Configure PullRequest without use of token

I'm looking at the PullRequest feature using AzureDevOps, and it bothers me that I have to provide an access token that has Write Access to our source code. From a security perspective I have a hard time justifying this feature by granting this access.

Is there a way that the build pipeline in AzureDevOps can update the PullRequest by not having this async callback from sonarcloud?

Regards,
Mikkel

Hi @Mikkel,

Short response: no, this is not possible.

Longer response: PR decoration is at the heart of the SonarCloud experience with Azure DevOps (and other ALMs too). That means, in particular, that if we remove it or make it possible to disable it, there's less and less added value we can provide.
I think you can only blame Microsoft for this, as, to be transparent, we use their API in order to decorate the Pull Request, and, among others, this one: https://docs.microsoft.com/en-us/rest/api/azure/devops/git/pull%20request%20threads/create?view=azure-devops-rest-5.1#security
which, as you can see, requires the code_write scope to be performed. I don't really know how it works under the hood or why we need this scope, but we don't have a choice here.

HTH,
Mickaël

Hi Mickaël,

Thank you for the reply and explanation.

Regards,
Mikkel