SCA Risk Report - Portfolio Level Export

Hello Dear Community,

I’m trying to fetch all the SCA findings from a specific portfolio.

We have SonarCloud Advanced Security and I can see that the findings are available in the GUI.
I created a “Scoped Organization Token” (that is not expired yet).

```bash
# Portfolio ID passed as the component
export SONAR_TOKEN=""
curl -sS \
  -H "Authorization: Bearer $SONAR_TOKEN" \
  "https://api.sonarcloud.io/sca/risk-reports?component=<PORTFOLIO_ID>&type=release_risks"
```

→ {"message":"Access denied"} :prohibited:

```bash
# Portfolio name passed as the component
export SONAR_TOKEN=""
curl -sS \
  -H "Authorization: Bearer $SONAR_TOKEN" \
  "https://api.sonarcloud.io/sca/risk-reports?component=<PORTFOLIO_NAME>&type=release_risks"
```

→ {"message":"SCA feature is not enabled."} :prohibited:

```bash
# Project ID passed as the component
export SONAR_TOKEN=""
curl -sS \
  -H "Authorization: Bearer $SONAR_TOKEN" \
  "https://api.sonarcloud.io/sca/risk-reports?component=<PROJECT_ID>&type=release_risks"
```

→ Working :white_check_mark:

Does it look like it’s not possible to access SCA findings from a portfolio?

Kind Regards,
Thomas

`component` takes an ID, not the portfolio name. You can get the ID from the page URL when viewing a portfolio.

Also: as scoped organization tokens are tied to an organization, but a portfolio spans organizations, a scoped organization token is not appropriate for accessing a portfolio.

Hi Bill,

What would be the best practice then?
I don’t see the possibility to create a token at the “enterprise” level.