Doc Update: SonarScanner for Maven DOES NOT automatically pick SONAR_TOKEN from the environment

Hi Sonar Team,

We are using SonarCloud for our Maven project in GitHub Actions CI. It seems that the sonarscanner-for-maven documentation is not quite right.

The docs say:

> The SonarScanner for Maven automatically picks up the value directly from the environment variable. If you use an environment variable, it is not necessary to pass the token on the mvn command line.

However, this is not the case. We had to explicitly pass SONAR_TOKEN in the sonar.login property as part of the Maven CLI parameters, even though SONAR_TOKEN is configured in the repo secrets. Also, properties like sonar.organization, sonar.projectKey and are part of pom.xml.

    mvn compile org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}

The above command works without complaining about SONAR_TOKEN.

If SONAR_TOKEN is not passed explicitly, we get the following error:

    [INFO] ------------------------------------------------------------------------
    Error:  Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin: (default-cli) on project scheduler: Project not found. Please check the ‘sonar.projectKey’ and ‘sonar.organization’ properties, the ‘SONAR_TOKEN’ environment variable, or contact the project administrator -> [Help 1]

Fix here → PR:

Maybe there is a need to update the documentation.



Arsalan Khan

Hey there.

I can promise you it should work that way (and in most cases does). Here it is working that way in a test project of mine.

In my personal organization, only Owners are allowed to execute analysis. So I know the token is being used if analysis is executing.

If I run an env in my action I can see the redacted environment variables are available. You can see that on a dummy PR here

    JAVA_HOME_11.0.15_x64: /opt/hostedtoolcache/jdk/11.0.15/x64
    JAVA_HOME: /opt/hostedtoolcache/jdk/11.0.15/x64
    JAVA_HOME_11_0_15_X64: /opt/hostedtoolcache/jdk/11.0.15/x64
    SONAR_TOKEN: ***

How does it look for you if you run such a command? Are the environment variables actually making it to the job when you don’t specify -Dsonar.login=${{ secrets.SONAR_TOKEN }}?

Hi Colin,

In the attached PR (above), I have linked the failed Sonar job which does not have the SONAR_TOKEN passed as env. Here is the output of the GitHub Action:

    Run pushd src/scheduler
        mvn --no-transfer-progress compile spotbugs:spotbugs org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
      shell: /usr/bin/bash -e {0}
        JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.15-10/x64

Also, I tried to create a test test-PR to print out SONAR_TOKEN and it worked. The issue was also sporadic (happened at different intervals). Additionally, we have at least 10 failed Sonar jobs which had the above-mentioned issue.

Here are the failed jobs → Head to sonar-cloud job

By the way, I do have admin rights to run GitHub Actions.


Hey @asalan316

What I’m suggesting is that you check the env output on a build where you haven’t added -Dsonar.login=${{ secrets.SONAR_TOKEN }} to the scanner command. I couldn’t find a run where this was tried (please let me know if I missed it).
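
The check suggested in the last reply, as an added example that is not part of the original thread: a preflight that a workflow step could run before the Maven scan to report whether SONAR_TOKEN reached the step, without printing its value. The function names are hypothetical; it relies on GitHub Actions expanding an unavailable secret to an empty string, so "unset" points at a step with no `env:` mapping and "empty" at a mapping whose secret the run could not read.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): check that SONAR_TOKEN reached
# this step without ever echoing the secret itself.

# Prints exactly one of: unset | empty | present
sonar_token_state() {
  if [ -z "${SONAR_TOKEN+x}" ]; then
    echo "unset"     # variable absent: the step/job has no env: mapping for it
  elif [ -z "$SONAR_TOKEN" ]; then
    echo "empty"     # mapped, but the secret expanded to an empty string
  else
    echo "present"
  fi
}

# Returns 0 only when the token is present. Logs the state and the token
# length (never the value), so the job log shows why a scan would fail.
sonar_preflight() {
  state=$(sonar_token_state)
  case "$state" in
    present)
      echo "SONAR_TOKEN: present (${#SONAR_TOKEN} chars)"
      return 0
      ;;
    empty)
      echo "SONAR_TOKEN: mapped but empty (secret not available to this run)" >&2
      return 1
      ;;
    *)
      echo "SONAR_TOKEN: not in the environment (no env: mapping on this step)" >&2
      return 1
      ;;
  esac
}
```

Calling `sonar_preflight` in the same step, ahead of the `mvn ... sonar-maven-plugin:sonar` command, makes the job stop with the reason in its log rather than with the scanner's "Project not found" error.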