koral--
commented
3 years ago I understand that point of view. On one hand the properties file (if somehow downloaded from working dir) will contain a plain text with token. One the other hand its is not printed at all to log unlike commadline invocations. Secrets are stripped but user may hardcode token without saving in a secret. Moreover the commadline has lesser length limitation than file size. But reaching any of those limits in case of sonar config is not so probable. There is no a single answer which solution is better I think.
I was just wondering if it really is a good idea to just push all the parameters into the" will end up there, in plain text.
sonar-project.propertiesfile. As also stuff like "sonar.login=Maybe using command line arguments instead would solve this? e.g.
-Dsonar.login=<token>At least Bitrise "redacts" stuff coming from "Secrets" in the build logs.
But as I'm not an info sec pro, I'm not quite sure if that solution is really secure in the end either.
Anyway as a reminder: One should definitely use access tokens that only have the minimum amount of permissions (only "perform analysis" I would ay) and the token should be stored in Bitrise "Secrets".