Today we’re using the Azure DevOps / SonarQube combination for most of our development. Both are linked to our Azure AD.
For each project in Azure DevOps, we automatically create an endpoint to SonarQube, using the token of a SonarQube local account (not an Azure AD account) whose only permission is ‘Execute Analysis’, and it works pretty well.
We decided to give SonarCloud a try, and while trying to set up my usual endpoint, I realized that it’s no longer possible to create local accounts. So I’m stuck with my personal account, which is the organization owner, with all its permissions.
I smiled. Our security guys didn’t… So straight away, for us, it’s already a big no-go.
Any thoughts on this? Anything in your backlog to secure tokens in addition to users (just like in Azure DevOps)?
PS: Just in case… There are no service accounts in Azure AD. Only ‘real’ users are synchronized; that’s a group / company policy.
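The least-privilege pattern the post describes (a local SonarQube account holding only the global ‘Execute Analysis’ permission, with a token for the Azure DevOps service connection) can be scripted against the SonarQube Web API. This is an added example, not code from the post or from SonarSource; the server URL, admin token, login and password are placeholders, and it assumes a self-hosted SonarQube where `api/users/create`, `api/permissions/add_user` and `api/user_tokens/generate` are available to an administrator.

```python
"""Create a scan-only SonarQube local account and a token for CI (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# Placeholder values: replace with a real server and an administrator token.
BASE_URL = "https://sonarqube.example.internal"
ADMIN_TOKEN = "REPLACE_WITH_ADMIN_TOKEN"

# The global "scan" permission is what the UI labels "Execute Analysis".
SCAN_ONLY = {"scan"}


def auth_header(token: str) -> str:
    # SonarQube accepts a token as the basic-auth user name with an empty password.
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def api_post(base_url: str, token: str, path: str, params: dict) -> dict:
    """POST a form-encoded request; some endpoints return 204 with no body."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path, data=data,
                                 headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def create_scan_account(base_url: str, token: str, login: str, password: str) -> str:
    """Create a local user, grant only global 'scan', and return a CI token."""
    api_post(base_url, token, "api/users/create",
             {"login": login, "name": login, "password": password, "local": "true"})
    api_post(base_url, token, "api/permissions/add_user",
             {"login": login, "permission": "scan"})
    return api_post(base_url, token, "api/user_tokens/generate",
                    {"name": "azure-devops", "login": login})["token"]


def excess_permissions(granted) -> set:
    """Global permissions beyond 'scan' that a scan account should not hold."""
    return set(granted) - SCAN_ONLY


if __name__ == "__main__":
    # Placeholder credentials for the new account; store the token in Azure DevOps.
    print(create_scan_account(BASE_URL, ADMIN_TOKEN, "ci-sonar", "REPLACE_WITH_PASSWORD"))
```

The returned token is the only secret the Azure DevOps endpoint needs, and `excess_permissions` can be run over the account's global permissions in a periodic review to confirm it has not been widened.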