Modify Sonarqube token and add outbound connection details

jeff-schnitter · web-flow · commit 1252a92a67f3 · 2026-02-03T16:20:17.000-08:00
Updated Sonarqube token variable and added outbound connection requirements.
diff --git a/README.relay.md b/README.relay.md
@@ -80,7 +80,7 @@ Generally the naming works like:
 | **GitHub App**        | Arg `-s app`, `GITHUB=https://github.com`, `GITHUB_API=https://api.github.com`, `GITHUB_GRAPHQL=https://api.github.com/graphql`, `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_PEM` (either path to PEM or PEM contents), `GITHUB_INSTALLATION_ID` |
 | **Prometheus**        | `PROMETHEUS_API=http://mycompany.prometheus.internal`, `PROMETHEUS_USERNAME`, `PROMETHEUS_PASSWORD`                                                                                                                                             |
 | **Gitlab**            | `GITLAB_API=https://gitlab.com`, `GITLAB_TOKEN`                                                                                                                                                                                                 |
-| **Sonarqube**         | `SONARQUBE_API=https://sonarqube.mycompany.com`, `SONARQUBE_TOKEN`                                                                                                                                                                              |
+| **Sonarqube**         | `SONARQUBE_API=https://sonarqube.mycompany.com`, `SONAR_TOKEN`                                                                                                                                                                              |
 | **Bitbucket Cloud**   | `BITBUCKET_API=https://api.bitbucket.org`, `BITBUCKET_TOKEN`                                                                                                                                                                                    |
 | **Bitbucket Hosted**  | `BITBUCKET_API=https://bitbucket.mycompany.com`, `BITBUCKET_USERNAME`, `BITBUCKET_PASSWORD`                                                                                                                                                     |
 | **Jira**              | `JIRA_API=https://jira.mycompany.com`, `JIRA_USERNAME`, `JIRA_TOKEN`                                                                                                                                                                            |
@@ -112,12 +112,12 @@ graph TD
     CortexService -->|Github API Calls|SnykBrokerServer
 
     subgraph Cortex-Cloud
-        CortexService        
-        SnykBrokerServer
+        CortexService["CortexService<br/>api.getcortexapp.com"]           
+        SnykBrokerServer["SnykBrokerServer<br/>relay.cortex.io"]
     end
 
     subgraph Customer-Network
-        subgraph CortexAxonAgent
+        subgraph CortexAxonAgent["CortexAxonAgent - ghcr.io"]
             SnykBrokerClient
         end
         InternalGithub
@@ -158,6 +158,18 @@ proxy:
   certSecretName: my-proxy-ca-pem # name of the secret containing a .pem file with the CA certificate
 ```
 
+## Required Outbound Connections
+
+  You must allow outbound HTTPS (port 443) to:
+
+  | Endpoint | Purpose |
+  |----------|---------|
+  | `api.getcortexapp.com` | CortexService - Agent registration and API calls |
+  | `relay.cortex.io` | SnykBrokerServer - WebSocket tunnel for relayed requests |
+  | `ghcr.io` | GitHub Container Registry (for pulling the agent image) |
+
+  No inbound firewall ports need to be opened - the agent initiates all outbound connections.
+
 ## Understanding the Agent configuration
 
 Agent configuration is driven with an `accept.json` file which defines which outbound routes the agent can call in your environment.  There are built-in files for all of the supported integrations [here](agent/server/snykbroker/accept_files), but these files are not special, you can always create your own file and pass it with the `-f` flag, for example:
@@ -256,4 +268,4 @@ Which requires:
 1. Setting the `PLUGIN_DIRS` environment variable to a directory that contains your plugin files, such as `/plugins`
 2. Creating an executable file in that directory `my-plugin`.  For each invocation of an outbound request, this plugin will be executed and its `stdout` will be used as the value for the header `my-custom-header-plugin`.
 
-Currently plugins are ONLY supported for `headers`.
+Currently plugins are ONLY supported for `headers`.
