Our IT department has a policy to rotate all API keys on a given frequency and we recently noticed that the badge URLs for the private repos (projects) have a token in them. What little documentation there is appears to indicate this is an API key that lets the badge look into the private repo (project) and get the stats back out again. We are using SonarCloud.io for hosting.
I am trying to figure out how to rotate that token to bring it in line with our IT security policy.
I submitted a request via the contact form and was redirected here by the person who answered.
SonarCloud tokens are associated with users and allow acting like them. You can check created tokens in your account security settings. It is also possible to manage them using our API.
As I mentioned, they need to be managed by the user that created them. SonarCloud creates them automatically for you when required (like when you decide to scan it manually or when you generate a badge URL for a private project). So you need to know which user created these tokens you want to rotate. I think a good approach is to have a dedicated user for these tokens, which will make it easier to rotate later (you can also give restricted permissions to this user).
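As an added illustration of managing these tokens through the API (this is not code from the thread or from SonarSource): the Python below rotates a named user token by revoking it and generating a replacement through the api/user_tokens/search, revoke and generate web services. The base URL, token name and the offline FakeSonar stand-in are constructed for the example; the response field names follow the user_tokens services as I know them and should be checked against api/webservices on your own instance.

```python
import base64, json, urllib.parse, urllib.request
from typing import Any, Callable, Dict, Optional

# transport(method, url, params) -> parsed JSON; injected so the rotation logic runs offline in tests
Transport = Callable[[str, str, Dict[str, str]], Dict[str, Any]]

def rotate_user_token(transport: Transport, base_url: str, name: str,
                      login: Optional[str] = None) -> str:
    """Revoke the token called `name` if it exists, then generate a fresh one under the same name.
    Without `login` the calls act on the authenticated user (which must be the token's owner);
    an administrator can pass `login` to rotate a dedicated service account's token instead."""
    scope = {"login": login} if login else {}
    found = transport("GET", f"{base_url}/api/user_tokens/search", scope)
    existing = {t["name"] for t in found.get("userTokens", [])}
    params = {"name": name, **scope}
    if name in existing:
        transport("POST", f"{base_url}/api/user_tokens/revoke", params)
    return transport("POST", f"{base_url}/api/user_tokens/generate", params)["token"]

def urllib_transport(api_token: str) -> Transport:
    # Real HTTP transport: the API token is sent as the basic-auth username with an empty password
    auth = base64.b64encode(f"{api_token}:".encode()).decode()
    def send(method: str, url: str, params: Dict[str, str]) -> Dict[str, Any]:
        encoded = urllib.parse.urlencode(params)
        if method == "GET":
            url, data = (f"{url}?{encoded}" if encoded else url), None
        else:
            data = encoded.encode()
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}
    return send

class FakeSonar:
    """Constructed offline stand-in for the three endpoints (not a SonarCloud client)."""
    def __init__(self, tokens):
        self.tokens, self.calls = set(tokens), []
    def __call__(self, method, url, params):
        endpoint = url.rsplit("/api/", 1)[1]
        self.calls.append((method, endpoint, dict(params)))
        if endpoint == "user_tokens/search":
            return {"userTokens": [{"name": n} for n in sorted(self.tokens)]}
        if endpoint == "user_tokens/revoke":
            self.tokens.discard(params["name"])
            return {}
        self.tokens.add(params["name"])  # user_tokens/generate
        return {"name": params["name"], "token": "constructed-token-" + params["name"]}
```

Because the badge URL embeds the token, any badge URL built with the old token stops rendering once it is revoked, so the badge markup has to be regenerated from the project page after each rotation.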
This is a reasonable request. I have raised a ticket for it.
While I appreciate the importance of complying with your policies, I think it is quite low risk so it may take time to find a delivery slot.
SonarQube 9.2 has the following message, along with a “Renew Token” button:
Project badges can expose your security rating and other measures. Only use project badges in trusted environments. If your project badge security token has leaked to an unsafe environment, you can renew it
The token is the same regardless of the badge, so the risk is that you may expose:
The number of Bugs, Code Smells, Lines of Code, and Vulnerabilities
The percentage of Code coverage and Duplicated lines of code
The Quality Gate status, Reliability rating, and Security rating
The amount of Technical Debt
Are there any other permissions tied to the token @Mark_Clements ?
Alternatively, it would be good to be able to get (and regenerate) the badge token via an API. It looks like it is currently available on /api/component, but that doesn't appear to be an officially supported API endpoint.
For everyone that is looking for an automation solution for this, it seems to be possible to get the token using undocumented APIs that can be seen in action by looking at the UI workflows. Here is a small Python snippet that will give you a badge token from the api/navigation/component endpoint