version v7.2.
For up-to-date documentation, see the
latest version.
Secrets, Tokens and Credentials in SonarQube
5 minute read
This document lists all secrets, tokens and credentials that can be configured and managed by a non-administrator user in SonarQube.
For each item, a concise explanation of its usage and a link to the official documentation are provided.
| Type | Description | Details |
|---|---|---|
| User Token | Full user-level authentication token, inherits all user permissions | User Token |
| Project Analysis Token | Scoped token for running analyses on a single project | Project Analysis Token |
| Global Analysis Token | Token for running analyses on all projects in the instance | Global Analysis Token |
| Webhook Secret | HMAC-SHA256 secret to verify authenticity of webhook payloads | Webhook Secret |
| Project Badge Token | Auto-generated token for displaying project metrics badges | Project Badge Token |
| DevOps Platform PAT | GitLab PAT for project import and Merge Request decoration | DevOps Platform Integration |
| Login/Password (deprecated) | Legacy authentication method, replaced by tokens | Login/Password |
User Token
Description
Authentication token that allows a user to perform all actions the user can do via the web interface, without using their actual credentials (login/password).
- Invoke SonarQube Web APIs (via Bearer or Basic HTTP authentication)
- Run code analyses
- Configure SonarLint/SonarQube for IDE in Connected Mode (mandatory) Inherits all permissions of the user who created it.
For example, a User Token from a global administrator gives full rights to the instance.
Configuration
- Where to create:
- User > My Account > Security
- Parameters:
- Token name, Type (User), Expiration date (recommended)
- Usage:
sonar.tokenproperty orSONAR_TOKENenvironment variable for analyses- in HTTP header for API calls
Avoid using User Tokens for CICD pipeline.
Official Documentation
Project Analysis Token
Description
Project-specific authentication token that allows running analyses only on that particular project.
- Run code analyses on the specified project
- Invoke Web Services requiring “Execute Analysis” permission on the associated project Limited to the specific project it was created for.
If the token author loses “Execute Analysis” permissions on the project, the token becomes invalid.
Configuration
- Where to create:
- User > My Account > Security
- Parameters:
- Token name, Type (Project Analysis Token), Associated project, Expiration date (optional)
- Usage:
sonar.tokenproperty orSONAR_TOKENenvironment variable for project analyses
Official Documentation
Token should be set as a masked variable in GitLab CICD settings
Global Analysis Token
Description
Authentication token that allows running analyses on all projects in the SonarQube instance.
- Run code analyses on any project in the instance
- Useful for multi-project CI/CD pipelines Valid for analyzing all projects.
If the token author loses the “Global Execute Analysis” permission, the token becomes invalid.
Configuration
- Where to create:
- User > My Account > Security
- Parameters:
- Token name, Type (Global Analysis Token), Expiration date (optional)
- Usage:
sonar.tokenproperty orSONAR_TOKENenvironment variable for analyses
Official Documentation
Token recommandations
Secure interactions with SonarQube require attention to token management practices. Below are some best practices to help maintain a secure environment:
- Use tokens instead of passwords for automated SonarQube interactions.
- Define an expiration date, in accordance with the time of use required, to enhance security where applicable
- Regularly rotate tokens to reduce the risk of misuse.
- Revoke tokens immediately if they are no longer needed or compromised.
- Generate tokens with only the necessary permissions for the task.
- Generate unique tokens for different services or projects to enhance security.
- Regularly review tokens rights and associated user accounts / permissions
Webhook Secret
Description
Webhooks are used to notify external services when a project analysis is done.
An HTTP POST request including a JSON payload is sent to each of the provided URLs.
Optional secret used to secure webhooks by generating an HMAC-SHA256 signature that verifies the
authenticity and integrity of payloads sent by SonarQube.
- Secure webhooks configured at project or global level
- Verify that requests actually come from SonarQube and not from an unverified source
- The HMAC signature is transmitted in the
X-Sonar-Webhook-HMAC-SHA256HTTP header
Configuration
- Where to configure:
- Project: Project Settings > Webhooks
- Global: Administration > Configuration > Webhooks (requires admin rights)
- Parameters:
- Webhook name
- Destination URL
- Secret (random string of your choice)
- Usage:
- The secret is used by SonarQube to create a hash with each payload. The third-party service must validate this signature.
Ensure that any specified URL complies with your data classification and project constraints
Official Documentation
Project Badge Token
Description
Unique security token automatically generated for each project that allows displaying dynamic badges (metrics, Quality Gate status) on external web pages or third-party tools.
- Display a project’s Quality Gate status on a GitHub/GitLab README
- Expose specific metrics (bugs, vulnerabilities, code coverage, etc.) via a dynamic image
- Include in external websites or documentation
Configuration
- Where to configure:
- Go to the project > Project Information (top right corner)
- “Badges” section
- Parameters:
- Information type: Metric value or Quality Gate status
- Metric to display (if type is Metric value)
- Format: Markdown or Image URL
Official Documentation
DevOps Platform Integration - Personal Access Token (PAT)
sonar-report-issues template ofnextgen-cicd / step SonarQube
Description
Personal access tokens from DevOps platforms (GitLab) allowing SonarQube to connect to these platforms to import projects and decorate Pull/Merge Requests.
- Import GitLab projects into SonarQube
- Decorate Merge Requests with Quality Gate results
- Access and list user’s GitLab projects
Configuration
- Import:
- Projects > Create project > From GitLab > Provide PAT with
read_apiscope
- Projects > Create project > From GitLab > Provide PAT with
- MR Decoration:
- Automatically configured during import, or manually in Project Settings > Pull Request Decoration
Official Documentation
Login/Password Authentication (Deprecated)
mechanism Traditional authentication method using login and password for analyses and API calls.
- Historically used for authentication in analyses (
sonar.loginandsonar.passwordproperties) - Still supported but discouraged