
SonarQube Token

Description

General

  • Documentation: https://docs.sonarqube.org/latest/extend/web-api/
  • Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting the old token format (which is scope-agnostic) and the new prefixed user, global analysis and project analysis tokens used to authenticate API calls.
  • IPs allowlist: This feature is not supported for SaaS instances. Note that SonarQube can be self-hosted and IP allowlisting can be enforced directly on the concerned machine.
  • Scopes: Permissions associated with a SonarQube token depend on the type of token:
    - User Tokens: can be used to run analysis and to invoke web services, based on the token author's permissions.
    - Project Analysis Tokens: can be used to run analysis on a specific project.
    - Global Analysis Tokens: can be used to run analysis on every project.

Revoke the secret

Tokens can be revoked from the Security tab of the user's account. For on-premise instances of SonarQube, go to User > My Account > Security and click the Revoke button next to the token.

Check for suspicious activity

No extensive logs are provided on the SaaS version of SonarQube. However, the "last used" date of each token is available and can give insight into suspicious activity.

Details for Sonarqube token

  • Family: Api

  • Category: Code analysis

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 37.98

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames: []
      check_binaries: false
      include_default_banlist_extensions: true
      ban_markup: true
    - type: ContentWhitelistPreValidator
      patterns:
        - sonar

Examples

    - text: >
        SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"
      apikey: 1542358aa32f15c30ac609ec22f77835e047d162

Details for Sonarqube token prefixed

  • Family: Api

  • Category: Code analysis

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 124.2

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames: []
      check_binaries: false
      include_default_banlist_extensions: true
      ban_markup: true
    - type: ContentWhitelistPreValidator
      patterns:
        - sq[uap]_

Examples

    - text: >
        sonar.login=sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd
      apikey: sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd
    - text: >
        sonar.login=squ_9a88f6493075e010f74cbdabeb24fe8c68fab6bc
      apikey: squ_9a88f6493075e010f74cbdabeb24fe8c68fab6bc
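The two detector descriptions above (the scope-agnostic 40-hex token and the sq[uap]_ prefixed token) share the same pre-validation pipeline: a filename banlist that drops markup files, then a content whitelist that only lets the token regex run on files that contain "sonar" or "sq[uap]_". The following is an added Python example, not GitGuardian's own detector code, that reproduces that pipeline over a few constructed sample files. The token regexes, the case-insensitive treatment of the "sonar" whitelist pattern and the small set of banned extensions are all assumptions; the real detectors' patterns and default banlist are not published on this page. The sample tokens are the page's own example values.

```python
import re
from typing import NamedTuple

# Assumed token shapes (not the detectors' real regexes):
#  - old format: 40 lowercase hex characters with no word character on either side
#  - prefixed format: sqp_ / squ_ / sqa_ followed by 40 lowercase hex characters
# The lookbehind on the old-format regex keeps it from re-matching the hex body
# of a prefixed token, so each token is reported by exactly one detector.
OLD_TOKEN_RE = re.compile(r"(?<![0-9a-zA-Z_])([0-9a-f]{40})(?![0-9a-zA-Z_])")
PREFIXED_TOKEN_RE = re.compile(r"(?<![0-9a-zA-Z_])(sq[uap]_[0-9a-f]{40})(?![0-9a-zA-Z_])")

# ContentWhitelistPreValidator patterns as listed on the page. Treating "sonar"
# case-insensitively is an assumption (it lets SONAR_TOKEN=... pass the gate).
DETECTORS = {
    "sonarqube_token": (re.compile(r"sonar", re.IGNORECASE), OLD_TOKEN_RE),
    "sonarqube_token_prefixed": (re.compile(r"sq[uap]_"), PREFIXED_TOKEN_RE),
}

# FilenameBanlistPreValidator: the page enables the default extension banlist and
# ban_markup, but does not list them; this small set is an assumption.
BANNED_EXTENSIONS = {".md", ".rst", ".html", ".htm", ".xml"}


class Finding(NamedTuple):
    detector: str
    path: str
    line_no: int
    token: str


def filename_allowed(path: str) -> bool:
    """Filename pre-validation: skip markup/documentation files entirely."""
    lower = path.lower()
    return not any(lower.endswith(ext) for ext in BANNED_EXTENSIONS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run both detectors over one file, honouring both pre-validators."""
    findings: list[Finding] = []
    if not filename_allowed(path):
        return findings
    for name, (whitelist_re, token_re) in DETECTORS.items():
        # Content whitelist: a cheap gate before the (costlier) token regex.
        if not whitelist_re.search(text):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in token_re.finditer(line):
                findings.append(Finding(name, path, line_no, match.group(1)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content and collect every finding."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample inputs. The first two reuse the page's example tokens; the
# third is a banned markup file; the fourth holds a 40-hex git SHA with no
# "sonar" context, which the content whitelist is meant to leave alone.
SAMPLE_FILES = {
    "ci/deploy.sh": 'SONAR_TOKEN="1542358aa32f15c30ac609ec22f77835e047d162"\n',
    "sonar-project.properties": "sonar.login=sqp_9a88f6493075e010f74cbdabeb24fe8c68fab6bd\n",
    "CHANGELOG.md": "Fixed in commit 1542358aa32f15c30ac609ec22f77835e047d162 (sonar)\n",
    "build.log": "Checked out a3c5e7d2b1f4a6c8e0d2b4f6a8c0e2d4f6a8b0c2\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        # Print only a prefix of the secret so the scanner's own output does not leak it.
        print(f"{f.detector}: {f.path}:{f.line_no} {f.token[:8]}...")
```

Running it reports one old-format finding in ci/deploy.sh and one prefixed finding in sonar-project.properties; the markup file is skipped by the filename banlist and the bare git SHA in build.log never reaches the regex because nothing in that file matches the "sonar" whitelist. That gate is also why a token pasted without any SonarQube context can be missed, which is consistent with the "High recall: False" entry above.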