SONAR_TOKEN permissions in pull request GitHub Actions

Hi!

I’m facing an issue when running a CI build from a GitHub Action for a public repo: if I run it myself, it decorates the PR fine; however, external users (not belonging to the organisation or not set as repo contributors) can’t run the analysis in pull requests. The Sonar_token is stored as a secret in the org.
It seems the secret is not passed into the workflow when the PR is run by users who are not members or collaborators, despite the repo being public.

Any idea how to resolve this?


*** Build Succeeded :)  **** 
SonarScanner for MSBuild 5.13
Using the .NET Core version of the Scanner for MSBuild
The format of the analysis property sonar.login= is invalid

Hey there.

SonarCloud does not support running PR analysis on external PRs. You can vote for this here.

Thank you Colin.

What do you mean by external PRs? This is a PR against our own repo, which is public, the only difference being the user who created the PR not being a member of the GitHub organisation or contributor. But the software is also public and open source, so it wouldn’t be ideal to start adding everyone as a contributor…

Is there a way to set up a dedicated, separate token with the minimum set of permissions to execute the analysis in this case (i.e. a token with access to projects of public repos only)?

Thanks!

It’s a PR from a fork… which I guess we’ve taken to calling “external PRs” internally.

Some users have crafted some complicated workarounds. You’re welcome to take a look.

This is a topic we’re sure we’ll address someday, but unfortunately, it keeps getting bumped.
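The limitation discussed in this thread comes from GitHub Actions itself: a workflow triggered by a `pull_request` event from a fork runs without the repository or organisation secrets, so `SONAR_TOKEN` is empty and the scanner fails with the "sonar.login= is invalid" message seen in the original post. The following workflow is an added example, not part of the thread and not SonarSource's own configuration; it skips the Sonar job for fork PRs instead of leaking or loosening the token, and adds a defensive check so a missing secret fails early with a clear message. The job name, project key, organisation key and solution path are placeholders.

```yaml
# Added example (not from the original thread): run the SonarScanner for
# MSBuild only when the PR head belongs to this repository. Workflows
# triggered by pull_request events from forks do not receive secrets, so
# SONAR_TOKEN would be empty there. ORG_PROJECT_KEY, ORG_KEY and the
# solution path are placeholders.
name: Sonar PR analysis

on:
  pull_request:
    branches: [ main ]

jobs:
  sonar:
    runs-on: windows-latest
    # Same-repo check: skip (rather than fail) the job for PRs from forks.
    # This is more explicit than testing whether the secret happens to be empty.
    if: github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read
      pull-requests: read
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the scanner can compute new code in the PR

      - name: Refuse to continue without a token (defensive check)
        shell: pwsh
        run: |
          if ([string]::IsNullOrEmpty($env:SONAR_TOKEN)) {
            Write-Error "SONAR_TOKEN is not available in this run; not starting analysis."
            exit 1
          }

      - name: Begin analysis
        shell: pwsh
        run: |
          dotnet tool install --global dotnet-sonarscanner
          dotnet sonarscanner begin `
            /k:"ORG_PROJECT_KEY" `
            /o:"ORG_KEY" `
            /d:sonar.host.url="https://sonarcloud.io" `
            /d:sonar.login="$env:SONAR_TOKEN"

      - name: Build
        shell: pwsh
        run: dotnet build PLACEHOLDER.sln --configuration Release

      - name: End analysis
        shell: pwsh
        run: dotnet sonarscanner end /d:sonar.login="$env:SONAR_TOKEN"
```

With this layout, PRs from forks simply show no Sonar decoration, which matches the current SonarCloud limitation described in this thread, while the token is never exposed to code that the organisation does not control. The token keeps its normal scope; nothing here requires granting Execute Analysis to Anyone.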

Thanks Colin,

Is there a way of having a separate permissions template to give Execute Analysis permissions to Anyone and we assign these permissions to public repos only, in a way that doesn’t require a token, or is not too bad to put it as an environment variable if it’s only scoped to public repos?

Will try that thread in a while as well, thank you!

Hi Colin,

I’ve tried a different option, if possible.

According to the Analysis Parameters in the documentation, if we give Execute Analysis permissions to the group Anyone, then there is no need to use a token for login purposes.

So I’ve tried giving Anyone permissions to execute analysis and then removed the sonar.login parameter; however, it’s giving a 403 error now when trying to retrieve the quality profiles, it seems.

Any ideas? Should that work?

Hey there.

I can’t advise granting Execute Analysis permissions to Anyone – it means somebody could run an analysis on your main branch without permission (it’s not just limited at pull requests). It’s a security risk.

Which 403 error are you talking about? I see this in the logs shared:

SonarScanner for MSBuild 5.13

Using the .NET Core version of the Scanner for MSBuild
Post-processing started.
20:28:48.641 SonarQube analysis could not be completed because the analysis configuration file could not be found: D:\a\fake-xrm-easy-abstractions\fake-xrm-easy-abstractions\.sonarqube\conf\SonarQubeAnalysisConfig.xml.

It’s at the top of the logs, line 49

20:27:51.677  Downloading from https://sonarcloud.io/api/qualityprofiles/search?project=DynamicsValue_fake-xrm-easy-abstractions&organization=dynamicsvalue...
20:27:51.827  Response received from https://sonarcloud.io/api/qualityprofiles/search?project=DynamicsValue_fake-xrm-easy-abstractions&organization=dynamicsvalue...
Unhandled exception. System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 ().
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at SonarScanner.MSBuild.PreProcessor.WebClientDownloader.TryDownloadIfExists(String url, Boolean logPermissionDenied)
   at SonarScanner.MSBuild.PreProcessor.WebServer.SonarWebServer.DownloadQualityProfile(String projectKey, String projectBranch, String language)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.FetchArgumentsAndRuleSets(ISonarWebServer server, ProcessedArgs args, BuildSettings settings)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.DoExecute(ProcessedArgs localSettings)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.Execute(IEnumerable`1 args)
   at SonarScanner.MSBuild.BootstrapperClass.PreProcess()
   at SonarScanner.MSBuild.BootstrapperClass.Execute()
   at SonarScanner.MSBuild.Program.Execute(String[] args, ILogger logger)
   at SonarScanner.MSBuild.Program.Execute(String[] args)
   at SonarScanner.MSBuild.Program.Main(String[] args)
   at SonarScanner.MSBuild.Program.<Main>(String[] args)

Hey.

Thanks for this.

I’m having a headache figuring out why I can only view Projects and Rules on your organization but not Quality Profiles… I suspect it has something to do with not being a member of an organization… which begs the question why it’s possible to configure the Execute Analysis permission at all for Anyone (which is a distinct group from Members).

At the same time, I suspect it’s because we think it’s a bad idea for Anyone to be able to execute analysis (even if it would fix your current pain).

I’ll flag this for attention to see if there’s something we want to do about this, whether in behavior or making the behavior clearer.