Out of the box, SonarQube comes with a complete mechanism to manage security (authentication + authorization). Configuring security allows you to cover two main use cases:
- Secure a SonarQube instance by forcing authentication prior to accessing any page
- Make a given project invisible to anonymous users
- Restrict access to a project to a given group of users
- Restrict access to a project's source code (Code Viewer) to a given set of users
- Define who can administer a project (setting exclusion patterns, tuning plugins configuration for that project, etc.)
- Define who can administer a SonarQube instance
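As an added example (not SonarQube's own code), the following Python script maps the use cases above onto SonarQube Web API calls. It assumes the endpoints api/settings/set, api/permissions/add_group and api/permissions/remove_group of SonarQube 6.1 or later, an admin user token, and placeholder project key and group names.

```python
import base64
import json
import urllib.parse
import urllib.request

# Built-in groups: "Anyone" covers anonymous visitors too, "sonar-users" only logged-in users.
ANYONE, LOGGED_IN = "Anyone", "sonar-users"


def plan_lockdown(project_key, group, code_viewers, project_admins, instance_admins):
    """Return the ordered (endpoint, params) POST calls that implement the use cases."""
    calls = [("api/settings/set", {"key": "sonar.forceAuthentication", "value": "true"})]
    proj = {"projectKey": project_key}
    # Invisible to anonymous users and to everyone outside `group`: strip browse ("user")
    # and source ("codeviewer") access from the built-in groups before granting it back.
    for g in (ANYONE, LOGGED_IN):
        for perm in ("user", "codeviewer"):
            calls.append(("api/permissions/remove_group", {**proj, "groupName": g, "permission": perm}))
    calls.append(("api/permissions/add_group", {**proj, "groupName": group, "permission": "user"}))
    for g in code_viewers:       # Code Viewer restricted to these groups only
        calls.append(("api/permissions/add_group", {**proj, "groupName": g, "permission": "codeviewer"}))
    for g in project_admins:     # who may administer this one project
        calls.append(("api/permissions/add_group", {**proj, "groupName": g, "permission": "admin"}))
    for g in instance_admins:    # no projectKey: global permission, i.e. administer the instance
        calls.append(("api/permissions/add_group", {"groupName": g, "permission": "admin"}))
    return calls


def apply_plan(base_url, token, calls, dry_run=True):
    """POST each planned call; with dry_run=True only print what would be sent. Returns (url, params) pairs."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # user token sent as basic-auth username
    sent = []
    for endpoint, params in calls:
        url = f"{base_url.rstrip('/')}/{endpoint}"
        sent.append((url, params))
        if dry_run:
            print("POST", url, json.dumps(params))
            continue
        req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                     method="POST", headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            resp.read()  # SonarQube answers 204 on success, an HTTP error otherwise
    return sent


if __name__ == "__main__":
    # Placeholder names; replace with the real project key, groups and token.
    plan = plan_lockdown("my-project", "dev-team", ["dev-team"], ["dev-leads"], ["sonar-administrators"])
    apply_plan("http://localhost:9000", "PLACEHOLDER_TOKEN", plan)
```

Run it once with dry_run=True to review the planned changes, then set dry_run=False to apply them; removing "user" from Anyone is the step that makes the project invisible to anonymous visitors.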
Delegating Authentication and Authorization to External Systems
In order to leverage existing enterprise infrastructure, SonarQube provides the capability to delegate authentication and authorization to external systems through plugins, such as Crowd with the SonarQube Crowd Plugin. SSO is also supported through the SonarQube OpenID plugin.
Another aspect of security is the encryption of settings such as passwords. SonarQube provides a built-in mechanism to encrypt settings.