SonarCloud PR Decoration on Azure DevOps Pull-requests

Template for a good new topic, formatted with Markdown:

  • ALM used (GitHub, Bitbucket Cloud, Azure DevOps)
    Azure DevOps

  • CI system used (Bitbucket Cloud, Azure DevOps, Travis CI, Circle CI
    Azure DevOps

  • Scanner command used when applicable (private details masked)
    Generic scanner on Azure Pipelines

  • Languages of the repository
    Mostly java

  • Only if the SonarCloud project is public, the URL

    • And if you need help with pull request decoration, then the URL to the PR too
  • Behavior observed
    We want to configure Pull request decoration for our projects. We have several projects (today 57 projects)
    All projects are AzureDevOps SCM and pipelines.

So here are my questions:

  • Is there an Organization option to configure the Azure PAT Token ?
  • Can I set a Default Organization PR Provider sonar.pullrequest.provider ?

Marcel Dias

Hi @marceldiass and welcome to the community !

The Azure DevOps experience on SonarCloud doesn’t benefit yet from organization-wide settings, and more globally, from bindings of organizations between it and Azure.

That being said, it’s not possible yet to set a PAT at organization level.

For the sonar.pullrequest.provider property, the Azure DevOps extension is taking care of setting it for you, so there’s no need to worry about it.


hello Mickaël. Thank you for the answers…

Could you confirm if providing the property sonar.pullrequest.vsts.token.secured in the Azure Pipeline Prepare Task works ?

- task: SonarSource.sonarcloud.14d9cde6-c1da-4d55-aa01-2965cd301255.SonarCloudPrepare@1
      displayName: 'Prepare analysis on SonarCloud'
        SonarCloud: sonarcloud
        organization: ${{ parameters.OrgName }}
        scannerMode: CLI
        extraProperties: |
         # Additional properties that will be passed to the scanner,
         sonar.pullrequest.provider=${{ parameters.PullRequestProvider }}



No it will not be taken in account as it is an internal property, not a “Scanner” one. And the variable you gave in example is the OAuth token that the agent uses to authenticate against AzDO. I don’t think that the PAT is accessible through a variable.


Thanks for the answer Mickaël.
We found the SonarCloud API where we can set the sonar.pullrequest.vsts.token.secured property before the scan execution.

it is working for us.

Hi Marcel, could you share your solution? Regards


Basically we execute these two request before every scan. It will always set the current build token to sonar post the comments. $(sonar.token) is a sonarCloud token saved as variable group in azure devops.

- script: |
    curl --request POST -u $SONARTOKEN: \
      --data "component=$(Build.Repository.Name)" \
      --data "key=sonar.pullrequest.provider" \
      --data "value=Azure DevOps Services" \
  displayName: 'Set PR provider for current project in sonarcloud'
    SONARTOKEN: $(sonar.token)
- script: |
    curl --request POST -u $SONARTOKEN: \
      --data "component=$(Build.Repository.Name)" \
      --data "key=sonar.pullrequest.vsts.token.secured" \
      --data "value=$SYSTEM_ACCESSTOKEN" \
  displayName: 'Set PR token for current project in sonarcloud'
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
    SONARTOKEN: $(sonar.token)

If you want it in powershell here is the script:

# $SONARTOKEN is a PAT token generated in Sonarcloud
$pair = "$SONARTOKEN:"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
	Authorization = $basicAuthValue

# Set Agent PAT as PR commenter
$POSTParams = @{

$ignore = Invoke-WebRequest -Uri `
				  -Headers $Headers `
				  -Method POST `
				  -Body $POSTParams `
				  -UseBasicParsing | Out-Null

# Set PR integration service to Azure devops
$POSTParams = @{
value="Azure DevOps Services"

$ignore = Invoke-WebRequest -Uri `
				  -Headers $Headers `
				  -Method POST `
				  -Body $POSTParams `
				  -UseBasicParsing | Out-Null

@mickaelcaro Has there been any movement on this?

We have 72 projects and updating PAT tokens when they expire is an increasing chore in order to get PR decoration to work again.

Being able to centrally define the PAT would be great.

Hi @brett.postin

I can only recommend to switch to a bound organization, that way, you will be able to manage your PAT at the organization level.


Hi Mickael,

Our account is already bound to Azure DevOps. However setting the PAT token globally in the organisation settings does not seem to propagate down to the project level.

Only when we manually set the PAT token at the project level does PR decoration work again.

I have worked out the issue. The project level settings seemingly take precedent over the org PAT. Clearing out the project level settings allows us to configure the PAT globally.

Thanks for the help!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.