SonarQube default credentials
Description
The SonarQube instance is configured with default administrative credentials that have not been changed from their factory settings. SonarQube ships with a default administrator account whose username is admin and whose password is admin. These credentials are publicly documented and widely known, making them a common target for attackers. Leaving them unchanged exposes the SonarQube instance to unauthorized administrative access.
Remediation
Immediately change the default administrative credentials for SonarQube. Follow these steps:
1. Log in to the SonarQube web interface using the default credentials (username: admin, password: admin)
2. Navigate to Administration > Security > Users
3. Click on the settings icon next to the admin user and select Change password
4. Set a strong, unique password that meets complexity requirements (minimum 12 characters with uppercase, lowercase, numbers, and special characters)
5. Consider implementing additional security measures such as enabling LDAP/SAML authentication, enforcing multi-factor authentication, and applying the principle of least privilege by creating role-based accounts instead of using the admin account for daily operations
6. Regularly audit user accounts and remove any unused or unnecessary administrative accounts
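As an added example (not from the advisory or from SonarSource), the script below automates steps 1 and 4 against your own instance: it checks whether the admin account still accepts the factory password and, if so, rotates it to a generated password that satisfies the complexity requirements in step 4. It assumes the instance URL in SONAR_URL, that POST /api/users/change_password accepts the form fields login, previousPassword and password, and that GET /api/authentication/validate answers {"valid": bool} for basic-auth credentials.

```python
import base64, json, secrets, string
import urllib.error, urllib.parse, urllib.request

SONAR_URL = "http://localhost:9000"                  # assumed: the instance under audit
DEFAULT_LOGIN, DEFAULT_PASSWORD = "admin", "admin"  # factory credentials named in the advisory
SPECIALS = "!#$%&*+-=?@^_~"

def meets_policy(pw, min_len=12):
    """Remediation step 4: at least 12 chars with upper, lower, digit and special."""
    return (len(pw) >= min_len and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))

def generate_password(length=20):
    """Draw from the CSPRNG until the candidate satisfies meets_policy()."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw

def basic_auth(login, password):
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()

def build_change_request(base_url, login, old_pw, new_pw):
    """POST /api/users/change_password (assumed endpoint), authenticated as the account being rotated."""
    body = urllib.parse.urlencode({"login": login, "previousPassword": old_pw, "password": new_pw})
    req = urllib.request.Request(base_url.rstrip("/") + "/api/users/change_password",
                                 data=body.encode(), method="POST")
    req.add_header("Authorization", basic_auth(login, old_pw))
    return req

def default_credentials_active(base_url):
    """True while admin/admin still authenticates (the finding itself).
    Assumes GET /api/authentication/validate answers {"valid": bool}."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/authentication/validate")
    req.add_header("Authorization", basic_auth(DEFAULT_LOGIN, DEFAULT_PASSWORD))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("valid") is True
    except urllib.error.HTTPError as err:
        if err.code == 401:          # a 401 also means the factory password is gone
            return False
        raise

if __name__ == "__main__" and default_credentials_active(SONAR_URL):
    new_pw = generate_password()
    req = build_change_request(SONAR_URL, DEFAULT_LOGIN, DEFAULT_PASSWORD, new_pw)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("rotated admin password, HTTP", resp.status)  # hand new_pw to your secrets manager
```

Run it once after deployment and again from a scheduled audit job; a result of "nothing rotated" on every run is the state you want, and any rotation it performs should be logged as a finding.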