Bitbucket and SonarCloud -- Cannot View Repos in read-only workspaces

I saw this, which is highly relevant, as I’m having the same issue:

However, unlike the user there, I do not have the ability to reconfigure bitbucket, or connect with SonarCloud using the owner of the workspace for the repos I need to access.

In BitBucket, I only have read-only access to repositories in a workspace owned by another user/administrator. These repositories do not show up in SonarCloud. Only repositories under my personal BitBucket workspace appear in SonarCloud.

From a security perspective, we ONLY want SonarCloud to access our repositories in a read-only capacity – not connected via an administrative account. It seems irresponsible/insecure to require admin privileges to simply audit code.

Is it possible to setup SonarCloud under this context? Basically, to connect SonarCloud to an account which has read-only access to another user’s repos/workspace.

Hi,

You can only import project for which you have admin permissions. That does not mean we ask for admin access to your project, we simply verify that you are admin on the project.

This is the case. All communications between SonarCloud and bitbucket are made with the SonarCloud BBC App which only required read-only access. We don’t use the user personal token to call the BBC API.

HTH,
Benoit

Hi Benoit,

From a security/compliance perspective, there is no way for us to verify that SonarCloud restricts permissions if you are requiring an admin account. If you only require read-only access, why do you then require an admin account to connect? It defies logic. You need to adhere to the principle of least privilege.

Enterprises and security-conscious organizations will approach it my way by default unless they have poor security practices. Mine is the perfect use case – setting up a read-only service account specific for SonarCloud; or setting up a read-only audit account. As it is, I can’t proceed with using this tool, nor can I, in good faith, suggest its use to any of my enterprise customers.

Can you please open a feature request to enable read-only accounts have the capability to audit code to which they have access?

Also, the BitBucket onboarding guide is not very clear. Assuming we use an administrator account (I’ll have to mirror the repository for testing…), do I also need to install the SonarCloud BBC App within BitBucket? So I’ll need an admin account on BitBucket? This seems overly complicated when all I want to do is run a point-in-time static code analysis without pipeline integration. Essentially, it’s impossible for a security developer to even attempt to get started with your tools without involving the admin for BitBucket and the admin over the workspace?

Thank you,
Michael

Hi @mgoodman-athenorm,

When users create organizations and repositories on SonarCloud, they are administrators of those. Administrators have specific rights, such as managing members and permissions, quality profiles and so on, which are typically administrators job.

We don’t want users with only read-only access to be able to create and administrate SonarCloud projects for workspaces and repositories that they are not admin of. One risk could be to expose code that is sensible.

We recommend to launch analysis inside a pipeline integration to follow the Clean As You Code and shift-left approach.
You can try it by connecting to SonarCloud with your BitBucketCloud account, and then you will be guided inside the product to set up the analysis for the repositories. If you don’t have a pipeline yet, you can try it with a bitbucket pipelines, this is pretty straightforward, and detailed in the tutorial.
And yes, you’ll have to be an admin of the Bitbucket workspace and repositories.

Otherwise you can create a manual project and launch analysis manually, but it’s only for testing purposes, SonarCloud is not designed for that. Configuration will be much complicated for features like PR decoration.

From what I read in your posts, you seem to correspond to a different profile that the ones we support right now. Could you please detail your profile, context, and your goal. If you prefer, we can exchange in private messages.
That will help us evaluate your use case.

Thanks.

Aurelie,

I think you’re a bit confused about what I’m asking.

I was attempting to setup a paid SonarCloud account (in which I would be a SonarCloud administrator leveraging a read-only BitBucket account). This setup adheres to the principle of least privilege. I am not complaining about not being able to add a bitbutcket account via a read-only sonarcloud account. Of course read-only sonarcloud accounts should not be able to add projects.

And yes, I agree with the need to shift left, but I also believe that it should be up to organizations to do so. Further, my request is in line with shifting left. A pipeline could very easily leverage a read-only bitbucket account and require successful messages from SonarCloud.

There is literally no reason for SonarCloud to require admin access to BitBucket. SonarCloud will not need to modify or commit code, push updates, etc. and therefore it should not require such extensive permissions.

(Also @aurelie – I don’t see where I can send you a private message)