The first question to answer when setting the security strategy for SonarQube is: can anonymous users browse the SonarQube instance, or is authentication required?
To force user authentication, log in as a system administrator, go to Administration > Configuration > General Settings > Security, and set the Force user authentication property to true.
Authentication can be managed through a number of mechanisms:
Via the SonarQube built-in users/groups database
Via external identity providers such as an LDAP server (including LDAP Service of Active Directory), GitHub etc. See the Authentication & Authorization section of the Plugin Library.
Via HTTP headers: SONAR-5430 - User authentication by HTTP header
This can be enabled in sonar.properties (property sonar.web.sso.enable). Refer to your reverse proxy documentation for guidance on how to populate and forward the appropriate headers. Because SonarQube trusts whatever login the header carries, the proxy must set these headers itself and discard any copy sent by the client; a proxy that merely forwards client headers lets anyone log in as any user.
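The following script is an added example, not part of the SonarQube documentation or product. It probes a deployment where sonar.web.sso.enable is on by sending an unauthenticated request through the public proxy URL with a spoofed login header, then reads SonarQube's answer from api/users/current to tell whether the proxy passed the header through. The header name X-Forwarded-Login is SonarQube's default for sonar.web.sso.loginHeader; the host name is a placeholder.

```python
"""Check that the reverse proxy in front of SonarQube strips the SSO login header.

Added example (not SonarQube's own code). With sonar.web.sso.enable=true,
SonarQube logs in whoever is named in the header configured by
sonar.web.sso.loginHeader (default X-Forwarded-Login). If the proxy forwards
that header from the client instead of overwriting it, any client can
impersonate any user. This probe claims to be `claimed_login` with no other
credentials and classifies the response.
"""
import json
import sys
import urllib.error
import urllib.request

LOGIN_HEADER = "X-Forwarded-Login"  # must match sonar.web.sso.loginHeader


def build_probe(base_url: str, claimed_login: str) -> urllib.request.Request:
    """GET /api/users/current carrying a spoofed login header and no credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/users/current")
    req.add_header(LOGIN_HEADER, claimed_login)
    return req


def classify(status: int, body: dict, claimed_login: str) -> str:
    """Interpret SonarQube's answer to the probe.

    'spoofable': SonarQube reports us logged in as the claimed user, so the
                 proxy passed our header through. Fix the proxy configuration.
    'rejected' : 401, i.e. Force user authentication is on and no identity
                 reached SonarQube. This is the healthy answer.
    'anonymous': treated as an anonymous visitor (header dropped but anonymous
                 browsing still allowed, or SSO not enabled).
    """
    if status == 401:
        return "rejected"
    if status == 200 and body.get("isLoggedIn") and body.get("login") == claimed_login:
        return "spoofable"
    return "anonymous"


def probe(base_url: str, claimed_login: str = "admin") -> str:
    """Send the probe to a live instance and classify the result."""
    req = build_probe(base_url, claimed_login)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, json.load(resp), claimed_login)
    except urllib.error.HTTPError as err:
        return classify(err.code, {}, claimed_login)


if __name__ == "__main__":
    # Hypothetical public URL of the proxy in front of SonarQube.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://sonar.example.com"
    print(probe(url))
```

Run it against the public address of the proxy, not against SonarQube's own port: the point is to confirm that a client-supplied header never survives the hop. A result of "spoofable" means the proxy needs to unconditionally overwrite every header named by the sonar.web.sso.*Header properties.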
When you create a user in SonarQube's own database, it is considered local and will only be authenticated against SonarQube's own user/group database, never against an external tool (LDAP, Active Directory, Crowd, etc.). By default, admin is a local account.
Similarly, all non-local accounts are authenticated only against the external tool.
An Administrator can manage tokens on a user's behalf via Administration > Security > Users. From here, click in the user's Tokens column to see the user's existing tokens, and either revoke existing tokens or generate new ones. Once established, a token is the only credential needed to run an analysis. Pass it as the value to the sonar.login property.
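As an added example (not SonarQube's own code), the same token management can be done on a user's behalf through the Web API, which is what you want when rotating a CI account's credentials on a schedule. It uses the api/user_tokens/search, revoke and generate endpoints, passing `login` so that an administrator acts for another user, and sends the administrator's own token as the HTTP Basic username with an empty password, the way SonarQube accepts tokens on its API. The instance URL, user and token names are placeholders; check api/webservices on your instance if your version differs.

```python
"""Rotate a user's analysis tokens via the SonarQube Web API (added example).

Not SonarQube's own code. Endpoints used: api/user_tokens/search (GET),
api/user_tokens/revoke (POST) and api/user_tokens/generate (POST). The
administrator's token is sent as Basic-auth username with an empty password.
"""
import base64
import json
import urllib.parse
import urllib.request

SONAR_URL = "https://sonar.example.com"  # hypothetical instance


def auth_header(token: str) -> str:
    """Token as the Basic-auth username, empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def build_request(base_url, path, admin_token, params=None, method="GET"):
    """Build an authenticated request; POST params go in the form body."""
    url = base_url.rstrip("/") + "/" + path
    data = None
    if method == "POST":
        data = urllib.parse.urlencode(params or {}).encode()
    elif params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth_header(admin_token))
    return req


def call(req):
    """Send the request; revoke answers 204 with an empty body, so tolerate that."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def token_names(search_response: dict) -> list:
    """Names from a search response: {"login": ..., "userTokens": [{"name": ...}, ...]}."""
    return [t["name"] for t in search_response.get("userTokens", [])]


def rotate_tokens(base_url, admin_token, login, new_name):
    """Revoke every token the user has, then mint one new one. Returns (revoked, token)."""
    existing = token_names(call(build_request(
        base_url, "api/user_tokens/search", admin_token, {"login": login})))
    for name in existing:
        call(build_request(base_url, "api/user_tokens/revoke", admin_token,
                           {"login": login, "name": name}, "POST"))
    generated = call(build_request(base_url, "api/user_tokens/generate", admin_token,
                                   {"login": login, "name": new_name}, "POST"))
    return existing, generated["token"]


def scanner_command(token: str) -> list:
    """The token is the only credential the scanner needs: pass it as sonar.login."""
    return ["sonar-scanner", f"-Dsonar.login={token}"]


if __name__ == "__main__":
    import os
    # Hypothetical admin token from the environment; never hard-code it.
    revoked, fresh = rotate_tokens(SONAR_URL, os.environ["SONAR_ADMIN_TOKEN"], "ci-bot", "ci-2024")
    print("revoked:", revoked)
    print("run:", " ".join(scanner_command(fresh)))
```

The generated token value is returned exactly once by api/user_tokens/generate; store it in the CI system's secret store straight away, since SonarQube keeps only a hash and cannot show it again.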
Default Admin Credentials
When installing SonarQube, a default user with Administer System permission is created automatically: login admin, password admin. Change this password the first time you log in; an instance left with the default credentials gives anyone full administrative control.
I lost the admin password
If you have lost the admin password of your SonarQube instance, you can reset it by running the following SQL statement against the SonarQube database schema:
update users set crypted_password =
where login =
This resets the password to admin. The value to store in crypted_password depends on the password hashing used by your SonarQube version, so take it from the documentation matching that version. Log in and change the password immediately afterwards.