Are GitLab's group access tokens viable for SonarQube integration?


We are running a self-hosted GitLab together with a self-hosted SonarQube.
SonarQube documentation instructs us to use a technical user when integrating SonarQube to GitLab:

  • Personal Access Token: A GitLab user account is used to decorate Merge Requests. We recommend using a dedicated GitLab account with at least Reporter permissions (the account needs permission to leave comments). Use a personal access token from this account with the api scope authorized for the repositories you’re analyzing. Administrators can encrypt this token at Administration > Configuration > Encryption. See the Settings Encryption section of the Security page for more information. This personal access token is used to report your quality gate status to your pull requests. You’ll be asked for another personal access token for importing projects in the following section.

Now, GitLab does have technical users, in GitLab terms, bot users, that are created when you create group access tokens or project access tokens. However, SonarQube’s GitLab documentation is unclear on whether technical user refers to these or just regular user accounts not associated with a human.

As the docs are ambiguous, I went looking around in the forums and found these posts

I believe they suggest we cannot use group or project access tokens. Am I correct?
It would be nice if you could update the docs to be less ambiguous here, explicitly mentioning whether bot users work or don’t.

In our use case, since the SonarQube instance is not GitLab-wide but only used by one of our groups, group access token would be a perfect solution, as it does not use a seat (meaning it would be quite a bit cheaper for us!), not to mention the hassle of having an actual user with passwords and 2FA etc.


Welcome to the community!

I’m not understanding the distinction between a bot user and an account not associated with a human.

What’s meant in our docs by “technical user” is an account not associated with a human, which would presumably be a “local account”, i.e. one not managed by e.g. LDAP, GitHub, etc., but stored locally in the SonarQube DB (altho, I suppose it doesn’t have to be local).

The three threads you cite relate directly to SonarCloud - where you, as a user, wouldn’t be able to create a local account - and thus aren’t directly relevant to your questions.

Ehm… I’m not quite understanding this question either.

You won’t be able to generate a “group” token. Only user accounts have tokens. User accounts may or may not tie to human beings.

For any user account (with relevant permissions), you may create a project analysis token. Such tokens work only for analysis of the specific projects they were created for. User accounts with global analysis permissions may also create global tokens.

Regarding updating the docs, would you have found a cross-link to this page on generating and using tokens helpful?