The ICTU SonarQube container image does not implement any hardening of its own, but relies on the upstream SonarQube container image. To stay up to date, monitor SonarQube security findings and update accordingly.
Only the latest version of the ICTU SonarQube container image is currently supported with security updates. The intention is to keep the container image based on a recent SonarQube version; there is no incentive to patch older tags.
You can privately report a vulnerability issue in this repository's issue tracker. The aim is to get back to you within 24 hours, with a confirmation of the issue and a brief action plan or a request for more information.