I am using SonarQube on prem with ADO pipelines and want to disable automatic project creation during prepare analysis task. Online doc suggests removing the SQB project creation permissions but only I have it currently, yet dev team is still able to create from the pipelines.
Does the token that is being used in the service connection for the pipelines belong to your account?
Yes, I selected “global analysis token” with no expiration. Does the token need to be generated from a less privileged SQB account?
I tried generating a token from non-admin user and only saw “user token” in the dropdown, this did not work Run analysis task failed. I then gave this user permission for global analysis execution, then was able to see “global analysis” and generate.
Is this the recommended approach with respect to least privilege principle?
This is a good approach.
Remember that you can also set this permission (Execute Analysis) at the project level and/or in the default permission template for new projects.
Some trivia: global analysis tokens couldn’t provision projects, but after user feedback, this capability was added.