Token security?

Hi, this is a community for civil conversation, so consider this a warning.

Back to the original question – while the purpose of scoped tokens is to limit a token to have certain permissions, that is not the overall purpose of token-based authentication.

However, I agree that being able to scope permissions for a token would be useful! It’s a point that has been raised before (Security concern on user tokens) and you should feel free to more formally Suggest a feature (https://community.sonarsource.com/c/suggestions)

That said, it’s my understanding that many CI providers, such as Azure DevOps and Bitbucket Cloud, include ways to define “Secret” variables, which are generally stored as environment variables (at least Azure DevOps takes it as far as not making these secrets available to PR builds from forks). Can you help me understand the attack vector this represents if the token isn’t being piped out to the build output? Maybe I’m missing something, and I’m asking this with honest intent and curiosity.

Colin

2 Likes
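The reply above hinges on the token not being written to the build output. As an added example (not part of the original thread, and not SonarSource code), here is a small POSIX shell helper that masks a secret held in an environment variable before log lines are emitted, the way hosted CI providers mask “secret” variables, plus a check that a finished log does not still contain the raw value. The token value `sqp_0123456789abcdef` is a constructed sample, not a real credential.

```shell
#!/bin/sh
# Added example, not from the original post: mask a CI secret so it never
# appears verbatim in build output, and check a log for leakage afterwards.

# Constructed sample token; in a real pipeline this would come from the
# CI provider's secret store, never from a file checked into the repo.
SONAR_TOKEN_SAMPLE="sqp_0123456789abcdef"

# mask_secret SECRET : read build output on stdin, replace every literal
# occurrence of SECRET with *** before it reaches the log.
mask_secret() {
    secret="$1"
    # Escape sed metacharacters so the secret is matched as a literal string.
    esc=$(printf '%s' "$secret" | sed 's/[][\.*^$/]/\\&/g')
    sed "s/$esc/***/g"
}

# leaks_secret SECRET LOGFILE : succeed (exit 0) if LOGFILE still contains
# the raw secret, i.e. something bypassed the mask.
leaks_secret() {
    grep -qF -- "$1" "$2"
}

# Usage: run the scanner with its output piped through the mask, then
# verify the saved log before archiving it.
#   some_build_step 2>&1 | mask_secret "$SONAR_TOKEN_SAMPLE" | tee build.log
#   leaks_secret "$SONAR_TOKEN_SAMPLE" build.log && echo "token leaked into log"
```

The mask only helps for output that actually flows through it; anything a build step writes directly to a file or uploads elsewhere is not covered, which is why the post-build `leaks_secret` check on the saved log is the more reliable of the two.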