# SonarQube Token

## Description
### General

- Documentation: https://docs.sonarqube.org/latest/extend/web-api/
- Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting the old token format (which is scope-agnostic) and the new prefixed user, global analysis and project analysis tokens used to authenticate API calls.
- IPs allowlist: This feature is not supported for SaaS instances. Note that SonarQube can be self-hosted, in which case IP allowlisting can be enforced directly on the machine concerned.
- Scopes: Permissions associated with a SonarQube token depend on the type of token:
  - User Tokens: These tokens can be used to run analysis and to invoke web services, based on the token author's permissions.
  - Project Analysis Tokens: These tokens can be used to run analysis on a specific project.
  - Global Analysis Tokens: These tokens can be used to run analysis on every project.
### Revoke the secret

Tokens can be revoked from the Security tab of the account. For on-premise instances of SonarQube, go to User > My Account > Security and click on the Revoke button.
### Check for suspicious activity

No extensive logs are provided on the SaaS version of SonarQube. However, the "last used" date of each token is available and can give insight into suspicious activity.
## Sonarqube token

### Details

- Family: Api
- Category: Code analysis
- Company: SonarQube
- High recall: False
- Validity check available: False
- Minimum number of matches: 1
- Occurrences found for one million commits: 37.98
- Prefixed: False

### PreValidators

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - sonar
```
### Examples

```yaml
- text: >
    SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
  apikey: 1542358aa32f15c30ac609ec22f77835e047d162
```
## Sonarqube token prefixed

### Details

- Family: Api
- Category: Code analysis
- Company: SonarQube
- High recall: False
- Validity check available: False
- Minimum number of matches: 1
- Occurrences found for one million commits: 124.2
- Prefixed: False

### PreValidators

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - sq[uap]_
```
### Examples

```yaml
- text: >
    sonar.login=sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd
  apikey: sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd
- text: >
    sonar.login=squ_9a88f6493075e010f74cbdabeb24fe8c68fab6bc
  apikey: squ_9a88f6493075e010f74cbdabeb24fe8c68fab6bc
```
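The two detectors above, as an added Python example that is not GitGuardian's own code: it applies the filename banlist and content whitelist prevalidators described on this page, then matches the legacy 40-hex token (only when a "sonar" context word is present) and the `sq[uap]_` prefixed tokens. The 40-hex length of the prefixed tokens is taken from the page's examples, the prefix-to-type mapping (squ_ user, sqp_ project analysis, sqa_ global analysis) follows SonarQube's own convention, and the banned-extension list is an illustrative subset, not the real default banlist.

```python
import re
from typing import Dict, List

# Legacy, scope-agnostic token: 40 lowercase hex characters. The negative
# lookbehinds stop it from re-matching the hex tail of a prefixed token.
LEGACY_TOKEN = re.compile(r"(?<![0-9a-fA-F])(?<!sq[uap]_)([0-9a-f]{40})(?![0-9a-fA-F])")
# Prefixed token: sq[uap]_ plus 40 hex characters (length assumed from the page's examples).
PREFIXED_TOKEN = re.compile(r"\b(sq[uap]_[0-9a-f]{40})\b")

# Prefix to token type, following SonarQube's prefixing convention (assumed here).
PREFIX_TYPES = {"squ_": "user", "sqp_": "project analysis", "sqa_": "global analysis"}

# Illustrative subset of what ban_markup plus the default extension banlist would skip.
BANNED_EXTENSIONS = {".html", ".htm", ".xml", ".svg", ".png", ".jpg", ".pdf"}


def filename_allowed(filename: str) -> bool:
    """FilenameBanlistPreValidator: drop markup and binary-like files before scanning."""
    lower = filename.lower()
    return not any(lower.endswith(ext) for ext in BANNED_EXTENSIONS)


def find_sonarqube_tokens(filename: str, content: str) -> List[Dict[str, str]]:
    """Return one finding per token, tagged with the detector family that caught it."""
    if not filename_allowed(filename):
        return []
    findings: List[Dict[str, str]] = []
    # Prefixed detector: the prefix itself satisfies the sq[uap]_ content whitelist.
    for m in PREFIXED_TOKEN.finditer(content):
        token = m.group(1)
        findings.append({"detector": "sonarqube_token_prefixed", "token": token,
                         "type": PREFIX_TYPES[token[:4]]})
    # Legacy detector: ContentWhitelistPreValidator requires "sonar" somewhere in the file.
    if "sonar" in content.lower():
        for m in LEGACY_TOKEN.finditer(content):
            findings.append({"detector": "sonarqube_token", "token": m.group(1),
                             "type": "legacy (scope-agnostic)"})
    return findings


# Constructed sample: the page's two example tokens plus a made-up sqa_ token.
SAMPLE = """sonar.login=sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd
SONAR_GLOBAL=sqa_0123456789abcdef0123456789abcdef01234567
SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
"""

if __name__ == "__main__":
    for hit in find_sonarqube_tokens("sonar-project.properties", SAMPLE):
        print(hit["detector"], hit["type"], hit["token"])
```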