Allow Analysis user to fetch Quality Gate Status

We want to reduce the permissions of the analysis user to a minimum, but we need to grant Browse permission to be able to wait for the Quality Gate.

Currently it is not possible to give the user only analysis permissions if you want to wait for the Quality Gate in a CI build. The user still needs to have browse permissions, which includes the possibility of manipulating issue assignments and, even worse, provides a list of existing projects with meta information. Therefore it would be a nice improvement if the analysis scope also covered the necessary access for waitForQualityGate.

See "Allow user with analyse permission to fetch quality gate status" for the initial discussion.

Hi @simon.schrottner
we have been aware of this being a potential limitation, but we did not assign this topic any priority so far because we had no request from any SonarQube user about it yet.
So thanks for your feedback!

Just to be clear on why this is happening: the WaitForQualityGate stage uses the api/qualitygates/project_status SonarQube API endpoint, which is indeed protected by the browse permission at project level.

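To check which side of this permission boundary a given CI token is on, the following added example (not SonarQube's or the Jenkins plugin's code) calls the endpoint named in the reply above and separates a permission denial from a readable gate status. The server URL and project key passed to `probe`, the outcome labels, the sample bodies, and sending the token as the Basic auth user name with an empty password are assumptions of this example.

```python
"""Probe whether a SonarQube token can read a project's Quality Gate status."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "api/qualitygates/project_status"  # endpoint named in the thread


def classify(http_status, body):
    """Turn an HTTP status and body from ENDPOINT into (outcome, detail)."""
    if http_status == 401:
        return ("unauthenticated", "token missing, revoked or malformed")
    if http_status == 403:
        # Token is valid, but the call is refused at project level.
        return ("forbidden", "token lacks Browse permission on the project")
    if http_status != 200:
        return ("error", "unexpected HTTP %d" % http_status)
    try:
        status = json.loads(body)["projectStatus"]["status"]
    except (ValueError, KeyError, TypeError):
        return ("error", "response is not a project_status document")
    return ("readable", status)  # gate status as reported by the server


def probe(base_url, token, project_key, timeout=10):
    """Call ENDPOINT with the token (assumed: Basic auth, empty password)."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = "%s/%s?%s" % (base_url.rstrip("/"), ENDPOINT, query)
    auth = base64.b64encode((token + ":").encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code still carries the answer.
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = '{"projectStatus": {"status": "OK", "conditions": []}}'
SAMPLE_DENIED = '{"errors": [{"msg": "Insufficient privileges"}]}'

if __name__ == "__main__":
    print(classify(200, SAMPLE_OK))
    print(classify(403, SAMPLE_DENIED))
```

Running `probe` with the analysis-only token before and after a permission change shows whether the gate wait would succeed without granting anything beyond what the token already has.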