The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Secrets, Tokens and Credentials in SonarQube

This document lists all secrets, tokens and credentials that can be configured and managed by a non-administrator user in SonarQube.

For each item, a concise explanation of its usage and a link to the official documentation are provided.

TypeDescriptionDetails
User TokenFull user-level authentication token, inherits all user permissionsUser Token
Project Analysis TokenScoped token for running analyses on a single projectProject Analysis Token
Global Analysis TokenToken for running analyses on all projects in the instanceGlobal Analysis Token
Webhook SecretHMAC-SHA256 secret to verify authenticity of webhook payloadsWebhook Secret
Project Badge TokenAuto-generated token for displaying project metrics badgesProject Badge Token
DevOps Platform PATGitLab PAT for project import and Merge Request decorationDevOps Platform Integration
Login/Password (deprecated)Legacy authentication method, replaced by tokensLogin/Password

User Token

Description

Authentication token that allows a user to perform all actions the user can do via the web interface, without using their actual credentials (login/password).

  • Invoke SonarQube Web APIs (via Bearer or Basic HTTP authentication)
  • Run code analyses
  • Configure SonarLint/SonarQube for IDE in Connected Mode (mandatory) Inherits all permissions of the user who created it.

For example, a User Token from a global administrator gives full rights to the instance.

Configuration

  • Where to create:
    • User > My Account > Security
  • Parameters:
    • Token name, Type (User), Expiration date (recommended)
  • Usage:
    • sonar.token property or SONAR_TOKEN environment variable for analyses
    • in HTTP header for API calls
Important

Avoid using User Tokens for CICD pipeline.

Official Documentation

Project Analysis Token

Description

Project-specific authentication token that allows running analyses only on that particular project.

  • Run code analyses on the specified project
  • Invoke Web Services requiring “Execute Analysis” permission on the associated project Limited to the specific project it was created for.

If the token author loses “Execute Analysis” permissions on the project, the token becomes invalid.

Configuration

  • Where to create:
    • User > My Account > Security
  • Parameters:
    • Token name, Type (Project Analysis Token), Associated project, Expiration date (optional)
  • Usage:
    • sonar.token property or SONAR_TOKEN environment variable for project analyses

Official Documentation

Important

Token should be set as a masked variable in GitLab CICD settings

Global Analysis Token

Description

Authentication token that allows running analyses on all projects in the SonarQube instance.

  • Run code analyses on any project in the instance
  • Useful for multi-project CI/CD pipelines Valid for analyzing all projects.

If the token author loses the “Global Execute Analysis” permission, the token becomes invalid.

Configuration

  • Where to create:
    • User > My Account > Security
  • Parameters:
    • Token name, Type (Global Analysis Token), Expiration date (optional)
  • Usage:
    • sonar.token property or SONAR_TOKEN environment variable for analyses

Official Documentation

Token recommandations

Secure interactions with SonarQube require attention to token management practices. Below are some best practices to help maintain a secure environment:

Software Factory Recommendations
  • Use tokens instead of passwords for automated SonarQube interactions.
  • Define an expiration date, in accordance with the time of use required, to enhance security where applicable
  • Regularly rotate tokens to reduce the risk of misuse.
  • Revoke tokens immediately if they are no longer needed or compromised.
  • Generate tokens with only the necessary permissions for the task.
  • Generate unique tokens for different services or projects to enhance security.
  • Regularly review tokens rights and associated user accounts / permissions

Webhook Secret

Description

Webhooks are used to notify external services when a project analysis is done. An HTTP POST request including a JSON payload is sent to each of the provided URLs. Optional secret used to secure webhooks by generating an HMAC-SHA256 signature that verifies the authenticity and integrity of payloads sent by SonarQube.

  • Secure webhooks configured at project or global level
  • Verify that requests actually come from SonarQube and not from an unverified source
  • The HMAC signature is transmitted in the X-Sonar-Webhook-HMAC-SHA256 HTTP header

Configuration

  • Where to configure:
    • Project: Project Settings > Webhooks
    • Global: Administration > Configuration > Webhooks (requires admin rights)
  • Parameters:
    • Webhook name
    • Destination URL
    • Secret (random string of your choice)
  • Usage:
    • The secret is used by SonarQube to create a hash with each payload. The third-party service must validate this signature.
Warning

Ensure that any specified URL complies with your data classification and project constraints

Official Documentation

Project Badge Token

Description

Unique security token automatically generated for each project that allows displaying dynamic badges (metrics, Quality Gate status) on external web pages or third-party tools.

  • Display a project’s Quality Gate status on a GitHub/GitLab README
  • Expose specific metrics (bugs, vulnerabilities, code coverage, etc.) via a dynamic image
  • Include in external websites or documentation

Configuration

  • Where to configure:
    • Go to the project > Project Information (top right corner)
    • “Badges” section
  • Parameters:
    • Information type: Metric value or Quality Gate status
    • Metric to display (if type is Metric value)
    • Format: Markdown or Image URL

Official Documentation

DevOps Platform Integration - Personal Access Token (PAT)

This feature is disabled on TDP C2, but you can use sonar-report-issues template of

nextgen-cicd / step SonarQube

Description

Personal access tokens from DevOps platforms (GitLab) allowing SonarQube to connect to these platforms to import projects and decorate Pull/Merge Requests.

  • Import GitLab projects into SonarQube
  • Decorate Merge Requests with Quality Gate results
  • Access and list user’s GitLab projects

Configuration

  • Import:
    • Projects > Create project > From GitLab > Provide PAT with read_api scope
  • MR Decoration:
    • Automatically configured during import, or manually in Project Settings > Pull Request Decoration

Official Documentation

Login/Password Authentication (Deprecated)

Using tokens is strongly recommended instead as it is not considered as a robust

mechanism Traditional authentication method using login and password for analyses and API calls.

  • Historically used for authentication in analyses (sonar.login and sonar.password properties)
  • Still supported but discouraged
Last modified 30.01.2026: SonarQube Secret/Token list (4197abd)