The first question that should be answered when setting the security strategy for SonarQube is: Can anonymous users browse the SonarQube instance or is authentication be required? 

To force user authentication, log in as a system administrator, go to Administration > Configuration > General Settings > Security, and set the Force user authentication property to true. To allow users to sign up for a SonarQube account, set the Allow users to sign up property to true. 

Authentication Mechanisms

Authentication can be managed through a number of mechanisms :

• Via the SonarQube built-in users/groups database

• Via external identity providers such as an LDAP server (including LDAP Service of Active Directory), GitHub etc. See the Authentication & Authorization section of the Plugin Library.

• Via HTTP headers: SONAR-5430 - User authentication by HTTP headerCLOSED
  This can be enabled in sonar.properties (property sonar.sso.enable). Refer to your Reverse Proxy documentation for guidance on how to feed and forward the appropriate headers accordingly.

Technical Users

When you create a user in SonarQube's own database, it is considered as local and will only be authenticated against SonarQube's own user/group database rather than against any external tool (LDAP, Active Directory, Crowd, etc.). By default admin is a local account.

Similarly, all non-local accounts will be authenticated only against the external tool. 

An Administrator can manage tokens on a user's behalf via Administration > Security > Users. From here, click in the user's Tokens column to see the user's existing tokens, and either revoke existing tokens or generate new ones. Once established, a token is the only credential needed to run an analysis. Pass it as the value to the sonar.login property.

Default Admin Credentials

When installing SonarQube, a default user with Administer System permission is created automatically:

• Login: admin
• Password: admin

FAQ

I lost the admin password

In case you lost the admin password of your SonarQube instance, you can reset it by executing the following query:

update users set crypted_password = '88c991e39bb88b94178123a849606905ebf440f5', salt='6522f3c5007ae910ad690bb1bdbf264a34884c6d' where login = 'admin'

This will reset the password to admin.