We're thrilled to announce that Scoped Organization Tokens can now be created for ALL current and future projects within an organization! This change makes analysis automation much easier and more seamless, as it removes the need to create a different token whenever a new project is onboarded.
You can also edit previously created tokens, allowing you to add or remove projects from the scope.
As usual, please feel free to share your feedback so that we continue improving our solution.
Hello! This new feature is greatly appreciated, and very well timed as well: the user who our current token belongs to just left the company, so I can now use a proper scoped token instead of my own (which'll break again in the future when I leave).
It's working well for main branch scans, however when it's kicked off as part of a GitHub pull request it's erroring out in the end task:
20:59:41.09 INFO: Github event: pull_request
20:59:41.107 INFO: Auto-configuring pull request 123
20:59:41.307 ERROR: Could not find the pullrequest with key '123'
20:59:41.637 The scanner engine did not complete successfully
20:59:41.637 Post-processing failed. Exit code: 1
That PR exists, and changing the token to my personal one causes it to work. It seems strange this scenario wouldn't be supported since this new feature was specifically created for automated CI/CD scenarios like this. Anything I'm missing?
Thank you for the report! We confirmed there is an edge case for GitHub PR analysis which makes them fail. We are actively working on a resolution and the fix should be deployed early this week. We'll update the thread.
I have a similar issue to the one that Matthew reported.
When running our build with -Dsonar.qualitygate.wait=true this new token scoped to 'all current and future' projects fails.
Using a private token works, and using a token scoped to the specific project works.
Output of relevant lines from a run of mvn sonar:sonar -Dsonar.qualitygate.wait=true below. As you can see, there is a 404 response on the /qualitygate api call that responds with "Project doesn't exist". The resource is available using the personal token as mentioned above.
[INFO] 11:30:04.760 ------------- Check Quality Gate status
[INFO] 11:30:04.761 Waiting for the analysis report to be processed (max 300s)
[DEBUG] 11:30:04.762 --> GET https://sonarcloud.io/api/ce/task?id=AZq_to_sEHb2llGV9_SN
[DEBUG] 11:30:05.054 <-- 200 https://sonarcloud.io/api/ce/task?id=AZq_to_sEHb2llGV9_SN (291ms, 183-byte body)
[DEBUG] 11:30:10.065 --> GET https://sonarcloud.io/api/ce/task?id=AZq_to_sEHb2llGV9_SN
[DEBUG] 11:30:10.283 <-- 200 https://sonarcloud.io/api/ce/task?id=AZq_to_sEHb2llGV9_SN (217ms, 253-byte body)
[DEBUG] 11:30:10.284 --> GET https://sonarcloud.io/api/qualitygates/project_status?analysisId=6e82d632-80e4-424b-91c1-e3296b109858
[DEBUG] 11:30:10.433 <-- 404 https://sonarcloud.io/api/qualitygates/project_status?analysisId=6e82d632-80e4-424b-91c1-e3296b109858 (148ms, unknown-length body)
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for ....
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 31.403 s
[INFO] Finished at: 2025-11-26T11:30:10+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar (default-cli) on project sandbox-root: Failed to get Quality Gate status - Project doesn't exist -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar (default-cli) on project sandbox-root: Failed to get Quality Gate status - Project doesn't exist
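The Maven log above shows the two-stage flow that -Dsonar.qualitygate.wait=true performs: poll /api/ce/task until the compute-engine task reaches SUCCESS, then read /api/qualitygates/project_status for the returned analysisId. The following is an added example, not code from the thread or from SonarSource: a minimal Python re-implementation of that flow with an injectable transport, driven here by a constructed stand-in for sonarcloud.io that reproduces the thread's observation (task completes for both tokens, gate read returns 404 "Project doesn't exist" for the org-scoped token only). Assumptions: the token is sent as `Authorization: Bearer <token>`, and the response shapes `{"task": {...}}` and `{"projectStatus": {...}}` match the SonarQube/SonarCloud web API; the token names and the fake server are constructed, while the task id and analysisId are copied from the log. The practical point it encodes is that a 404 at the quality-gate step after a successful analysis is, as this thread shows, a token-visibility problem and should not be read literally as a missing project.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Transport hook: (url, headers) -> (http_status, body_bytes). Injected so the flow
# runs offline here; in CI you would pass a thin wrapper over urllib/requests.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


@dataclass
class GateResult:
    ok: bool
    stage: str    # "ce_task" or "quality_gate": where the flow stopped
    detail: str


def wait_for_quality_gate(base_url: str, token: str, task_id: str, fetch: Fetch,
                          max_wait_s: int = 300, poll_s: int = 5,
                          sleep: Callable[[float], None] = time.sleep) -> GateResult:
    """What -Dsonar.qualitygate.wait=true does: poll the CE task, then read the gate.
    Assumption: Bearer auth and the SonarQube/SonarCloud JSON shapes named above."""
    headers = {"Authorization": f"Bearer {token}"}
    waited = 0
    while True:
        status, body = fetch(f"{base_url}/api/ce/task?id={task_id}", headers)
        if status != 200:
            return GateResult(False, "ce_task", f"HTTP {status} from /api/ce/task")
        task = json.loads(body)["task"]
        if task["status"] == "SUCCESS":
            analysis_id = task["analysisId"]
            break
        if task["status"] in ("FAILED", "CANCELED"):
            return GateResult(False, "ce_task", f"task ended with status {task['status']}")
        if waited >= max_wait_s:
            return GateResult(False, "ce_task", f"task still {task['status']} after {max_wait_s}s")
        sleep(poll_s)
        waited += poll_s

    url = f"{base_url}/api/qualitygates/project_status?analysisId={analysis_id}"
    status, body = fetch(url, headers)
    if status == 404:
        # The analysis itself succeeded, so the project exists: the thread shows this
        # response for a token that cannot read the gate. Report it as a scope problem.
        return GateResult(False, "quality_gate",
                          "404 'Project doesn't exist' after a successful analysis: "
                          "this token cannot read the quality gate; compare with a PAT "
                          "and re-check token scope/permissions")
    if status != 200:
        return GateResult(False, "quality_gate", f"HTTP {status} from project_status")
    gate = json.loads(body)["projectStatus"]["status"]
    return GateResult(gate == "OK", "quality_gate", f"quality gate {gate}")


# ---- Constructed stand-in for sonarcloud.io (not a real server) --------------------
TASK_ID = "AZq_to_sEHb2llGV9_SN"                       # from the log above
ANALYSIS_ID = "6e82d632-80e4-424b-91c1-e3296b109858"   # from the log above
GATE_READERS = {"personal-token"}   # "org-scoped-token" deliberately cannot read the gate


def make_fake_fetch() -> Fetch:
    polls = {"n": 0}

    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        token = headers["Authorization"][len("Bearer "):]
        if "/api/ce/task" in url:
            polls["n"] += 1   # first poll still PENDING, second reports SUCCESS
            task = {"id": TASK_ID, "status": "PENDING" if polls["n"] == 1 else "SUCCESS"}
            if task["status"] == "SUCCESS":
                task["analysisId"] = ANALYSIS_ID
            return 200, json.dumps({"task": task}).encode()
        if "/api/qualitygates/project_status" in url:
            if token not in GATE_READERS:
                return 404, json.dumps({"errors": [{"msg": "Project doesn't exist"}]}).encode()
            return 200, json.dumps({"projectStatus": {"status": "OK"}}).encode()
        return 404, b"{}"

    return fetch


def check_token(token: str) -> GateResult:
    """Run the full flow for one token against the constructed server, without sleeping."""
    return wait_for_quality_gate("https://sonarcloud.io", token, TASK_ID,
                                 make_fake_fetch(), sleep=lambda _: None)


if __name__ == "__main__":
    for t in ("personal-token", "org-scoped-token"):
        print(t, check_token(t))
```

Against a real instance, pass a fetch that does the HTTP call and a real task id (the scanner writes it to report-task.txt under the sonar working directory); running it once with the candidate token and once with a PAT tells you before a pipeline cut-over whether the token can reach both endpoints.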
We do have a similar problem. The SOT works fine with the sonarsource/sonarqube-scan-action but fails with a 404 in the sonarsource/sonarqube-quality-gate-action. Switching back to a PAT fixes the problem.
Do SOTs not have the permissions for the quality gate yet?
Hi Nour, the current approach of Scoped ORG tokens is not good enough for us.
We don't want to set up one single token for all projects in the ORG; it's not good security practice.
We would like to have an SOT generated automatically for each individual project when we start configuring analysis (no user-bound token on the analysis page). It would only be visible on a central admin page for all projects, so the admin can just see it with the date of the last analysis for any investigation purpose. No full visibility of the individual project's SOT token to the admin either.
If a group of teams wants a single SOT for multiple projects (existing & new) automatically, the admin should be able to generate a single SOT for multiple projects based on a TAG as the criterion. So any existing projects and new projects having a specific TAG defined by the admin as SOT_TAG should have a single SOT token automatically set.
Last one: we are okay with 'no expiry' for SOTs for a proper automated process. BUT after every 3 months, the token should be rotated automatically as a best security practice, based on some criteria defined by the admin for those individual SOT tokens. For example, free-text-based auto message generation and the device's internal clock with a standard algorithm (TOTP), OR some other good secure approach for token rotation at both ends (SonarCloud and application end). This is the best secure approach.
Thank you @shrikantgade for your feedback, I have logged it on our side.
Scoped Organization Tokens can be scoped to a set of projects within the organization which is a significant security enhancement compared to PATs. We still have a few enhancements planned to increase security and usability such as automatic rotations and regex based assignment of tokens to projects.
Does the 'expanded permissions' point include allowing actions other than running analysis? Currently we're still not able to use SOTs because we not only run analysis but also query analysis results to post them into merge requests. Right now SOTs do not allow that. So we have to revert to using personal tokens, again.
It's as of now. We might need to use more in future (or might not).
There's another thing, however. We're experimenting with AI Code Reviewer by providing it with access to Sonar. That's where using an SOT also failed and we had to revert to a personal token as well. But for this automation I cannot say which endpoints were used, because we're not sure which endpoints AI Code Reviewer called (or would like to call in future).