How to cycle token in badge url

Environment Details:

  • ALM used: GitHub
  • CI system used: Azure DevOps
  • Languages of the repository: C#

Our IT department has a policy to rotate all API keys on a given frequency and we recently noticed that the badge urls for the private repos (projects) have a token in them. What little documentation there is appears to indicate this is an API key that lets the badge look into the private repo (project) and get the stats back out again. We are using SonarCloud.io for hosting.

I am trying to figure out how to rotate that token to bring it in line with our IT security policy.

I submitted a request via the contact form and was redirected here by the person who answered.

Thanks for your time.

Hello @klaverty and welcome to our Community!

SonarCloud tokens are associated with users and allow acting as them. You can check created tokens under your account security. It is also possible to manage them using our API.

As I mentioned, they need to be managed by the user that created them. SonarCloud creates them automatically for you when required (like when you decide to scan manually or when you generate a badge URL for a private project). So you need to know which user created the tokens you want to rotate. I think a good approach is to have a dedicated user for these tokens, which will make it easier to rotate them later (you can also give restricted permissions to this user).

Hello, @Alexandre_Holzhey,

I think there was a miscommunication in my posting. In sonarcloud.io, under your repo, there is a “Get project badges” button. There you find links to badges to show in readmes, such as this link:
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=[project name]&metric=alert_status&token=[token])](https://sonarcloud.io/dashboard?id=[project name])

These tokens are fixed per project and there is no spot in the UI to change them. They are not tied to a specific user.
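Since these badge tokens are fixed per project and cannot be rotated from the UI, a security team will at least want an inventory of where they are embedded. The following script is an added example, not code from the thread or from SonarCloud: it scans markdown text for the badge URL format quoted in the post above and reports project, metric and line number with the token redacted. The README content is constructed for this example; the only assumption about the URL is the host, path and query parameter names shown in the post.

```python
"""Inventory SonarCloud badge URLs that embed a token in README text.

Added example (not from the original thread). It assumes only the URL
shape quoted in the post: https://sonarcloud.io/api/project_badges/measure
with project, metric and token query parameters.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample README: two private-project badges sharing one token
# and one public-project badge without a token.
SAMPLE_README = """# demo-service

[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=acme_demo-service&metric=alert_status&token=0123456789abcdef)](https://sonarcloud.io/dashboard?id=acme_demo-service)
[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=acme_demo-service&metric=coverage&token=0123456789abcdef)](https://sonarcloud.io/dashboard?id=acme_demo-service)
[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=acme_public-lib&metric=bugs)](https://sonarcloud.io/dashboard?id=acme_public-lib)
"""

# Matches the badge endpoint from the post; the match stops at the closing
# parenthesis, bracket or whitespace that ends a markdown image URL.
BADGE_URL_RE = re.compile(
    r"https://sonarcloud\.io/api/project_badges/measure\?[^)\]\s]+"
)


def redact(token: str) -> str:
    """Keep a short prefix so findings can be correlated without logging the secret."""
    return token[:4] + "..."


def find_badge_tokens(markdown: str) -> list[dict]:
    """Return one finding per badge URL that carries a token parameter."""
    findings = []
    for match in BADGE_URL_RE.finditer(markdown):
        url = match.group(0)
        params = parse_qs(urlparse(url).query)
        token = params.get("token", [None])[0]
        if token is None:
            continue  # public-project badge: nothing secret to track
        findings.append({
            "project": params.get("project", [""])[0],
            "metric": params.get("metric", [""])[0],
            "token_hint": redact(token),
            # 1-based line number of the badge inside the scanned text
            "line": markdown.count("\n", 0, match.start()) + 1,
        })
    return findings


def projects_by_token(findings: list[dict]) -> dict[str, set[str]]:
    """Group findings so the same token seen across badges is reported once."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f["token_hint"], set()).add(f["project"])
    return grouped


if __name__ == "__main__":
    results = find_badge_tokens(SAMPLE_README)
    for f in results:
        print(f"line {f['line']}: project={f['project']} metric={f['metric']} "
              f"token={f['token_hint']}")
    for hint, projects in projects_by_token(results).items():
        print(f"token {hint} used by projects: {sorted(projects)}")
```

Run it over each README (or any markdown file) in the repositories you control; the token prefix lets you match the same badge token across files without ever writing the full value to a log or ticket.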

Hello @klaverty,

This is a reasonable request. I have raised a ticket for it.
While I appreciate the importance of complying with your policies, I think it is quite low risk, so it may take time to find a delivery slot.