
SonarQube Token



  • Documentation:
  • Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting user tokens used to authenticate API calls.
  • IPs allowlist: To the best of our knowledge, this feature is not supported for SaaS instances. Note that SonarQube can be self-hosted and IP allowlisting can be enforced directly on the concerned machine.
  • Scopes: All credentials have the same scope.

Revoke the secret

Tokens can be revoked from the Security tab of the user account. On on-premise instances of SonarQube, go to User > My Account > Security and click the Revoke button next to the token.

Check for suspicious activity

No extensive logs are provided on the SaaS version of SonarQube. However, the "last used" date of each token is available and can give an indication of suspicious activity.

Details for SonarQube token

  • Family: Api

  • Category: Development tool

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 35.86

  • Prefixed: False

  • PreValidators:

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
- type: ContentWhitelistPreValidator
  patterns:
    - sonar
```


```yaml
- text: >
    SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
  apikey: 1542358aa32f15c30ac609ec22f77835e047d162
```
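As an added illustration (not GitGuardian's own detector code), the following Python sketch shows how the two pre-validators above gate the search, run against the example file. The 40-hex token shape, the default banlist extensions and all function names are assumptions made for this example.

```python
import re

# Assumption: a stand-in for the default banlist of extensions; the real
# default list is not given on this page.
DEFAULT_BANLIST_EXTENSIONS = {".lock", ".min.js", ".png", ".jpg", ".pdf"}

# ContentWhitelistPreValidator: the content must mention one of these
# patterns (case-insensitive) before the token pattern is even tried.
CONTENT_WHITELIST_PATTERNS = ["sonar"]

# Assumption: a SonarQube user token is 40 lowercase hex characters,
# matching the shape of the token in the page's example.
TOKEN_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])")


def filename_banlist_prevalidator(filename, banlist_extensions=(),
                                  banlist_filenames=(),
                                  include_default_banlist_extensions=True):
    """Return True if the file should be scanned, False if it is banlisted."""
    name = filename.rsplit("/", 1)[-1].lower()
    if name in {f.lower() for f in banlist_filenames}:
        return False
    exts = {e.lower() for e in banlist_extensions}
    if include_default_banlist_extensions:
        exts |= DEFAULT_BANLIST_EXTENSIONS
    return not any(name.endswith(ext) for ext in exts)


def content_whitelist_prevalidator(content, patterns=CONTENT_WHITELIST_PATTERNS):
    """Return True if the content contains at least one whitelist pattern."""
    lowered = content.lower()
    return any(p.lower() in lowered for p in patterns)


def find_sonarqube_tokens(filename, content):
    """Apply both pre-validators, then return the candidate tokens found."""
    if not filename_banlist_prevalidator(filename):
        return []
    if not content_whitelist_prevalidator(content):
        return []
    return sorted(set(TOKEN_RE.findall(content)))


# Constructed sample inputs: the page's example, and a file with the same
# token but no "sonar" keyword, which the content whitelist filters out.
SAMPLE_ENV = 'SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"\n'
SAMPLE_NO_KEYWORD = 'apikey: 1542358aa32f15c30ac609ec22f77835e047d162\n'
```

Because the token is a bare 40-hex string with no prefix, any 40-hex value (a git commit hash, for instance) near the word "sonar" would also be reported, which is why the detector is marked as not high recall and has no validity check.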