Security concern on user tokens

security

(Dominique THERY) #1

Hi,

Today we're using the Azure DevOps / SonarQube pair for most of our developments. Both are linked to our Azure AD.
For each project in Azure DevOps, we automatically create an endpoint to SonarQube, using the token of a SonarQube local account (not an Azure AD account) whose only permission is 'Execute Analysis', and it works pretty well.

We decided to give SonarCloud a try, and while trying to set up my usual endpoint, I realized that it's no longer possible to create local accounts. So I'm stuck with my personal account, which is an organization owner, with all its permissions.

I smiled. Our security guys didn’t… So straightaway, for us, it’s already a big no go.
Any thoughts on this? Anything in your backlog to secure tokens in addition to users (just like in Azure DevOps)?

PS: Just in case… No service accounts in Azure AD. Only ‘real’ users are synchronized, that’s a group / company policy.

Thanks.


(Fabrice Bellingard) #2

Hi Dominique,

Since you cannot have service accounts in Azure AD, the only other way to solve your situation is to grant the "Execute Analysis" permission (at org level) to one of your team members who is not an owner of the org on SonarCloud. This way, if the token gets stolen or compromised, it won't grant admin permissions on the org.

We already talked in the past about having org tokens (instead of user tokens) for this matter - but this never really became a priority since we’ve had no traction on this feature. Maybe we should think again about this sometime soon.
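Whichever account ends up behind the Azure DevOps service endpoint (the scan-only local account from post #1, or the non-owner team member suggested in post #2), the pipeline can verify before running that the token it holds is not over-privileged. The script below is an added example, not code from the thread or from SonarSource. It assumes the SonarQube Web API endpoints `api/authentication/validate` and `api/users/current`, that the latter reports a `permissions.global` list using SonarQube's key names (`scan` for Execute Analysis, `admin` for Administer System, and so on), that a user token is sent as the Basic-auth username with an empty password, and that `SONAR_HOST_URL` and `SONAR_TOKEN` are set in the environment; SonarCloud's org-level permission keys may differ, so treat the key names as an assumption to confirm against your instance.

```python
"""Pre-flight check for the token an Azure DevOps service endpoint uses to
reach SonarQube/SonarCloud: fail the job if the token belongs to an account
that holds more than the Execute Analysis permission.

Added example, not from the original thread. Assumptions: the Web API
endpoints api/authentication/validate and api/users/current, a
permissions.global list keyed as SonarQube reports it ("scan", "admin",
...), and SONAR_HOST_URL / SONAR_TOKEN in the environment.
"""
import base64
import json
import os
import urllib.request

# Global permission keys as SonarQube's web API reports them (assumption).
SCAN = "scan"
PRIVILEGED = {"admin", "profileadmin", "gateadmin", "provisioning"}


def assess_permissions(current_user: dict) -> tuple[bool, str]:
    """Return (ok, reason) for the JSON body of GET api/users/current.

    ok is True only when the account can run analyses and holds none of the
    global permissions that would let a leaked token administer the server.
    """
    if not current_user.get("isLoggedIn"):
        return False, "token rejected: not logged in"
    perms = set(current_user.get("permissions", {}).get("global", []))
    if SCAN not in perms:
        return False, "account lacks the Execute Analysis ('scan') permission"
    excess = sorted(perms & PRIVILEGED)
    if excess:
        return False, f"account is over-privileged for CI: {excess}"
    return True, f"ok: '{current_user.get('login')}' holds only {sorted(perms)}"


def _get(host: str, path: str, token: str) -> dict:
    # A user token goes in as the Basic-auth username with an empty password.
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(f"{host.rstrip('/')}/{path}",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_endpoint_token(host: str, token: str) -> tuple[bool, str]:
    """Live check: validate the token, then assess the account's permissions."""
    if not _get(host, "api/authentication/validate", token).get("valid"):
        return False, "token invalid or expired"
    return assess_permissions(_get(host, "api/users/current", token))


# Constructed sample responses standing in for the live API: a scan-only
# CI account versus an organization owner's personal account.
SAMPLE_SCAN_ONLY = {"isLoggedIn": True, "login": "ci-scanner",
                    "permissions": {"global": ["scan"]}}
SAMPLE_ORG_OWNER = {"isLoggedIn": True, "login": "org-owner",
                    "permissions": {"global": ["admin", "profileadmin",
                                               "gateadmin", "scan",
                                               "provisioning"]}}

if __name__ == "__main__":
    host, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    if host and token:
        ok, reason = check_endpoint_token(host, token)
    else:
        # Offline demo on the constructed owner response; exits non-zero.
        ok, reason = assess_permissions(SAMPLE_ORG_OWNER)
    print(reason)
    raise SystemExit(0 if ok else 1)
```

Run it as the first step of the pipeline with the endpoint's token injected into `SONAR_TOKEN`; a non-zero exit stops the job before any analysis runs with a token that could also administer the server or organization.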