created to have users automatically placed into them at login.

For every Keycloak group you intend to use in SonarQube for access control, create a group in SonarQube:

  • The SonarQube group name must match the full group path in Keycloak exactly (for example, /SmoothGlue/admins).
  • Once the group exists, its membership is managed automatically to match the group values in the SAML responses from Keycloak.
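The two checks above (the mapper emits full group paths, and a SonarQube group exists for each of them) can be exercised offline against a captured assertion. The following is an added example, not part of this guide or of SonarQube or Keycloak: the SAML response and the SonarQube group list are constructed samples, and it covers both mapper layouts (Single Role Attribute ON gives one `group` attribute with several values; OFF gives several `group` attributes) and both Full Group Path settings, so a bare `admins` that will never match `/SmoothGlue/admins` is reported.

```python
"""Offline check of the Keycloak -> SonarQube group-mapping chain.

Constructed SAML response and SonarQube group list; nothing here is taken
from a real environment. Extracts the assertion's `group` attribute values
and reports the ones SonarQube cannot map: values that are not full group
paths, and values with no SonarQube group of exactly that name.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement as the mapper in the guide emits it:
# Full Group Path ON and Single Role Attribute ON (one Attribute, many values).
# Signature, Subject and Conditions are left out; only the mapping is checked.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="group">
        <saml:AttributeValue>/SmoothGlue/admins</saml:AttributeValue>
        <saml:AttributeValue>/SmoothGlue/developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same membership emitted with Full Group Path OFF and Single Role Attribute OFF:
# bare names, one Attribute element per group. These never match a SonarQube
# group named after the full path.
SAMPLE_RESPONSE_BARE_NAMES = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="group"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed group names as they would appear under Administration > Security > Groups.
SONARQUBE_GROUPS = {"sonar-administrators", "sonar-users", "/SmoothGlue/admins"}


def extract_saml_groups(xml_text, attribute_name="group"):
    """Return every value of the named SAML attribute, in document order.

    The stdlib parser is fine for this constructed string; a response received
    over the wire must have its signature verified first and should go through
    a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def check_group_mapping(saml_groups, sonarqube_groups):
    """Flag SAML group values SonarQube cannot place the user into.

    not_full_path: the value lacks the leading '/' that Full Group Path ON adds.
    missing_in_sonarqube: no group with exactly that name exists, so the user
    is created at login but not added to the group.
    """
    return {
        "not_full_path": [g for g in saml_groups if not g.startswith("/")],
        "missing_in_sonarqube": [g for g in saml_groups if g not in sonarqube_groups],
    }


if __name__ == "__main__":
    for label, doc in (("full paths", SAMPLE_RESPONSE), ("bare names", SAMPLE_RESPONSE_BARE_NAMES)):
        groups = extract_saml_groups(doc)
        print(label, groups, check_group_mapping(groups, SONARQUBE_GROUPS))
```

With the constructed inputs, the full-path sample reports `/SmoothGlue/developers` as missing (the group was never created in SonarQube), and the bare-name sample reports both values as not being full paths, which is the symptom you see when the mapper's Full Group Path switch is off.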

Global Permissions

Once groups are properly set up, global permission settings can be assigned.

Under Administration > Security > Global Permissions, all items should be initially unchecked to start from least-access. Then, we will re-add appropriate permissions:

  • sonar-administrators: Should be granted Administer System, Administer Quality Gates, Administer Quality Profiles, and Create Projects.
  • Any Keycloak groups that you have added as SonarQube administrators (e.g., /SmoothGlue/admins) should also be granted these same permissions.

Under Administration > Projects, the setting for Default Visibility of New Projects must be set to PRIVATE. This ensures that any newly created project starts with a locked-down permission set.

Per Project Permissions

Under Administration > Projects, we will need to go through each project, one at a time, and validate the permissions.

For every project displayed:

  1. Click the kebab menu (⋮) to open the project actions, and select Edit Permissions.
  2. Set Permissions to PRIVATE.
  3. All items should be initially unchecked to start from least-access.
  4. sonar-administrators: Should be granted Browse, Administer Issues, Administer Security Hotspots, Administer.
  5. Any Keycloak groups that you added to control access to this project should be assigned permissions commensurate with the group's requirements.
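Clicking through every project is the authoritative way to verify this, but on an instance with many projects it helps to express the Global Permissions and Per Project Permissions sections above as a least-privilege baseline and diff the current state against it. The following is an added example, not part of this guide or of SonarQube: the current state is a constructed snapshot held in plain dicts (in practice filled from the Administration pages or the Web API), and the output is the list of Web API calls that would close each gap. The endpoint and parameter names (api/permissions/add_group, api/permissions/remove_group, api/projects/update_visibility, api/projects/update_default_visibility) and the permission keys are assumed to match the SonarQube version in use; confirm them under /web_api on the instance before wiring the plan to real requests. Nothing is sent; the block only computes the plan.

```python
"""Least-privilege remediation plan for SonarQube group permissions.

Offline: takes the current state as dicts (constructed below) and returns the
Web API calls that would bring it in line with the guide. Endpoint, parameter
and permission-key names are assumptions to verify against /web_api on the
instance in use.
"""

# Web API permission keys assumed for the UI labels used in the guide.
GLOBAL_ADMIN_PERMS = {
    "admin",          # Administer System
    "gateadmin",      # Administer Quality Gates
    "profileadmin",   # Administer Quality Profiles
    "provisioning",   # Create Projects
}
PROJECT_ADMIN_PERMS = {
    "user",                  # Browse
    "issueadmin",            # Administer Issues
    "securityhotspotadmin",  # Administer Security Hotspots
    "admin",                 # Administer
}


def desired_permissions(baseline, admin_groups):
    """sonar-administrators and every listed Keycloak admin group get the
    baseline set; any group not returned here is expected to hold nothing."""
    return {g: set(baseline) for g in ["sonar-administrators", *admin_groups]}


def _params(group, perm, project_key):
    params = {"groupName": group, "permission": perm}
    if project_key:
        params["projectKey"] = project_key
    return params


def plan_group_permissions(current, desired, project_key=None):
    """Diff current vs desired {group: set(permission)} and return the
    (endpoint, params) calls that close the gap. Groups present in `current`
    but absent from `desired` are stripped to nothing, which is the
    'all items unchecked' starting point the guide asks for."""
    calls = []
    for group in sorted(set(current) | set(desired)):
        have, want = current.get(group, set()), desired.get(group, set())
        for perm in sorted(want - have):
            calls.append(("api/permissions/add_group", _params(group, perm, project_key)))
        for perm in sorted(have - want):
            calls.append(("api/permissions/remove_group", _params(group, perm, project_key)))
    return calls


def plan_visibility(projects, default_visibility):
    """Flag public projects and a non-private default for new projects."""
    calls = []
    if default_visibility != "private":
        calls.append(("api/projects/update_default_visibility", {"projectVisibility": "private"}))
    for p in projects:
        if p.get("visibility") != "private":
            calls.append(("api/projects/update_visibility", {"project": p["key"], "visibility": "private"}))
    return calls


# Constructed snapshot of an instance that has drifted from the guide.
CURRENT_GLOBAL = {
    "sonar-users": {"provisioning", "scan"},
    "sonar-administrators": {"admin", "gateadmin", "profileadmin"},
    "/SmoothGlue/admins": {"admin", "gateadmin", "profileadmin", "provisioning"},
}
CURRENT_PROJECTS = [
    {"key": "payments-api", "visibility": "public",
     "groups": {"sonar-users": {"user", "codeviewer"}, "sonar-administrators": {"admin"}}},
    {"key": "web-frontend", "visibility": "private",
     "groups": {"sonar-administrators": set(PROJECT_ADMIN_PERMS),
                "/SmoothGlue/developers": {"user", "codeviewer"}}},
]
CURRENT_DEFAULT_VISIBILITY = "public"


def build_plan(admin_groups=("/SmoothGlue/admins",), project_groups=None):
    """Full plan. `project_groups` maps a project key to the extra
    {group: perms} that project's owner requires (step 5 of the guide);
    anything not listed there is treated as drift and removed."""
    project_groups = project_groups or {}
    plan = plan_visibility(CURRENT_PROJECTS, CURRENT_DEFAULT_VISIBILITY)
    plan += plan_group_permissions(CURRENT_GLOBAL, desired_permissions(GLOBAL_ADMIN_PERMS, admin_groups))
    for p in CURRENT_PROJECTS:
        desired = desired_permissions(PROJECT_ADMIN_PERMS, [])
        desired.update({g: set(v) for g, v in project_groups.get(p["key"], {}).items()})
        plan += plan_group_permissions(p["groups"], desired, project_key=p["key"])
    return plan


if __name__ == "__main__":
    approved = {"web-frontend": {"/SmoothGlue/developers": {"user", "codeviewer"}}}
    for endpoint, params in build_plan(project_groups=approved):
        print(endpoint, params)
```

Review the printed plan before applying any of it: the `remove_group` entries are exactly the grants the guide says should not exist, and a group that legitimately needs a permission (step 5) is kept only if you pass it in `project_groups`, which keeps the approval decision explicit rather than inferred from whatever is currently granted.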