Azure integration without personal access token?

We are using SonarCloud with Azure DevOps to analyze and act as a quality gate for our web projects.

A problem we see is that we need to give SonarCloud a PAT, which in turn gives it the possibility to do a number of things in DevOps, sometimes more than what we require.

Is there a way to use sonarcloud as a quality gate without issuing an access token?

Hi,

Welcome to the community!

The PAT allows SonarCloud to talk to ADO to do things like:

  • import & pre-configure your projects
  • reflect PR analysis results back to your repository
  • …

If you don’t want those things, it should still be possible to get by without them, but you’ll forego several of SonarCloud’s benefits.

I haven’t tested that this still works, but historically projects were configured on first analysis. But it will be more work and, as I said, yield less rewarding results.

I guess you’re concerned that bad actors will gain access to your PAT from SonarCloud to maliciously perform “a number of things in devops”?

Ann

1 Like

Hi!

It does work, but can SonarCloud still act as a quality gate? Or is the PAT needed for that? PR comments we can do without.

Hi!

Exactly, that’s what we are concerned about! We talked to a representative from Microsoft about it and they told us that we should avoid PAT-based solutions if we could.

Also, it forces us to issue tokens for individual developers, which feels weird and hard to overlook. A general admin account to issue them is not really an option.

Thanks for your answer! :heart:

Best regards
Martin

Hi,

SonarCloud will always* calculate your Quality Gate status. But if you want that status reflected back into your DevOps Platform, then SonarCloud will need permissions to do that reflection/updating. So for that, it needs a PAT.

And I will ping the team with your concerns about a PAT-based solution. Thanks for providing explicit details of your concerns.

Ann

* Once your New Code Period is defined
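The distinction Ann draws above (SonarCloud computes the Quality Gate itself; the PAT is only needed to push that status back into Azure DevOps) suggests a way to enforce the gate without handing SonarCloud any ADO credential: have the pipeline pull the verdict from SonarCloud and fail its own build step. The script below is an added example, not code from the thread, from SonarSource or from Microsoft. It authenticates to SonarCloud only, with a SonarCloud user token that has no rights in Azure DevOps. Assumptions not stated in the thread: the `api/qualitygates/project_status` endpoint and its response shape, token-as-username Basic auth, and the Azure DevOps predefined variables `BUILD_SOURCEBRANCHNAME` and `SYSTEM_PULLREQUEST_PULLREQUESTID`; the environment variable names `SONAR_TOKEN` and `SONAR_PROJECT_KEY` and the sample JSON responses are constructed for the example.

```python
"""Gate an Azure DevOps build on the SonarCloud Quality Gate without an ADO PAT.

Added example, not code from the thread, from SonarSource or from Microsoft.
It needs only a SonarCloud user token (SONAR_TOKEN), which can read analysis
results from SonarCloud but cannot touch Azure DevOps. The build fails because
this step exits non-zero, not because SonarCloud wrote a status back to the PR,
so no ADO PAT is handed to SonarCloud.

Assumptions (not stated in the thread): the api/qualitygates/project_status
endpoint and its response shape, token-as-username Basic auth, and the ADO
predefined variables BUILD_SOURCEBRANCHNAME / SYSTEM_PULLREQUEST_PULLREQUESTID.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from base64 import b64encode
from typing import List, Optional, Tuple

SONARCLOUD_URL = "https://sonarcloud.io"

# Constructed sample responses, in the shape the endpoint returns.
SAMPLE_OK = ('{"projectStatus":{"status":"OK","conditions":['
             '{"status":"OK","metricKey":"new_coverage","comparator":"LT",'
             '"errorThreshold":"80","actualValue":"91.2"}]}}')
SAMPLE_ERROR = ('{"projectStatus":{"status":"ERROR","conditions":['
                '{"status":"ERROR","metricKey":"new_coverage","comparator":"LT",'
                '"errorThreshold":"80","actualValue":"42.0"},'
                '{"status":"OK","metricKey":"new_security_hotspots_reviewed",'
                '"comparator":"LT","errorThreshold":"100","actualValue":"100"}]}}')
# Status NONE is what you get before the New Code Period is defined (Ann's
# footnote) or before any analysis has been processed.
SAMPLE_NONE = '{"projectStatus":{"status":"NONE","conditions":[]}}'


def gate_verdict(payload: str) -> Tuple[bool, List[str]]:
    """Parse a project_status response into (passed, failing_conditions).

    Fails closed: only an explicit "OK" passes. "ERROR", "NONE" (gate not
    computed yet) and unparseable or truncated responses all fail the build.
    """
    try:
        status = json.loads(payload)["projectStatus"]
    except (ValueError, KeyError, TypeError):
        return False, ["unparseable response from SonarCloud"]
    if not isinstance(status, dict):
        return False, ["unexpected projectStatus shape"]
    failing = [
        f"{c.get('metricKey')} {c.get('actualValue')} violates "
        f"{c.get('comparator')} {c.get('errorThreshold')}"
        for c in status.get("conditions", [])
        if isinstance(c, dict) and c.get("status") == "ERROR"
    ]
    if status.get("status") != "OK" and not failing:
        failing.append(f"gate status {status.get('status')!r}")
    return status.get("status") == "OK", failing


def fetch_project_status(project_key: str, token: str,
                         branch: Optional[str] = None,
                         pull_request: Optional[str] = None) -> str:
    """GET api/qualitygates/project_status for a branch or a PR analysis."""
    params = {"projectKey": project_key}
    if pull_request:
        params["pullRequest"] = pull_request
    elif branch:
        params["branch"] = branch
    url = (f"{SONARCLOUD_URL}/api/qualitygates/project_status?"
           + urllib.parse.urlencode(params))
    req = urllib.request.Request(url)
    # SonarCloud accepts the token as the Basic-auth user name with an empty password.
    req.add_header("Authorization",
                   "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def main() -> int:
    token = os.environ.get("SONAR_TOKEN")
    project_key = os.environ.get("SONAR_PROJECT_KEY")
    if not token or not project_key:
        print("##vso[task.logissue type=error]SONAR_TOKEN and SONAR_PROJECT_KEY must be set")
        return 2
    payload = fetch_project_status(
        project_key, token,
        branch=os.environ.get("BUILD_SOURCEBRANCHNAME"),
        pull_request=os.environ.get("SYSTEM_PULLREQUEST_PULLREQUESTID"),
    )
    passed, failing = gate_verdict(payload)
    if passed:
        print("SonarCloud Quality Gate: OK")
        return 0
    # ##vso logging commands surface the verdict in the pipeline UI; the
    # pipeline itself writes to ADO, so SonarCloud never needs to.
    for reason in failing:
        print(f"##vso[task.logissue type=error]Quality Gate failed: {reason}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run this as a script step after the scanner has finished. SonarCloud processes an analysis asynchronously, so either set `sonar.qualitygate.wait=true` on the scanner (which then blocks and fails on its own) or poll `api/ce/task` for the analysis task to reach SUCCESS before calling `fetch_project_status`; otherwise you may read the previous analysis's gate. What this approach gives up is exactly what Ann lists: the PR decoration and the status badge in Azure DevOps, which still require SonarCloud to hold an ADO credential.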