First up, what a fantastic category name
I’m a PM at GitHub responsible for our secret scanning functionality. We scan through code looking for leaked secrets so we can alert users of them.
I’m here to ask whether you’d consider using a different prefix for the tokens SonarQube uses when it generates badge URLs.
Since SonarQube 9.5, SonarQube API tokens have had a prefix to help distinguish between the different types:
- User tokens are prefixed with `squ_`
- Project analysis tokens are prefixed with `sqp_`
- Global analysis tokens are prefixed with `sqa_`
That’s awesome - it makes it way easier to determine if a token presents a risk to security or not. We’re using it at GitHub to tell users what kind of SonarQube token we’ve detected if/when we find one.
The one snag is badge URLs. They look like this:
https://sq.mydomain.io/sonarqube/api/project_badges/measure?project=my-proj&metric=coverage&token=squ_fabb36113572f2cc0351f120dd27daa4a20c1333
As I understand it, the tokens in those URLs aren't really user tokens - they're some other form of token that is created with very limited permissions (just to serve metrics for badges).
So my (tiny) feature request is: introduce a new token prefix (maybe `sqb_`) to differentiate badge tokens from user tokens. Doing so would make it easier for end users to understand the threat that a leaked token poses.