You can find out more about our SonarQube plugin in our blog post.


The RIPS SonarQube plugin lets you run scans from SonarQube and imports issues from the corresponding RIPS scans to SonarQube.

To use the RIPS SonarQube plugin within Java or PHP projects, you have to install the associated SonarQube default plugin for the language.

Differences from SonarPHP/Java/JavaScript

SonarPHP/Java/JavaScript does not perform real security analysis; it only reports signature matches when suspicious PHP/Java/JavaScript features such as "eval()" are used in your code (see SonarPHP Rules/SonarJava Rules/SonarJavaScript Rules). It does not analyze the data flow of user input into this eval() statement and thus cannot decide whether it is an exploitable vulnerability for an attacker who can modify the PHP/Java/JavaScript code that is evaluated, or simply a bad coding practice in which static PHP/Java code is evaluated. Hence, SonarPHP/Java/JavaScript cannot report real security issues such as Cross-Site Scripting, SQL injection or any other OWASP Top 10 issues.

You can find more information on how this pattern matching approach compares to our static code analysis approach in our blog post.
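To make the distinction concrete, here is an added example (not code from the plugin or this page) that runs both approaches over a small constructed PHP-like sample: a signature matcher that flags every eval(), and a minimal intra-procedural taint tracker that reports eval() only when its argument is derived from a request superglobal. The source list and the simplified one-statement-per-line grammar are assumptions of the example.

```python
import re

# Constructed PHP-like sample (not from the page): one eval() of a static
# string and one eval() whose argument is built from a request parameter.
SAMPLE = """\
$cfg = 'return 1;';
eval($cfg);
$expr = $_GET['expr'];
$code = 'return ' . $expr . ';';
eval($code);
"""

# Assumed taint sources (request superglobals) and statement patterns.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
ASSIGN = re.compile(r"\s*(\$\w+)\s*=\s*(.*);\s*$")
EVAL = re.compile(r"\s*eval\s*\((.*)\)\s*;\s*$")

def signature_scan(src):
    """Pattern matching: every line calling eval() is a hit, whether the
    evaluated code is static or user-controlled."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if re.search(r"\beval\s*\(", line)]

def _uses_tainted(expr, tainted):
    """True if the expression reads a request superglobal or a variable
    already marked as tainted."""
    return (any(s in expr for s in SOURCES)
            or any(v in tainted for v in re.findall(r"\$\w+", expr)))

def taint_scan(src):
    """Data flow: track which variables derive from user input and report
    eval() only when its argument is one of them."""
    tainted, findings = set(), []
    for n, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if _uses_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # clean reassignment clears the taint
            continue
        m = EVAL.match(line)
        if m and _uses_tainted(m.group(1), tainted):
            findings.append(n)
    return findings
```

On the sample, the signature scan reports lines 2 and 5 while the taint scan reports only line 5, which is the difference the section describes.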

SonarQube Setup

  1. Download and install Java 8 JRE.
  2. Download and install SonarQube. The plugin was developed for SonarQube version 6.7.1 and should work on newer versions. Older versions are currently not supported, although you are free to try them.
  3. Install the SonarPHP/Java/JavaScript plugin.

Please refer to the SonarQube documentation for more details concerning SonarQube itself:

To control access to scanning and, among other things, to this plugin within SonarQube, please refer to the corresponding pages in the SonarQube documentation:


Plugin   SonarQube   RIPS API   Download
2.6.0    7.9.x       3.x        Link

RIPS Plugin Setup

The RIPS plugin for SonarQube is currently not in the SonarQube plugin repository. Hence, at the time being, you will need to install it manually:

  1. Obtain the RIPS plugin file (see table above).
  2. Move the plugin file to <your SonarQube install directory>/extensions/plugins/.
  3. Restart SonarQube.
  4. You may have to activate the RIPSQube quality profile for projects to start using the plugin. See the image below for details: simply click on the marked interface elements in the order specified:

Note that you can also associate the quality profile with projects by selecting the quality profile in the project directly. Please refer to the SonarQube documentation for details if you prefer to do it this way. Also see section 'Scan Configuration'.

Alternatively you can also select the RIPS profile as default or add RIPS rules to another PHP profile of your choice.

Plugin Configuration

You can change the general plugin settings in Administration: open the Configuration tab and select RIPS on the left side of the screen.

Configuration Parameters

  • Base URL: the API base URL of the RIPS instance you are going to use.
  • E-Mail: the user account, used if none is specified by the scanner client itself.
  • Password: the password of the user account, used if none is specified by the scanner client itself.
  • UI URL: the UI base URL of the RIPS instance you are going to use.

Scan Configuration

In order to scan a project with RIPS you will need to add some configuration parameters to your file. The following parameters are available:

  • ripsqube.username (required): Your RIPS user account email.
  • ripsqube.password (required): Your RIPS user account password.
  • ripsqube.baseUrl (optional): Use this field to overwrite the default API URL for this project only.
  • ripsqube.applicationId (optional): The RIPS application ID with which to associate this SonarQube project (note: the application must exist and is not automatically created).
  • ripsqube.applicationName (optional): If no applicationId is given, the integration will use an existing application associated with this name. If no such application exists, it will be created and the best matching quota will be chosen. The VersionPattern variables can be used here too.
    • If no applicationName is set, the plugin will fall back to the property sonar.projectName first and then to sonar.projectKey.
  • ripsqube.blocker (optional): Custom threshold for blocker vulnerabilities.
  • ripsqube.critical (optional): Custom threshold for critical vulnerabilities.
  • ripsqube.major (optional): Custom threshold for major vulnerabilities.
  • ripsqube.analysisDepth (optional): Overwrite default analysis depth (5).
  • ripsqube.profileId (optional): Overwrite default analysis profile.
  • ripsqube.scanTimeout (optional): Overwrite default scan timeout (5) in hours.
  • ripsqube.versionPattern (optional): Default value "{isoDateTime}".
  • ripsqube.projectSensor (optional): If true, runs the sensor only once at project level; if false, runs it for each module. Defaults to false.

The codeStored and uploadRemoved options should be configured in the analysis profile that is used.
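The parameter defaults and the applicationName fallback chain above are easy to get wrong when several projects share a scanner setup, so here is an added example (not the plugin's own code) that parses a scanner properties text, checks the two required parameters, merges the documented defaults, resolves applicationName from sonar.projectName or sonar.projectKey, and expands the {isoDateTime} variable that the page names. The properties-file format and the sample project values are assumptions; the page does not name the file.

```python
from datetime import datetime, timezone

# Defaults and fallback rules as stated for the ripsqube.* parameters above.
DEFAULTS = {
    "ripsqube.analysisDepth": "5",
    "ripsqube.scanTimeout": "5",
    "ripsqube.versionPattern": "{isoDateTime}",
    "ripsqube.projectSensor": "false",
}
REQUIRED = ("ripsqube.username", "ripsqube.password")

# Constructed sample of a scanner properties file (not a real project).
SAMPLE_PROPERTIES = """\
sonar.projectKey=shop-backend
sonar.projectName=Shop Backend
ripsqube.username=scanner@example.com
ripsqube.password=CONSTRUCTED-PLACEHOLDER
ripsqube.analysisDepth=7
"""

def parse_properties(text):
    """Parse a minimal Java-style key=value properties text."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def missing_required(props):
    """Return the required ripsqube.* keys that are absent or empty."""
    return [k for k in REQUIRED if not props.get(k)]

def resolve_scan_config(props, iso_date_time=None):
    """Merge the defaults, apply the applicationName fallback chain
    (applicationName -> sonar.projectName -> sonar.projectKey) and expand
    the {isoDateTime} variable in the version pattern and application name."""
    missing = missing_required(props)
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in props.items() if k.startswith("ripsqube.")})
    if not cfg.get("ripsqube.applicationId") and not cfg.get("ripsqube.applicationName"):
        cfg["ripsqube.applicationName"] = props.get("sonar.projectName") or props.get("sonar.projectKey")
    stamp = iso_date_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    for key in ("ripsqube.versionPattern", "ripsqube.applicationName"):
        cfg[key] = (cfg[key] or "").replace("{isoDateTime}", stamp)  # expanded in place
    return cfg
```

Because ripsqube.username and ripsqube.password are required, supplying them as -D properties on the scanner command line from a secrets store, rather than committing them to the file, keeps the RIPS credentials out of version control.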

Version Pattern

The following variables can be used in the version pattern:

  • Insert timestamp of the scan starting time.
  • Insert "SonarQube".
  • Insert current build number.
  • Insert module key.
  • Insert name of current branch. (SonarQube Developer Edition required)

Viewing Scan Results

The scan results can be viewed together with all other project issues in the SonarQube web interface. All issues created by RIPS are reported as vulnerabilities and are tagged with the rips tag.

Not sure how to start a scan? The SonarQube documentation also provides helpful information on this topic:


Also see our blog post about the RIPS SonarQube PHP plugin: