Skip to main content
__wf_reserved_inherit

SonarQube Token

Description

General

  • Documentation: https://docs.sonarqube.org/latest/extend/web-api/
  • Summary: SonarQube is an open-source platform for continuous inspection of code quality and detection of code vulnerabilities. SonarQube provides a web API to access its functionalities from applications. This detector focuses on detecting the old token format (which is scope-agnostic) and the new prefixed user, global analysis and project analysis tokens used to authenticate API calls.
  • IPs allowlist: This feature is not supported for SaaS instances. Note that SonarQube can be self-hosted and IP allowlisting can be enforced directly on the concerned machine.
  • Scopes: Permissions associated to a SonarQube token depend on the type of token: - User Tokens: These tokens can be used to run analysis and to invoke web services, based on the token author's permissions. - Project Analysis Tokens: These tokens can be used to run analysis on a specific project. - Global Analysis Tokens: These tokens can be used to run analysis on every project.

Revoke the secret

The tokens can be revoked from the security tab of accounts. For On-Premise instances of SonarQube go to User > My Account > Security and click on the Revoke button.

Check for suspicious activity

No extensive logs are provided on the SaaS version of SonarQube. Yet, the "last used" date is available and can give insights on suspicious activities.

Details for Sonarqube token

  • Family: Api

  • Category: Code analysis

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 37.98

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - sonar

Examples

- text: |
    SONAR_TOKEN="8542358fa39f75d30ca699bc27c57335e047c162"
  apikey: 8542358fa39f75d30ca699bc27c57335e047c162

Details for Sonarqube token prefixed

  • Family: Api

  • Category: Code analysis

  • Company: SonarQube

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 124.2

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - sq[uap]_

Examples

- text: |
    sonar.login=sqp_5a03f4395033c714f44cddfabb60fe2a65fcb4bd
  apikey: sqp_5a03f4395033c714f44cddfabb60fe2a65fcb4bd

- text: |
    sonar.login=squ_0a81f6490875e062f79ccdeace23ac3c68dac6ec
  apikey: squ_0a81f6490875e062f79ccdeace23ac3c68dac6ec
__wf_reserved_inherit__wf_reserved_inherit

Something we didn’t cover?

__wf_reserved_inherit

See our Roadmap

__wf_reserved_inherit

Subscribe on GitHub

__wf_reserved_inherit

Submit a request

__wf_reserved_inherit

API status