Should we share SONAR_TOKEN for all repositories in Github org, or use one per repo?

Eli_Encarnacion · April 23, 2024, 5:31pm

ALM used: GitHub
CI system used: Github Actions

General “best practices” question.

Are there any drawbacks with creating a single SONAR_TOKEN secret and setting it as a secret in our entire Github organization, so that all repositories use the same token during scanning?

Are there any API rate-limits we would run into with this approach, or other security concerns?

Or should we stick to having a unique token per repository?

The shared setup appeals to use due to ease of management, but wanted to check first whether this is recommended at all.

ganncamp · April 24, 2024, 12:51pm

Hi,

Welcome to the community!

There are no rate limits for token use, so it’s fine from that perspective. Since all tokens have the same rights, having central control with one token to manage is probably easiest.

HTH,
Ann

Topic		Replies	Views
Sharing SONAR_TOKEN between projects in a monorepo? SonarQube Cloud	3	1863	November 2, 2021
Organization token SonarQube Cloud	1	3274	June 28, 2019
Token security? SonarQube Cloud iam	9	8228	June 25, 2020
One badge token for all my projects SonarQube Server / Community Build sonarqube , tokens , badges	3	58	January 15, 2025
Do I need to create sonar token for each and every repo and make service connection for that SonarQube Server / Community Build	3	1126	November 1, 2021

Should we share SONAR_TOKEN for all repositories in Github org, or use one per repo?

Related topics