Revoking SonarCloud API tokens

Is there a way to revoke all API tokens that users in our organization have issued?


Hi @tbrownSpecialized

Unfortunately, we don’t have any option for this currently.

SonarCloud has a responsibility to support something that allows an organization owner to revoke access. Even if this isn’t part of the UI, someone at SonarCloud should be able to help resolve this issue. A security tool with no way to secure usage is going to hurt your customer base. Please let me know who I can work with to sort this out; maybe it’s as simple as revoking and re-adding the SonarCloud access to GitHub?

Hi,

After discussing with the team, we think that two options can be applied for this specific breach:

  1. All users of your organization can revoke all their tokens through the SonarCloud website or Web API.
  2. The organization admin can remove the Execute Analysis permission from the users to find out which users’ tokens are used in your CI, since those analyses will fail. Then you can ask these users to revoke their tokens.

We are working on improving our token generation and management processes. We will let you know of each update.
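Option 1 above refers to the Web API. The script below is an added example for this thread, not code from SonarSource or from any poster: it lists the caller’s tokens with GET api/user_tokens/search and revokes each one with POST api/user_tokens/revoke (both documented SonarCloud Web API endpoints that take the token’s name). The SONAR_TOKEN variable name, the base URL, the dry-run flag and the sample response are assumptions. The token used to authenticate the calls is revoked last, because revoking it first would break the remaining calls.

```python
"""Revoke all SonarCloud user tokens of the authenticated user.

Added example (not SonarSource's code). Assumptions: the token used to call
the API is in SONAR_TOKEN, its own name is given as --current so it can be
revoked last, and --dry-run only prints the requests that would be sent.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://sonarcloud.io"  # assumption: public SonarCloud instance


def token_names(search_response):
    """Extract token names from an api/user_tokens/search response.

    Shape: {"login": "...", "userTokens": [{"name": "...", ...}, ...]}.
    """
    return [t["name"] for t in search_response.get("userTokens", [])]


def revoke_requests(names, current=None):
    """Build (path, form body) pairs for api/user_tokens/revoke, one per name.

    If `current` names the token performing the calls, it is moved to the end
    so the other revocations still authenticate.
    """
    ordered = [n for n in names if n != current]
    if current is not None and current in names:
        ordered.append(current)
    return [("/api/user_tokens/revoke", urllib.parse.urlencode({"name": n}))
            for n in ordered]


def call(token, method, path, body=None):
    """Send one authenticated request. SonarCloud accepts the token as the
    Basic-auth user name with an empty password."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    cred = base64.b64encode((token + ":").encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # revoke returns 204, no body


def main(argv):
    token = os.environ.get("SONAR_TOKEN")
    if not token:
        sys.exit("set SONAR_TOKEN to the token that should perform the calls")
    dry_run = "--dry-run" in argv
    current = None
    if "--current" in argv:
        current = argv[argv.index("--current") + 1]
    search = call(token, "GET", "/api/user_tokens/search")
    names = token_names(search)
    print("tokens of %s: %s" % (search.get("login"), names))
    for path, body in revoke_requests(names, current=current):
        if dry_run:
            print("would POST %s %s" % (path, body))
        else:
            call(token, "POST", path, body)
            print("revoked: %s" % body)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it once per user (each user can only see and revoke their own tokens), e.g. `SONAR_TOKEN=... python revoke_tokens.py --current ci-build --dry-run` first, then without `--dry-run`. Users who have left the organization cannot be handled this way; for them the permission route in option 2 (token → user → permissions) is what stops the token from working.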

Thanks for the options. #1 won’t work, as we may even have folks that created a token and left the company; I’m not sure if those tokens still have permissions. The second option is possible, but will be quite tedious with 44 users across multiple time zones. Does the Execute Analysis permission affect the user’s ability to perform scans, or only their token? If we remove SonarCloud’s permission to GitHub and re-add it, will it invalidate the tokens?

Also, now that I’m looking at it, very few people have Execute Analysis, but I’m pretty confident some of them had tokens that we were using. Are we sure removing that access will remove the ability for CI to run properly?

Hi @tbrownSpecialized ,

“we may even have folks that created a token and left the company, not sure if that token still has permissions.”

SonarCloud tokens are associated with users. So, if these users are not members of your organization or have no permission to execute analysis, their tokens don’t work (token → user → permissions).
Please have a look at this answer.

“Does execute permission affect the user’s ability to perform scans, or only their token?”

As explained above, it affects the user’s ability, not only tokens (token = user).

“If we remove SonarCloud’s permission to GitHub and re-add it, will it invalidate the tokens?”

No, it won’t.

“Are we sure removing that access will remove the ability for CI to run properly?”

Yes. If users try to analyze a project with their token without the Execute Analysis permission, they will get an error like: “Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator.”
