Should we share SONAR_TOKEN for all repositories in Github org, or use one per repo?

  • ALM used: GitHub
  • CI system used: Github Actions

General “best practices” question.

Are there any drawbacks with creating a single SONAR_TOKEN secret and setting it as a secret in our entire Github organization, so that all repositories use the same token during scanning?

Are there any API rate-limits we would run into with this approach, or other security concerns?

Or should we stick to having a unique token per repository?

The shared setup appeals to use due to ease of management, but wanted to check first whether this is recommended at all.


Welcome to the community!

There are no rate limits for token use, so it’s fine from that perspective. Since all tokens have the same rights, having central control with one token to manage is probably easiest.