The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Secrets, Tokens and Credentials in SonarQube

This document lists all secrets, tokens and credentials that can be configured and managed by an administrator user in SonarQube Server.

List of credentials

Credentials typeUsageOfficial documentation linkComment
Tokens
User tokensAuthenticate to SonarQube Web APIUser TokensProvides traceability and reflects user permissions. Suitable for manual/API usage.
Project analysis tokensRun analysis on a specific projectProject analysis tokensRecommended for CI/CD. Limits access to a single project, reducing impact if compromised (least privilege).
Global analysis tokensRun analysis on all projectsGlobal analysis tokensShould not be used by default. Grants access to all projects and violates the principle of least privilege. Use only in exceptional cases where project-scoped tokens cannot be applied.
Other
User passwordsLocal user authentication (fallback when SSO is not used)Changing passwordCannot be fully disabled. Should not be used when SSO is enabled; access must be enforced via external Identity Provider.
Note

SonarQube does not support API Keys or SSH keys. Authentication is primarily handled through tokens and external identity providers.

Credential Configuration Parameters

This section lists all parameters available for credential configuration. Each parameter can be set by an administrator through the Admin UI, REST API request, or defined in a configuration file.

Single Sign-on Authentication

Software Factory recommends implementing SAML-based authentication for Single Sign-On (SSO).

We also advise not using password authentication for the web interface.

Warning

SonarQube does not provide native 2FA support. Multi-factor authentication must be enforced through an external Identity Provider (e.g., SAML or OAuth).

Credentials typeParametersConfiguration locationAdmin panel configurationDefault configurationRecommendationOfficial documentation link
Access tokensLifetime limitOnly in Admin UIAdministration → Configuration → General Settings → Security In Administration panel go to Configuration > General Settings > Security , look for Maximum allowed lifetime for token section, clink on Dropdown, choose the lifetime token period desired and then select SaveNo expiration90 daysMaximum allowed lifetime for token
Note

Administrators can generate and revoke user tokens on behalf of any user. Token lifetime policies apply only to newly created tokens and do not affect existing ones. Therefore, when introducing or tightening a token lifetime policy, previously created tokens should be reviewed and revoked as needed to ensure compliance with the new policy.