# Set up a SonarQube connector

> C1 provides identity governance and just-in-time provisioning for SonarQube. Integrate your SonarQube instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource             | Sync                                                          | Provision                                                     |
| :------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Users                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Global Permissions   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Permission Templates | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Projects             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

The SonarQube connector syncs active users, groups, global permissions (system-wide roles), permission templates (custom project-level roles), and projects with their permission assignments.

This connector supports the following provisioning operations:

* **Users**: Create new local users (with auto-generated passwords) and deprovision users via soft delete (deactivation)
* **Groups**: Add and remove users from groups
* **Global Permissions**: Assign and revoke system-wide permissions to users
* **Permission Templates**: Assign and revoke specific permissions within permission templates to users (`admin`, `user`, `codeviewer`, `issueadmin`, `securityhotspotadmin`, `scan`)
* **Projects**: Assign and revoke project-level permissions to users (`admin`, `issueadmin`, `securityhotspotadmin`, `scan`)

<Warning>
  **User deactivation warning**

  When a deactivated SonarQube user is later reactivated (via SonarQube UI or API), they lose **all** group memberships and permission assignments. They are treated as a brand-new user. Only basic identity data (login, name) is retained. Plan reactivations accordingly.
</Warning>

<Note>
  The SonarQube v2 Users API returns only active users by default; the connector does not apply an additional filter on top of that. If the API ever returns inactive users, the connector represents them with a disabled status.
</Note>

<Note>
  **Grant expansion supported.** When a group has a permission assigned via SonarQube UI (global or project-level), all members of that group automatically inherit that permission through grant expansion. Group permission assignments are read-only — they are synced but not provisioned through the connector.
</Note>

## Requirements

* **SonarQube Server 10.0+** or **SonarQube Cloud**
* A SonarQube API token generated by a user with **Administer System** global permission

<Note>
  Bearer token authentication (used by this connector) is only supported in SonarQube 10.0 and later. SonarQube Server versions prior to 10.0 are not supported.
</Note>

## Gather SonarQube credentials

Configuring the connector requires a SonarQube API token. Gather this credential before you move on.

### Generate a SonarQube API token

<Steps>
  <Step>
    Log in to your SonarQube instance with an administrator account (the account must have **Administer System** global permission).
  </Step>

  <Step>
    Click on your profile avatar in the top-right corner and navigate to **My Account** → **Security**.
  </Step>

  <Step>
    Under **Generate Tokens**, enter a token name (for example, `C1`).
  </Step>

  <Step>
    Select **User Token** as the token type.
  </Step>

  <Step>
    Click **Generate** and copy the token immediately — it will not be shown again.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the SonarQube connector

<Warning>
  **To complete this task, you'll need:**

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Your SonarQube instance URL and the API token generated above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **SonarQube** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new SonarQube connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector and click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter your SonarQube instance URL in the **SonarQube URL** field (for example, `https://sonarqube.example.com`).
      </Step>

      <Step>
        Paste the API token you generated into the **SonarQube Access Token** field.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your SonarQube connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the SonarQube connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [GitHub repository](https://github.com/conductorone/baton-sonarqube): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new SonarQube connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new SonarQube connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector and click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.
        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your SonarQube connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-sonarqube-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-sonarqube-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # SonarQube credentials
      BATON_SONARQUBE_URL: <SonarQube instance URL, e.g. https://sonarqube.example.com>
      BATON_SONARQUBE_ACCESS_TOKEN: <SonarQube API token>

      # Optional: include if you want C1 to provision access using this connector
      # (quoted because stringData values must be strings, not YAML booleans)
      BATON_PROVISIONING: "true"
    ```

    See the connector's [README](https://github.com/conductorone/baton-sonarqube) or run the connector with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-sonarqube.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-sonarqube
      labels:
        app: baton-sonarqube
    spec:
      selector:
        matchLabels:
          app: baton-sonarqube
      template:
        metadata:
          labels:
            app: baton-sonarqube
            # Label values must be strings, so the boolean is quoted
            baton: "true"
            baton-app: sonarqube
        spec:
          containers:
          - name: baton-sonarqube
            # :latest with Always pulls whatever is current at each pod start;
            # pin a release tag or image digest if you need reproducible deployments
            image: ghcr.io/conductorone/baton-sonarqube:latest
            imagePullPolicy: Always
            env:
            - name: BATON_HOST_ID
              value: baton-sonarqube
            # Injects every key of the Secret as an environment variable
            envFrom:
            - secretRef:
                name: baton-sonarqube-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the SonarQube connector to. SonarQube data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your SonarQube connector is now pulling access data into C1.
  </Tab>
</Tabs>
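
Step 3 of the self-hosted setup as a script, added here as an example (it is not from the connector's repository): it refuses to apply a secrets manifest that still contains `<...>` placeholders, creates the namespace idempotently, applies both manifests from Step 2, and waits for the rollout. The namespace name `c1-connectors` and the `KUBECTL` override variable are assumptions.

```shell
#!/bin/sh
# Added example: deploy the Step 2 manifests into a dedicated namespace.
# Usage (namespace name is an assumed example):
#   deploy_connector c1-connectors baton-sonarqube-secrets.yaml baton-sonarqube.yaml
# KUBECTL is a hypothetical override, useful for pointing at a wrapper or stub.
KUBECTL="${KUBECTL:-kubectl}"

# Return 1 if the manifest still has an unfilled "<...>" placeholder value.
# Only the placeholder lines are printed, never a real credential.
check_placeholders() {
    if grep -nE ':[[:space:]]*<[^>]*>[[:space:]]*$' "$1" >&2; then
        echo "error: unfilled placeholder(s) in $1" >&2
        return 1
    fi
}

deploy_connector() {
    ns="$1"; secrets="$2"; deployment="$3"

    for f in "$secrets" "$deployment"; do
        [ -r "$f" ] || { echo "error: cannot read $f" >&2; return 1; }
    done
    check_placeholders "$secrets" || return 1

    # Idempotent namespace creation: render client-side, then apply.
    $KUBECTL create namespace "$ns" --dry-run=client -o yaml \
        | $KUBECTL apply -f - || return 1

    # Secret first, so the Deployment's envFrom reference resolves on first start.
    $KUBECTL apply -n "$ns" -f "$secrets" || return 1
    $KUBECTL apply -n "$ns" -f "$deployment" || return 1

    # Wait for the pod, so a bad image or missing Secret surfaces here
    # rather than as a connector that never leaves "Syncing" in C1.
    $KUBECTL rollout status -n "$ns" deployment/baton-sonarqube --timeout=120s
}
```

The secrets manifest holds the C1 client secret and the SonarQube token in plaintext, so keep it out of version control and remove it from disk once the Secret has been applied.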

## Known limitations

### Project permissions

The connector supports 4 project-level permissions for provisioning: `admin`, `issueadmin`, `securityhotspotadmin`, and `scan`. The `user` (Browse) and `codeviewer` (See Source Code) permissions are **not supported** for provisioning because:

* For **public projects**: These permissions are implicit — all users automatically have access.
* For **private projects**: Access is controlled by project visibility settings.

Note that `user` and `codeviewer` **are** provisionable at the permission template level. Permission templates apply these permissions to projects when the template is associated with a project, rather than assigning them to individual projects directly.

### SAML and federated users

SAML and federated users are synced as read-only. Group memberships and global permissions can be assigned to these users, but the connector cannot create or delete federated user accounts.

### Password generation

When creating new local users, the connector generates a random password with a minimum length of 12 characters (longer if the configured credential policy requires it). The password may include special characters. Instruct new users to reset their password on first login.
