Getting 403 when github action tries to run sonar analysis

  • ALM used (GitHub, Bitbucket Cloud, Azure DevOps)
  • CI system used (Bitbucket Cloud, Azure DevOps, Travis CI, Circle CI)
  • Scanner command used when applicable (private details masked)

```
args=(-X -Dsonar.organization=sbg-funding -Dsonar.projectKey=Email-Automation-Service -Dsonar.scanner.skipJreProvisioning=true -Dsonar.sourceEncoding=UTF-8 -Dsonar.pullrequest.key=222 -Dsonar.pullrequest.branch=EA-229-AddSonarQubeTestCoverage -Dsonar.pullrequest.base=development -Dsonar.pullrequest.provider=github -Dsonar.pullrequest.github.repository=Email-Automation-Service)
```

  • Languages of the repository
  • C#
  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting)

```
Caused by: org.sonarsource.scanner.lib.internal.http.HttpException: GET https://api.sonarcloud.io/analysis/engine failed with HTTP 403
{"Message":"User is not authorized to access this resource with an explicit deny"}
```

  • Steps to reproduce
    when running the github action to perform the sonar analysis

Hi,

Welcome to the community and thanks for this report!

Could we have the full log, starting from the analysis command?

Your pipeline configuration would be helpful as well.

 
Thx,
Ann

Hi G Ann, this is the log

```
Run args=(-X -Dsonar.organization=sbg-funding -Dsonar.projectKey=SBG-Funding_Email-Automation-Service -Dsonar.scanner.skipJreProvisioning=true -Dsonar.sourceEncoding=UTF-8 -Dsonar.pullrequest.key=222 -Dsonar.pullrequest.branch=EA-229-AddSonarQubeTestCoverage -Dsonar.pullrequest.base=development -Dsonar.pullrequest.provider=github -Dsonar.pullrequest.github.repository=SBG-Funding/Email-Automation-Service)
+ sonar-scanner -Dsonar.projectBaseDir=services/_main/src/src -X -Dsonar.organization=sbg-funding -Dsonar.projectKey=SBG-Funding_Email-Automation-Service -Dsonar.scanner.skipJreProvisioning=true -Dsonar.sourceEncoding=UTF-8 -Dsonar.pullrequest.key=222 -Dsonar.pullrequest.branch=EA-229-AddSonarQubeTestCoverage -Dsonar.pullrequest.base=development -Dsonar.pullrequest.provider=github -Dsonar.pullrequest.github.repository=SBG-Funding/Email-Automation-Service
21:14:40.088 INFO  Scanner configuration file: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/conf/sonar-scanner.properties
21:14:40.093 INFO  Project root configuration file: /home/runner/work/Email-Automation-Service/Email-Automation-Service/services/_main/src/src/sonar-project.properties
21:14:40.115 INFO  SonarScanner CLI 7.1.0.4889
21:14:40.118 INFO  Java 17.0.13 Eclipse Adoptium (64-bit)
21:14:40.119 INFO  Linux 6.8.0-1030-azure amd64
21:14:40.128 DEBUG Scanner max available memory: 1 GB
21:14:40.155 DEBUG uname -m returned 'x86_64'
21:14:40.157 DEBUG Using JVM default truststore: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/lib/security/cacerts
21:14:40.159 DEBUG Create: /home/runner/.sonar/cache
21:14:40.161 INFO  User cache: /home/runner/.sonar/cache
21:14:40.161 DEBUG Create: /home/runner/.sonar/cache/_tmp
21:14:40.291 DEBUG Loading OS trusted SSL certificates...
21:14:40.292 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
21:14:40.633 DEBUG Loaded [440] system trusted certificates
21:14:40.902 DEBUG Loaded truststore from '/home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/lib/security/cacerts' containing 152 certificates
21:14:41.078 INFO  Communicating with SonarQube Cloud
21:14:41.079 INFO  JRE provisioning is disabled
21:14:41.079 INFO  Using the java executable '/home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/bin/java' from JAVA_HOME
21:14:41.080 DEBUG Executing: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/bin/java --version
21:14:41.116 DEBUG openjdk 17.0.13 2024-10-15
21:14:41.117 DEBUG OpenJDK Runtime Environment Temurin-17.0.13+11 (build 17.0.13+11)
21:14:41.118 DEBUG OpenJDK 64-Bit Server VM Temurin-17.0.13+11 (build 17.0.13+11, mixed mode, sharing)
21:14:41.164 DEBUG --> GET https://api.sonarcloud.io/analysis/engine
21:14:41.563 DEBUG <-- 403 https://api.sonarcloud.io/analysis/engine (397ms, 82-byte body)
21:14:41.570 INFO  EXECUTION FAILURE
21:14:41.571 INFO  Total time: 1.487s
21:14:41.571 ERROR Error during SonarScanner CLI execution
java.lang.IllegalStateException: Failed to get the scanner-engine metadata
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngineMetadata(ScannerEngineLauncherFactory.java:84)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngine(ScannerEngineLauncherFactory.java:66)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:56)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.buildNewFacade(ScannerEngineBootstrapper.java:197)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrapCloud(ScannerEngineBootstrapper.java:162)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:149)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: org.sonarsource.scanner.lib.internal.http.HttpException: GET https://api.sonarcloud.io/analysis/engine failed with HTTP 403
{"Message":"User is not authorized to access this resource with an explicit deny"}
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:137)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:121)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:103)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngineMetadata(ScannerEngineLauncherFactory.java:81)
	... 7 common frames omitted
```

and this is the github action:

```yaml
name: 'SonarCloud Scan'
description: 'Runs SonarCloud analysis and uploads results'

inputs:
  project-base-dir:
    required: true
    type: string
    description: 'Base directory for the project to scan'
  sonar-token:
    required: true
    type: string
    description: 'SonarCloud authentication token'
  pull-request-key:
    required: false
    type: string
    description: 'Pull request number (for PR analysis)'
  pull-request-branch:
    required: false
    type: string
    description: 'Pull request branch name'
  pull-request-base:
    required: false
    type: string
    description: 'Pull request base branch name'
  github-repository:
    required: false
    type: string
    description: 'GitHub repository name (format: owner/repo)'
  sonar-organization:
    required: false
    type: string
    default: 'sbg-funding'
    description: 'SonarCloud organization name'
  sonar-project-key:
    required: false
    type: string
    default: 'SBG-Funding_Email-Automation-Service'
    description: 'SonarCloud project key'
  verbose:
    required: false
    type: boolean
    default: true
    description: 'Enable verbose output for debugging'

runs:
  using: "composite"
  steps:
    - name: Debug SonarCloud Inputs
      shell: bash
      run: |
        echo "=== SonarCloud Scan Debug ==="
        echo "Project base dir: ${{ inputs.project-base-dir }}"
        echo "Sonar token provided: ${{ inputs.sonar-token != '' && 'YES' || 'NO' }}"
        echo "Pull request key: ${{ inputs.pull-request-key || 'NOT PROVIDED' }}"
        echo "GitHub repository: ${{ inputs.github-repository || 'NOT PROVIDED' }}"
        echo "Sonar organization: ${{ inputs.sonar-organization }}"
        echo "Sonar project key: ${{ inputs.sonar-project-key }}"
        echo "Verbose mode: ${{ inputs.verbose }}"
        echo "=== End Debug ==="

    - name: SonarCloud Scan
      uses: SonarSource/sonarqube-scan-action@v5.2.0
      env:
        SONAR_TOKEN: ${{ inputs.sonar-token }}
      with:
        projectBaseDir: ${{ inputs.project-base-dir }}
        args: >
          ${{ inputs.verbose && '-X' || '' }}
          -Dsonar.organization=${{ inputs.sonar-organization }}
          -Dsonar.projectKey=${{ inputs.sonar-project-key }}
          -Dsonar.scanner.skipJreProvisioning=true
          -Dsonar.sourceEncoding=UTF-8
          ${{ inputs.pull-request-key && format('-Dsonar.pullrequest.key={0}', inputs.pull-request-key) || '' }}
          ${{ inputs.pull-request-branch && format('-Dsonar.pullrequest.branch={0}', inputs.pull-request-branch) || '' }}
          ${{ inputs.pull-request-base && format('-Dsonar.pullrequest.base={0}', inputs.pull-request-base) || '' }}
          ${{ inputs.pull-request-key && '-Dsonar.pullrequest.provider=github' || '' }}
          ${{ inputs.github-repository && format('-Dsonar.pullrequest.github.repository={0}', inputs.github-repository) || '' }}
```

Thanks for any help in advance 🙂

Hi,

Thanks for the log & configuration.

Tell me about the user account your analysis token came from. And could this be relevant:

Also, is this a change from previous behavior? And if so, when did it start?

 
Thx,
Ann

I’m trying to create this for the first time. I see those posts, but my user is admin and has all the permissions checked (Administer Organization, Administer, Execute Analysis and Create), but I’m not sure why it would keep rejecting, saying it’s 403 forbidden.

Hi,

Could you check the permissions at the project level and make sure the user is explicitly granted Browse and Execute Analysis there?

 
Thx,
Ann


I checked and the user has all permissions for the project

Hi,

Can you try generating & using a new token from that user account?

 
Thx,
Ann

Hi G Ann, I tried again using a new token, but still getting the same error message:

```
Caused by: org.sonarsource.scanner.lib.internal.http.HttpException: GET https://api.sonarcloud.io/analysis/engine failed with HTTP 403
{"Message":"User is not authorized to access this resource with an explicit deny"}
```

Do you think it could be GitHub blocking the SonarCloud scanner, or something similar?

Hi,

Thanks for trying that. I’m not sure where to go from here, so I’m going to flag this for more expert eyes.

 
Ann


Thanks for all your support. This issue is weird; I would appreciate any help.

Hi G Ann, how are you? Do you know if someone else has been able to take a look at this case? Do you know if there are other channels to handle this issue? Maybe SonarQube support?

Hi,

As I said, I’ve flagged this for the experts. Hopefully they’ll be along soon.

 
Ann


thanks G Ann

Hi @dcastillo-sbg

All my apologies for the delay for this response.

I notice that in your pipeline, the SONAR_TOKEN environment variable is set with this:

```yaml
SONAR_TOKEN: ${{ inputs.sonar-token }}
```

The Sonar Token is a sensitive token, therefore it must be configured in the repository Secrets.

It can be accessed in the pipeline like this: `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}`

Note the `secrets.` prefix instead of `inputs.`. Could you try to change your pipeline to use `secrets.sonar-token`?

Hope that helps,

Claire

Hi Claire, thanks for helping me with this, I tried what you mentioned but got the following error:

```
Run SonarSource/sonarqube-scan-action@v5.2.0
Run ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
Run actions/cache@v4
Cache not found for input keys: sonar-scanner-cli-7.1.0.4889-Linux-X64
Run ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
+ mkdir -p /home/runner/work/_temp/sonarscanner
+ cd /home/runner/work/_temp/sonarscanner
+ SCANNER_FILE_NAME=sonar-scanner-cli-7.1.0.4889-linux-x64.zip
+ SCANNER_URI=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
+ command -v wget
+ wget --no-verbose --user-agent=sonarqube-scan-action https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
2025-08-08 14:16:31 URL:https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip [57695943/57695943] -> "sonar-scanner-cli-7.1.0.4889-linux-x64.zip" [1]
+ unzip -q -o sonar-scanner-cli-7.1.0.4889-linux-x64.zip
+ SCANNER_UNZIP_FOLDER=sonar-scanner-7.1.0.4889-linux-x64
+ SCANNER_LOCAL_FOLDER=/home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64
+ '[' -d /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64 ']'
+ mv -f sonar-scanner-7.1.0.4889-linux-x64 /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64
Run echo "${RUNNER_TEMP}/sonar-scanner-cli-7.1.0.4889-Linux-X64/bin" >> $GITHUB_PATH
Run args=(-X -Dsonar.organization=sbg-funding -Dsonar.projectKey=SBG-Funding_Email-Automation-Service -Dsonar.scanner.skipJreProvisioning=true -Dsonar.sourceEncoding=UTF-8 -Dsonar.pullrequest.key=222 -Dsonar.pullrequest.branch=EA-229-AddSonarQubeTestCoverage -Dsonar.pullrequest.base=development -Dsonar.pullrequest.provider=github -Dsonar.pullrequest.github.repository=SBG-Funding/Email-Automation-Service
+ sonar-scanner -Dsonar.projectBaseDir=services/_main/src/src -X -Dsonar.organization=sbg-funding -Dsonar.projectKey=SBG-Funding_Email-Automation-Service -Dsonar.scanner.skipJreProvisioning=true -Dsonar.sourceEncoding=UTF-8 -Dsonar.pullrequest.key=222 -Dsonar.pullrequest.branch=EA-229-AddSonarQubeTestCoverage -Dsonar.pullrequest.base=development -Dsonar.pullrequest.provider=github -Dsonar.pullrequest.github.repository=SBG-Funding/Email-Automation-Service
14:16:33.467 INFO  Scanner configuration file: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/conf/sonar-scanner.properties
14:16:33.472 INFO  Project root configuration file: /home/runner/work/Email-Automation-Service/Email-Automation-Service/services/_main/src/src/sonar-project.properties
14:16:33.491 INFO  SonarScanner CLI 7.1.0.4889
14:16:33.493 INFO  Java 17.0.13 Eclipse Adoptium (64-bit)
14:16:33.493 INFO  Linux 6.8.0-1031-azure amd64
14:16:33.502 DEBUG Scanner max available memory: 1 GB
14:16:33.524 DEBUG uname -m returned 'x86_64'
14:16:33.527 DEBUG Using JVM default truststore: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/lib/security/cacerts
14:16:33.528 DEBUG Create: /home/runner/.sonar/cache
14:16:33.529 INFO  User cache: /home/runner/.sonar/cache
14:16:33.529 DEBUG Create: /home/runner/.sonar/cache/_tmp
14:16:33.672 DEBUG Loading OS trusted SSL certificates...
14:16:33.673 DEBUG This operation might be slow or even get stuck. You can skip it by passing the scanner property 'sonar.scanner.skipSystemTruststore=true'
14:16:34.012 DEBUG Loaded [440] system trusted certificates
14:16:34.288 DEBUG Loaded truststore from '/home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/lib/security/cacerts' containing 152 certificates
14:16:34.475 INFO  Communicating with SonarQube Cloud
14:16:34.476 INFO  JRE provisioning is disabled
14:16:34.479 INFO  Using the java executable '/home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/bin/java' from JAVA_HOME
14:16:34.481 DEBUG Executing: /home/runner/work/_temp/sonar-scanner-cli-7.1.0.4889-Linux-X64/jre/bin/java --version
14:16:34.517 DEBUG openjdk 17.0.13 2024-10-15
14:16:34.518 DEBUG OpenJDK Runtime Environment Temurin-17.0.13+11 (build 17.0.13+11)
14:16:34.518 DEBUG OpenJDK 64-Bit Server VM Temurin-17.0.13+11 (build 17.0.13+11, mixed mode, sharing)
14:16:34.562 DEBUG --> GET https://api.sonarcloud.io/analysis/engine
14:16:34.964 DEBUG <-- 403 https://api.sonarcloud.io/analysis/engine (401ms, 82-byte body)
14:16:34.971 INFO  EXECUTION FAILURE
14:16:34.972 INFO  Total time: 1.508s
14:16:34.972 ERROR Error during SonarScanner CLI execution
java.lang.IllegalStateException: Failed to get the scanner-engine metadata
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngineMetadata(ScannerEngineLauncherFactory.java:84)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngine(ScannerEngineLauncherFactory.java:66)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.createLauncher(ScannerEngineLauncherFactory.java:56)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.buildNewFacade(ScannerEngineBootstrapper.java:197)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrapCloud(ScannerEngineBootstrapper.java:162)
	at org.sonarsource.scanner.lib.ScannerEngineBootstrapper.bootstrap(ScannerEngineBootstrapper.java:149)
	at org.sonarsource.scanner.cli.Main.analyze(Main.java:76)
	at org.sonarsource.scanner.cli.Main.main(Main.java:64)
Caused by: org.sonarsource.scanner.lib.internal.http.HttpException: GET https://api.sonarcloud.io/analysis/engine failed with HTTP 403
{"Message":"User is not authorized to access this resource with an explicit deny"}
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callUrl(ScannerHttpClient.java:137)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callApi(ScannerHttpClient.java:121)
	at org.sonarsource.scanner.lib.internal.http.ScannerHttpClient.callRestApi(ScannerHttpClient.java:103)
	at org.sonarsource.scanner.lib.internal.facade.forked.ScannerEngineLauncherFactory.getScannerEngineMetadata(ScannerEngineLauncherFactory.java:81)
	... 7 common frames omitted
```

I created a new secret from the Security section in SonarQube, then updated it in GitHub secrets.
This is how the pipeline is looking now:

```yaml
- name: SonarCloud Scan
  uses: SonarSource/sonarqube-scan-action@v5.2.0
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  with:
    projectBaseDir: ${{ env.PROJECT_DIRECTORY }}/src/src
    args: >
      -X
      -Dsonar.organization=sbg-funding
      -Dsonar.projectKey=SBG-Funding_Email-Automation-Service
      -Dsonar.scanner.skipJreProvisioning=true
      -Dsonar.sourceEncoding=UTF-8
      ${{ github.event.number && format('-Dsonar.pullrequest.key={0}', github.event.number) || '' }}
      ${{ github.head_ref && format('-Dsonar.pullrequest.branch={0}', github.head_ref) || '' }}
      ${{ github.base_ref && format('-Dsonar.pullrequest.base={0}', github.base_ref) || '' }}
      ${{ github.event.number && '-Dsonar.pullrequest.provider=github' || '' }}
      ${{ github.repository && format('-Dsonar.pullrequest.github.repository={0}', github.repository) || '' }}
```

Could you try to run the Sonar Scanner from your local computer using the same token?
You can go to your project Administration menu → Analysis method, and select the “Manually” box at the bottom right and follow the instructions to set it up.

If you get the same error, it means there is an issue with your token and/or the permissions of the associated user. If you don’t, it means the issue is in the pipeline configuration.

Best,

Hi Claire, I was able to debug/fix the issue using your alternative, the pipeline was referencing the wrong token, thanks for the help and support


Thanks for getting back to me, I’m happy that the issue is solved!
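
The isolation step suggested in this thread (try the same token outside the pipeline) can also be done inside the job, before the scanner starts, by checking the token the runner actually received. The script below is an added example, not part of the thread or of SonarSource's action; the function names, the `--run` switch, and the use of the `api/authentication/validate` Web API endpoint on sonarcloud.io with a Bearer header are assumptions.

```bash
#!/usr/bin/env bash
# Added example: preflight for the SonarCloud step. The function names, the
# 12-character fingerprint and the --run switch are choices made here.
# Assumed endpoint: the Web API credential check on sonarcloud.io.
VALIDATE_URL="https://sonarcloud.io/api/authentication/validate"

# Classify the value before any network call. A secret or input name that does
# not exist expands to an empty string in GitHub Actions.
token_shape() {
  case "$1" in
    "") echo "empty" ;;
    *[[:space:]]*) echo "whitespace" ;;
    *) echo "ok" ;;
  esac
}

# Short SHA-256 prefix: lets you compare the token the job received with the
# one that works locally without printing the token itself.
token_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -c1-12
  else
    printf '%s' "$1" | shasum -a 256 | cut -c1-12
  fi
}

# Interpret the JSON body returned by the validate endpoint.
classify_validate_body() {
  if printf '%s' "$1" | grep -Eq '"valid"[[:space:]]*:[[:space:]]*true'; then
    echo "valid"
  elif printf '%s' "$1" | grep -Eq '"valid"[[:space:]]*:[[:space:]]*false'; then
    echo "invalid"
  else
    echo "unexpected"
  fi
}

preflight() {
  shape=$(token_shape "${SONAR_TOKEN:-}")
  if [ "$shape" != "ok" ]; then
    echo "SONAR_TOKEN rejected ($shape): check which secret the step references" >&2
    return 1
  fi
  echo "SONAR_TOKEN fingerprint: $(token_fingerprint "$SONAR_TOKEN")"
  # The header goes in on stdin so the token stays out of the process list.
  body=$(printf 'Authorization: Bearer %s\n' "$SONAR_TOKEN" |
    curl -sS --max-time 15 -H @- "$VALIDATE_URL") || return 1
  result=$(classify_validate_body "$body")
  echo "Token check: $result"
  [ "$result" = "valid" ]
}

# Runs only on request, e.g. `bash sonar-preflight.sh --run` in an earlier step.
if [ "${1:-}" = "--run" ]; then preflight; exit $?; fi
```

Computing the same fingerprint locally for the token that works and comparing it with the value printed in the job log shows whether the pipeline is referencing a different token.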
