
SonarQube Token

Description

General

  • Documentation: https://docs.sonarqube.org/latest/extend/web-api/
  • Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting user tokens used to authenticate API calls.
  • IP allowlist: To the best of our knowledge, this feature is not supported for SaaS instances. Note that SonarQube can be self-hosted, in which case IP allowlisting can be enforced directly on the host machine.
  • Scopes: All credentials have the same scope.

Revoke the secret

Tokens can be revoked from the Security tab of the user's account. On on-premise instances of SonarQube, go to User > My Account > Security and click the Revoke button next to the token.

Check for suspicious activity

No extensive logs are provided on the SaaS version of SonarQube. Still, the "last used" date of each token is available and can give insight into suspicious activity.

Details for SonarQube token

  • Category: Development tool

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 31.84

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions:
        - ^(cs|x|p|s|r)?html5?~?$
        - ^[aps]?cssc?~?$
        - ^lock$
        - ^mdx?~?$
        - ^storyboard(c|er)?~?$
        - ^xib$
      banlist_filenames: []
      check_binaries: false
    - type: ContentWhitelistPreValidator
      patterns:
        - sonar
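Added example, not GitGuardian's detector code: a minimal Python model of how the two PreValidators above gate a file before any token pattern runs, using the banlist and whitelist values from this page. The 40-hex-character candidate pattern (shaped like the token in the Examples section) and the case-insensitive match of "sonar" are assumptions, since the page does not publish the detector's actual regex.

```python
import re

# PreValidator configuration exactly as listed on this page.
BANLIST_EXTENSIONS = [
    r"^(cs|x|p|s|r)?html5?~?$",
    r"^[aps]?cssc?~?$",
    r"^lock$",
    r"^mdx?~?$",
    r"^storyboard(c|er)?~?$",
    r"^xib$",
]
WHITELIST_PATTERNS = ["sonar"]

# Assumption: the real detector regex is not published; 40 lowercase hex
# characters matches the shape of the token shown in the page's example.
CANDIDATE_TOKEN = re.compile(r"\b[0-9a-f]{40}\b")
MIN_MATCHES = 1  # "Minimum number of matches: 1"

# Constructed sample input, built from the page's own example text.
SAMPLE_CONTENT = (
    'SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"\n'
    "apikey: 1542358aa32f15c30ac609ec22f77835e047d162\n"
)


def filename_allowed(path: str) -> bool:
    """FilenameBanlistPreValidator: skip files whose extension hits the banlist."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return not any(re.match(p, ext) for p in BANLIST_EXTENSIONS)


def content_whitelisted(content: str) -> bool:
    """ContentWhitelistPreValidator: only scan content that mentions a whitelist
    pattern (case-insensitive matching is an assumption)."""
    lowered = content.lower()
    return any(p in lowered for p in WHITELIST_PATTERNS)


def scan(path: str, content: str) -> list[str]:
    """Run both PreValidators, then collect distinct candidate tokens."""
    if not filename_allowed(path) or not content_whitelisted(content):
        return []  # pre-validation rejected the file: no regex work at all
    found = sorted(set(CANDIDATE_TOKEN.findall(content)))
    return found if len(found) >= MIN_MATCHES else []


if __name__ == "__main__":
    print(scan("ci/.env", SAMPLE_CONTENT))        # token reported
    print(scan("docs/index.html", SAMPLE_CONTENT))  # banlisted extension
```

The third gate worth noting is the whitelist: the same token in a file that never mentions "sonar" is not scanned, which is why "High recall" is listed as False for this detector.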

Examples

    - text: >
        SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
        apikey: 1542358aa32f15c30ac609ec22f77835e047d162