The first question that should be answered when setting the security strategy for SonarQube is: Can anonymous users browse the SonarQube instance or is authentication be required?
To force user authentication, log in as a system administrator, go to Administration > Configuration > General Settings > Security, and set the Force user authentication property to
Authentication can be managed through a number of mechanisms :
- Via the SonarQube built-in users/groups database
Via external identity providers such as an LDAP server (including LDAP Service of Active Directory), GitHub etc. See the Authentication & Authorization section of the Plugin Library.
- Via HTTP headers
When you create a user in SonarQube's own database, it is considered as local and will only be authenticated against SonarQube's own user/group database rather than against any external tool (LDAP, Active Directory, Crowd, etc.). By default
admin is a local account.
Similarly, all non-local accounts will be authenticated only against the external tool.
An Administrator can manage tokens on a user's behalf via Administration > Security > Users. From here, click in the user's Tokens column to see the user's existing tokens, and either revoke existing tokens or generate new ones. Once established, a token is the only credential needed to run an analysis. Pass it as the value to the
Default Admin Credentials
When installing SonarQube, a default user with Administer System permission is created automatically:
- Login: admin
- Password: admin
I lost the admin password
In case you lost the
admin password of your SonarQube instance, you can reset it by executing the following query:
This will reset the password to