Is it possible to configure SonarQube to work with a read-only Azure DevOps access token?

Hi everyone,

I’m currently working on integrating SonarQube with Azure DevOps, and I’m wondering if anyone has experience configuring it to work with a read-only access token? Our security policy restricts us from granting write access, so we’re hoping to limit permissions to just what’s necessary.

Has anyone successfully set this up, or are there any known limitations or workarounds? Any insights or advice would be greatly appreciated!

We are using SonarQube Version 9.9 (build 65466) on premise.

Thanks in advance!

Hey there.

Which edition of SonarQube are you using?

SonarQube needs an appropriately scoped token (with read/write permissions) in order to decorate Pull Requests (with comments, and with a status check indicating whether or not the Quality Gate succeeded). These are key features of the Developer Edition of SonarQube.

That does not answer my question.
I asked specifically not to have a token with a write permission.
Secondly, I wrote “we are using SonarQube Version 9.9 (build 65466) on premise”.

That’s the version – that isn’t the edition (Community / Developer / Enterprise / Data Center).

Right, my bad. We are currently using the Developer Edition.

Thanks!

You can configure a Read-only token (we don’t check the permissions in SonarQube v9.9), but you won’t be able to decorate pull requests in Azure DevOps, a key feature of Developer Edition. We can’t decorate pull requests with a read-only token because… commenting on a pull-request isn’t a read-only action. It is a write action.
