Azure integration without personal access token?

We are using SonarCloud with Azure DevOps to analyze and act as a quality gate for our web projects.

A problem we see is that we need to give sonarcloud a PAT which in turn gives you possibilities to do a number of things in devops. Sometimes more than what we required.

Is there a way to use SonarCloud as a quality gate without issuing an access token?

Hi,

Welcome to the community!

The PAT allows SonarCloud to talk to ADO to do things like:

  • import & pre-configure your projects
  • reflect PR analysis results back to your repository
  • …

If you don’t want those things, it should still be possible to get by without them, but you’ll forego several of SonarCloud’s benefits.

I haven’t tested that this still works, but historically projects were configured on first analysis. But it will be more work with, as I said, less rewarding results.

I guess you’re concerned that bad actors will gain access to your PAT from SonarCloud to maliciously perform “a number of things in devops”?

 
Ann


Hi!

It does work, but can SonarCloud still act as a quality gate? Or is the PAT needed for that? PR comments we can do without.

Hi!

Exactly, that’s what we are concerned about! We talked to a representative from Microsoft about it and they told us that we should avoid PAT-based solutions if we could.

Also it forces us to issue tokens for individual developers, which feels weird and hard to oversee. A general admin account to issue them is not really an option.

Thanks for your answer! :heart:

Best regards
Martin

Hi,

SonarCloud will always* calculate your Quality Gate status. But if you want that status reflected back into your DevOps Platform, then SonarCloud will need permissions to do that reflection/updating. So for that, it needs a PAT.

And I will ping the team with your concerns about a PAT-based solution. Thanks for providing explicit details of your concerns.

 
Ann

* Once your New Code Period is defined

Hello Ann, you’ve pinged the team a year ago. Is there anything on the roadmap for PAT-less integration with Azure DevOps? We are prohibited by our CISO to use PATs. So if this goes on like this, we’ll have to look at other solutions unfortunately.

Hi @Danny_van_der_Kraan,

Welcome to the community!

Unfortunately, I’m not aware of any movement on this topic.

 
:frowning:
Ann

Hello,

Was there, perhaps, any update on the topic?

Appreciate
Jan

Hi Jan,

Welcome to the community!

Sorry, no movement.

 
Ann

Hi, I know I’m resurrecting an old thread here, but as there doesn’t seem to be much movement on this issue, I’m trying to find other ways to get around the PAT limitations. I guess service principal authentication from SonarCloud into Azure DevOps (which would be the most convenient and conventional way to authenticate, IMHO) is not possible at this time. Is there a way to get around it via APIs? I’ve tried to retrieve the settings via their API endpoint, but I couldn’t find the setting containing the PAT, or one allowing me to change it.

Hi @Bart80,

Welcome to the community!

What you’ve asked (about APIs) is really a new question, and a different question deserves a new thread. But this one is pretty simple:

The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

 
Ann