Sonarqube

Bearer auth:

curl -sSf -H "Authorization: Bearer $SONAR_TOKEN" \
  "$SONAR_HOST_URL/api/authentication/validate"

Basic auth:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/authentication/validate"

Common API calls

Issues for a PR (SonarCloud):

SONAR_HOST_URL=${SONAR_HOST_URL:-https://sonarcloud.io}
curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&pullRequest=<pr>&statuses=OPEN,CONFIRMED"

If the API returns 400, retry without statuses and ensure the organization parameter is set:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&pullRequest=<pr>"

Issues for a branch:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&branch=<branch>&statuses=OPEN,CONFIRMED"

Leak-period filter (may require a component key; remove if it 400s):

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&componentKeys=<componentKey>&sinceLeakPeriod=true"

Quality gate status:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/qualitygates/project_status?organization=<org>&projectKey=<projectKey>&pullRequest=<pr>"

Issue details (SonarCloud may 404 on issues/show; use search by issue key):

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&issues=<issueKey>"

Mapping issues to files

• component fields are typically org_projectKey:path/to/file.
• Strip the project prefix to map to local paths, then jump to line.

Quick jq view:

jq -r '.issues[] | {key,rule,severity,type,component,line,message} | @json'

Troubleshooting

• 401/403: token missing or insufficient permissions (needs Browse access to the project/org).
• 400: remove optional query params or confirm organization and projectKeys values; sinceLeakPeriod can require componentKeys.
• Empty results: ensure the PR/branch has a completed Sonar analysis run.