Closed tschaffter closed 8 months ago
On SonarQube, we now have analysis tokens (project-bound or global) in addition to the standard user tokens.
Analysis tokens don't seem to be available for SonarCloud:
EDIT: ~~There is a way to generate project-specific tokens (see below). It's not clear whether they are limited to running analysis or if they have admin access to the project. The former would make the most sense.~~
EDIT2: The above statement was actually wrong. What I thought were project-specific tokens are actually user tokens. These tokens can be found in the User profile > Security.
Other projects are tracking the issue of not having access to analysis tokens:
This repository is now using a Sonar token that only has the permission to execute analysis.
What product(s) is this story for?
Sage Monorepo
As a user, I want
No response
Description
Sage Monorepo is a public repo that accepts PRs from outside of the organization. The goal of this PR is to explore the security risks associated with the use of GH secrets.
Acceptance criteria
No response
Tasks
Anything else?
References:
Have you linked this story to a GitHub Project?
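As an added illustration of the secret-exposure question raised in the description (this is example configuration written for this page, not a workflow from the Sage Monorepo or from Sonar), the following GitHub Actions workflow runs a SonarCloud analysis with a repository secret while keeping that secret out of reach of code submitted from forks. The secret name `SONAR_TOKEN` and the repository variables `SONAR_ORG` and `SONAR_PROJECT_KEY` are assumed placeholders; the action reference and its inputs are SonarSource's published ones.

```yaml
# Added example, not part of the Sage Monorepo. SONAR_TOKEN, SONAR_ORG and
# SONAR_PROJECT_KEY are assumed placeholder names.
name: sonar-analysis

on:
  push:
    branches: [main]
  # Use `pull_request`, not `pull_request_target`. GitHub does not pass
  # repository secrets (other than GITHUB_TOKEN) to workflows triggered by a
  # pull_request event from a fork, so even if fork code executes in this job,
  # secrets.SONAR_TOKEN is empty and cannot be exfiltrated.
  pull_request:
    branches: [main]

permissions:
  contents: read   # least privilege for the automatic GITHUB_TOKEN

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Run the token-bearing job only for pushes and for PRs whose head branch
    # lives in this repository. Fork PRs are skipped cleanly instead of failing
    # on a missing token.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarCloud can compute new code / blame
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets the scanner decorate the PR
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # analysis-only Sonar token (see above)
        with:
          args: >
            -Dsonar.organization=${{ vars.SONAR_ORG }}
            -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
```

Two design choices matter here. First, the trigger: `pull_request_target` runs with the base repository's secrets and is the usual way a public repo ends up handing a token to a fork's build script, so it is avoided. Second, the token itself: a token that can only execute analysis (the kind the issue says the repository now uses) bounds the damage if it does leak, since the worst outcome is a bogus analysis result rather than project administration.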