- Documentation: https://docs.sonarqube.org/latest/extend/web-api/
- Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting user tokens used to authenticate API calls.
- IPs allowlist: To the best of our knowledge, this feature is not supported for SaaS instances. Note that SonarQube can be self-hosted and IP allowlisting can be enforced directly on the concerned machine.
- Scopes: All credentials have the same scope.
The tokens can be revoked from the Security tab of the user account. For On-Premise instances of SonarQube, go to User > My Account > Security and click on the Revoke button.
No extensive logs are provided on the SaaS version of SonarQube. However, the "last used" date of each token is available and can give insights into suspicious activity.
Category: Development tool
High recall: False
Validity check available: False
Minimum number of matches: 1
Occurrences found for one million commits: 35.86
```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^lock$
    - ^mdx?~?$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames:
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - sonar
```
```yaml
- text: >
    SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
  apikey: 1542358aa32f15c30ac609ec22f77835e047d162
```
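As an added illustration (not the detector's own implementation), the following Python applies the two pre-validators listed above to a file before extracting candidate tokens, and runs it on the example content. The token regex is an assumption for this example, not the vendor's pattern: it keys on a `SONAR_TOKEN`-style name followed by a 40-character hex string, which is the shape of the example value.

```python
import re
from pathlib import PurePosixPath

# Pre-validator settings transcribed from the detector configuration above.
BANLIST_EXTENSIONS = [
    r"^(cs|x|p|s|r|m)?html5?~?$",
    r"^[aps]?cssc?~?$",
    r"^lock$",
    r"^mdx?~?$",
    r"^storyboard(c|er)?~?$",
    r"^xib$",
]
CONTENT_WHITELIST = ["sonar"]

# Assumption for illustration only: a SonarQube-looking variable name followed
# by a 40-char hex value, matching the example above. Not the vendor's regex.
TOKEN_RE = re.compile(r"(?i)sonar[_\-]?token\W{0,5}([0-9a-f]{40})\b")

# Constructed sample input, copied from the example above.
SAMPLE = 'SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"'


def filename_banned(path: str) -> bool:
    """FilenameBanlistPreValidator: skip files whose extension matches the banlist."""
    ext = PurePosixPath(path).suffix.lstrip(".")
    return any(re.match(pattern, ext) for pattern in BANLIST_EXTENSIONS)


def content_whitelisted(text: str) -> bool:
    """ContentWhitelistPreValidator: only scan content that mentions 'sonar'."""
    lower = text.lower()
    return any(word in lower for word in CONTENT_WHITELIST)


def find_sonar_tokens(path: str, text: str) -> list[str]:
    """Run both pre-validators, then return the candidate tokens found."""
    if filename_banned(path) or not content_whitelisted(text):
        return []  # file skipped before any pattern matching happens
    return [m.group(1) for m in TOKEN_RE.finditer(text)]


if __name__ == "__main__":
    for path in (".env", "index.html", "README.md"):
        print(path, "->", find_sonar_tokens(path, SAMPLE))
```

Files whose extension is on the banlist (for example `index.html` or `README.md`) are skipped entirely, as is any content without the word "sonar", so only the `.env` case yields the token.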