We are using sonarcloud with azure devops to analyze and act as a quality gate for our web projects.
A problem we see is that we need to give SonarCloud a PAT, which in turn gives you the possibility to do a number of things in DevOps, sometimes more than what we require.
Is there a way to use SonarCloud as a quality gate without issuing an access token?
The PAT allows SonarCloud to talk to ADO to do things like:
import & pre-configure your projects
reflect PR analysis results back to your repository
…
If you don’t want those things, it should still be possible to get by without them, but you’ll forego several of SonarCloud’s benefits.
I haven’t tested that this still works, but historically projects were configured on first analysis. But it will be more work with, as I said, less rewarding results.
I guess you’re concerned that bad actors will gain access to your PAT from SonarCloud to maliciously perform “a number of things in devops”?
It does work, but can SonarCloud still act as a quality gate? Or is the PAT needed for that? PR comments we can do without.
Hi!
Exactly, that’s what we are concerned about! We talked to a representative from Microsoft about it and they told us that we should avoid PAT-based solutions if we could.
Also it forces us to issue tokens for individual developers, which feels weird and hard to oversee. A general admin account to issue them is not really an option.
SonarCloud will always* calculate your Quality Gate status. But if you want that status reflected back into your DevOps Platform, then SonarCloud will need permissions to do that reflection/updating. So for that, it needs a PAT.
And I will ping the team with your concerns about a PAT-based solution. Thanks for providing explicit details of your concerns.
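The pipeline-side check the reply above implies, as an added example that is not SonarSource's code or from anyone in this thread: SonarCloud computes the Quality Gate itself, and a build step reads that result through SonarCloud's web API (`api/qualitygates/project_status`) with a SonarCloud-issued token, so no Azure DevOps PAT is handed to SonarCloud; the cost is that the status is enforced by the pipeline and not reflected into the PR. Assumed: the `SONAR_TOKEN` and `SONAR_PROJECT_KEY` variable names are placeholders, and the sample response is constructed.

```python
"""Fail a pipeline step on a red SonarCloud Quality Gate using only a
SonarCloud-issued token (no Azure DevOps PAT is given to SonarCloud)."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Real SonarCloud web API endpoint; returns {"projectStatus": {"status": ..., "conditions": [...]}}
PROJECT_STATUS_URL = "https://sonarcloud.io/api/qualitygates/project_status"


def parse_quality_gate(payload: dict):
    """Return (passed, failed_conditions) from a project_status response body."""
    status = payload.get("projectStatus", {})
    failed = [
        f"{c.get('metricKey')}={c.get('actualValue')} ({c.get('comparator')} {c.get('errorThreshold')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status.get("status") == "OK", failed


def fetch_project_status(token: str, project_key: str, branch: str = "", pull_request: str = "") -> dict:
    """Query SonarCloud; the token is sent as the Basic-auth user name with an empty password."""
    params = {"projectKey": project_key}
    if pull_request:
        params["pullRequest"] = pull_request
    elif branch:
        params["branch"] = branch
    req = urllib.request.Request(PROJECT_STATUS_URL + "?" + urllib.parse.urlencode(params))
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    # Call this only after the analysis has finished, or you read the previous analysis' gate.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape SonarCloud returns (not real project data).
SAMPLE_FAILED = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "62.5"},
    {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"}]}}

if __name__ == "__main__":
    # SONAR_TOKEN / SONAR_PROJECT_KEY are placeholder names; BUILD_SOURCEBRANCHNAME is set by Azure Pipelines.
    payload = fetch_project_status(os.environ["SONAR_TOKEN"], os.environ["SONAR_PROJECT_KEY"],
                                   branch=os.environ.get("BUILD_SOURCEBRANCHNAME", ""))
    passed, failed = parse_quality_gate(payload)
    print("Quality Gate:", "OK" if passed else "FAILED: " + ", ".join(failed))
    sys.exit(0 if passed else 1)
```

The SonarCloud token only needs "Execute Analysis"-level rights on the SonarCloud side, which is a separate permission model from the Azure DevOps PAT discussed in this thread.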
Hello Ann, you pinged the team a year ago. Is there anything on the roadmap for PAT-less integration with Azure DevOps? We are prohibited by our CISO from using PATs. So if this goes on like this, we’ll have to look at other solutions, unfortunately.
Hi, I know I’m resurrecting an old thread here, but as there doesn’t seem to be much movement on this issue, I’m trying to find other ways to get around the PAT limitations. I guess service principal authentication from SonarCloud into Azure DevOps (which would be the most convenient and conventional way to authenticate, IMHO) is not possible at this time. Is there a way to get around it via APIs? I’ve tried to retrieve the settings via their API endpoint, but I couldn’t find the setting containing the PAT, or one allowing me to change it.