Hello! Could someone confirm my understanding of the SonarQube API import via adding an API scan configuration? I have read that there is a sync every 3 hours. Is that sync for the automatic pull of the SQ issues into DefectDojo? Like if a new SQ scan is performed in my project, will DD automatically see it and import it?
There is no automation on the DD side, but you should be able to quite easily trigger DD to import the findings from SQ on a schedule via the DD REST API.
Do you know what the delta of 3 hours here https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/settings.dist.py#L913 is meant for? It refers to https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/tool_issue_updater.py and when I looked at it I had the impression that there was some form of automatic sync from DD? At least for the findings already imported, maybe the status is updated? Maybe I got that wrong... So basically you are saying, I add a task in my pipeline via the /import endpoint with scan type=SonarQube API Import, right after my SonarQube scan tasks, and that's it?
Almost forgot about that one, but that 3h job only syncs status. It doesn't import new findings.

*3-hour sync = status updates only, NOT new finding import*

The `update_findings_from_source_issues` task runs every 3h and:
• Grabs all DD findings already linked to a SonarQube issue
• Calls the SQ API to check the current status (OPEN/FIXED/FALSE-POSITIVE/WONTFIX)
• Updates the DD finding status to match

New SQ scan → new issues → DD does *not* automatically pull them in.

*Your pipeline plan is correct:* After each SQ scan, call `POST /api/v2/import-scan/` with `scan_type=SonarQube API Import`. Once imported, those findings get a SonarQube issue link → from then on their status auto-syncs every 3h (e.g. someone marks a false positive in SQ → DD reflects it).

*Tip:* Use `/reimport-scan/` instead of `/import-scan/` for recurring pipelines — it also closes DD findings that are no longer present in the latest SQ scan.
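As an added example (not code from this thread or from the DefectDojo project), here is a small pipeline step that builds and sends the `POST /api/v2/reimport-scan/` request described above with `scan_type=SonarQube API Import`. It assumes a DefectDojo API token, an existing engagement id, and the id of the product's API Scan Configuration that points at the SonarQube project; the `DD_URL`, `DD_TOKEN`, `DD_ENGAGEMENT_ID` and `DD_API_SCAN_CONFIG_ID` environment variable names are this example's own choice. Field names such as `api_scan_configuration`, `branch_tag` and `close_old_findings` are the reimport endpoint's form fields; only the standard library is used.

```python
"""CI step: ask DefectDojo to (re)import findings straight from SonarQube.

Added example, not DefectDojo's own code. Assumed inputs (environment variables
chosen for this example): DD_URL, DD_TOKEN, DD_ENGAGEMENT_ID, DD_API_SCAN_CONFIG_ID,
and optionally DD_BRANCH_TAG for a non-default SonarQube branch.
"""
import json
import os
import urllib.request
import uuid

REIMPORT_PATH = "/api/v2/reimport-scan/"


def build_reimport_fields(engagement_id, api_scan_config_id, branch_tag=None,
                          test_title="SonarQube", close_old_findings=True):
    """Form fields for a SonarQube API Import.

    No file is uploaded: DefectDojo pulls the issues itself through the
    API Scan Configuration referenced by `api_scan_configuration`.
    close_old_findings=True is what makes /reimport-scan/ close DD findings
    that are no longer present in the latest SonarQube results.
    """
    fields = {
        "scan_type": "SonarQube API Import",
        "engagement": str(engagement_id),
        "api_scan_configuration": str(api_scan_config_id),
        "test_title": test_title,
        "close_old_findings": "true" if close_old_findings else "false",
        "active": "true",
        "verified": "false",
    }
    if branch_tag:
        # Scope the import to a specific SonarQube branch instead of the main one.
        fields["branch_tag"] = branch_tag
    return fields


def encode_multipart(fields, boundary):
    """Encode plain text fields as multipart/form-data (what the endpoint expects)."""
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return "\r\n".join(lines).encode("utf-8")


def build_reimport_request(base_url, token, fields):
    """Return the prepared urllib Request (not yet sent) for /api/v2/reimport-scan/."""
    boundary = uuid.uuid4().hex
    return urllib.request.Request(
        base_url.rstrip("/") + REIMPORT_PATH,
        data=encode_multipart(fields, boundary),
        method="POST",
        headers={
            # DefectDojo API v2 uses token authentication.
            "Authorization": f"Token {token}",
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
    )


def send_reimport(request, timeout=60):
    """Send the request and return the decoded JSON body (contains the new test id)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    fields = build_reimport_fields(
        os.environ["DD_ENGAGEMENT_ID"],
        os.environ["DD_API_SCAN_CONFIG_ID"],
        branch_tag=os.environ.get("DD_BRANCH_TAG"),
    )
    req = build_reimport_request(os.environ["DD_URL"], os.environ["DD_TOKEN"], fields)
    print(json.dumps(send_reimport(req), indent=2))
```

Run it as the pipeline job right after the SonarQube analysis has finished publishing; on success the response carries the id of the DefectDojo test the findings were attached to, and from that point the 3h status sync applies to them.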
Wow, awesome, thank you for the explanation! I did some testing and found out that when I import using `scan_type=SonarQube API Import` and a specific branch for branch_tag (other than the principal branch on the SQ project), the hotspot's permalink is broken when I click on it (it's fine for the issues). Do you think I should open an issue for this? I feel like just adding branch=mybranch in the hotspot URL could fix that (it does in my browser)...
Are you able to test that suggestion and create a PR? We have no access to SonarQube to test this ourselves.

