Environment Details:

• ALM used: GitHub
• CI system used: Azure DevOps
• Languages of the repository: C#

Our IT department has a policy to rotate all API keys on a given frequency and we recently noticed that the badge urls for the private repos (projects) have a token in them. What little documentation there is appears to indicate this is an API key that lets the badge look into the private repo (project) and get the stats back out again. We are using SonarCloud.io for hosting.

I am trying to figure out how to rotate that token to bring it in line with our IT security policy.

I submitted a request via the contact form and was redirected here by the person who answered.

Thanks for your time.

Hello @klaverty and welcome to our Community!

SonarCloud tokens are associated to users and allows act like them. You can check created tokens at your account security. It is also possible to manage them using our API.

As i mentioned, they need to be managed by the user that created them. SonarCloud create them automatically for you when required (like when your decide to scan it manually or when you generate a badge URL for a private project). So you need to know which user created these tokens you want to rotate. I think a good approach is to have a dedicated user for these tokens, which will make easier to rotate later (you can also give restricted permissions to this user).

Hello, @Alexandre_Holzhey,

I think there was a miscommunication in my posting. In sonarcloud.io, under your repo, there is a “Get project badges” button. In there there are links to badges to show in readmes such as this link:
[](https://sonarcloud.io/dashboard?id=[project name])

These tokens are fixed per project and there is no spot in the UI to change them. They are not tied to a specific user.

Hello @klaverty,

This is a reasonable request. I have raised a ticket for it.
While I appreciate the importance of complying to your policies, I think it is quite low risk so it may take time to find delivery slot.

SonarQube 9.2 has the following message, along with a “Renew Token” button:

Project badges can expose your security rating and other measures. Only use project badges in trusted environments. If your project badge security token has leaked to an unsafe environment, you can renew it

The token is the same regardless of the badge, so the risk is that you may expose:

• The number of Bugs, Code Smells, Lines of Code, and Vulnerabilities
• The percentage of Code coverage and Duplicated lines of code
• The Quality Gate status, Reliability rating, and Security rating
• The amount of Technical Debt

Are there any other permissions tied to the token @Mark_Clements ?

Hi Testworksau,

SonarQube 9.2 has the following message, along with a “Renew Token” button:

Yes, the renew token function has now been added to SonarQube! SonarCloud will follow.

This token of solely for the badges and any information made available as badges.

Regards,
Mark

Hi, When can we expect /api/project_badges/token endpoint in https://sonarcloud.io/api?

We are waiting for this feature as well. Additionally it would be great to get the badge_url via API as well and not only the SVG.

Alternatively would be good to be able to get (and regenerate) the badge token via an api. Looks like it is currently available on /api/component but that doesn’t appear to be an official supported api endpoint

For everyone that is looking for an automation solution for this, it seems to be possible to get the token using undocumented APIs that can be seen in action by looking at the UI workflows. Here is a small python snippet that will give you a badge token from the api/navigation/component endpoint

import requests
import requests
import urllib.parse

def get_sonar_badge_token(sonar_url, sonar_api_token, project_key):
      url = f'{sonar_url}/api/navigation/component?component={urllib.parse.quote(project_key)}'
      response = requests.get(url, auth=(sonar_api_token, ''))
      response.raise_for_status()
      return response.json()['badgeToken']