version v7.2.
For up-to-date documentation, see the
latest version.
Secrets, Tokens and Credentials in SonarQube
2 minute read
This document lists all secrets, tokens and credentials that can be configured and managed by an administrator user in SonarQube Server.
List of credentials
| Credentials type | Usage | Official documentation link | Comment |
|---|---|---|---|
| Tokens | |||
| User tokens | Authenticate to SonarQube Web API | User Tokens | Provides traceability and reflects user permissions. Suitable for manual/API usage. |
| Project analysis tokens | Run analysis on a specific project | Project analysis tokens | Recommended for CI/CD. Limits access to a single project, reducing impact if compromised (least privilege). |
| Global analysis tokens | Run analysis on all projects | Global analysis tokens | Should not be used by default. Grants access to all projects and violates the principle of least privilege. Use only in exceptional cases where project-scoped tokens cannot be applied. |
| Other | |||
| User passwords | Local user authentication (fallback when SSO is not used) | Changing password | Cannot be fully disabled. Should not be used when SSO is enabled; access must be enforced via external Identity Provider. |
SonarQube does not support API Keys or SSH keys. Authentication is primarily handled through tokens and external identity providers.
Credential Configuration Parameters
This section lists all parameters available for credential configuration. Each parameter can be set by an administrator through the Admin UI, REST API request, or defined in a configuration file.
Software Factory recommends implementing SAML-based authentication for Single Sign-On (SSO).
We also advise not using password authentication for the web interface.
SonarQube does not provide native 2FA support. Multi-factor authentication must be enforced through an external Identity Provider (e.g., SAML or OAuth).
| Credentials type | Parameters | Configuration location | Admin panel configuration | Default configuration | Recommendation | Official documentation link |
|---|---|---|---|---|---|---|
| Access tokens | Lifetime limit | Only in Admin UI | Administration → Configuration → General Settings → Security In Administration panel go to Configuration > General Settings > Security , look for Maximum allowed lifetime for token section, clink on Dropdown, choose the lifetime token period desired and then select Save | No expiration | 90 days | Maximum allowed lifetime for token |
Administrators can generate and revoke user tokens on behalf of any user. Token lifetime policies apply only to newly created tokens and do not affect existing ones. Therefore, when introducing or tightening a token lifetime policy, previously created tokens should be reviewed and revoked as needed to ensure compliance with the new policy.