SonarQube Error: Invalid URL: loopback and wildcard addresses are not allowed for webhooks


To setup the context, let us consider a scenario where we have a Sonar Analysis being performed by SonarQube which has been triggered by a CI tool like Jenkins. To enable the result of the analysis performed in SonarQube to be passed back to Jenkins, we want to setup a webhook in SonarQube and provide the URL of the Jenkins server in the webhook followed by /sonarqube-webhook

But as we try to setup the URL in SonarQube, we get the error “Invalid URL: loopback and wildcard addresses are not allowed for webhooks”. Let us understand what this message means and it’ resolution.

Learn more about SonarQube:

👉 Guide to configure a webhook in SonarQube

👉 How to handle inprogress status for SonarQube Quality gate

👉 To read other posts regarding SonarQube Click here

What is a loopback and wildcard address

The loopback address means that any attempt to access this address will route to the same host computer. The most common IP addresses used on the loopback network are for IPv4 and ::1 for IPv6. We use a common domain name of localhost for these loopback addresses. The local addresses cannot be used in a webhook by default. Though they used to be allowed in the earlier versions of SonarQube by default. As mentioned in the tool, they are not allowed to prevent exposing the instance to security risks. 

In the case of wildcard address, it uses wilcard masks to allow or deny access to all the traffic from a network IP address.

While these are useful concepts, however, SonarQube does not allow these addresses to be used in the webhook URL by default.


The solution is to use private or public ip or use a DNS service to use a hostname. 

Webhook in SonarQube

In case, you are in the testing stage and want to be able to use local addresses for your testing, you can use the following option to use the local addresses by temporarily disabling the default option as shown below. Do not forget to reset the option once done with testing on local system. Goto Administration — > Configurations — >  Security

Security Configuration

In Security section, look for the option that says Enable local webhooks validation. This is enabled by default. You just need to disable it. You can enable it again once you are done with your testing.

Let us know if you found this post helpful.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *