[URGENT] Revoking all existing tokens in organization

Hi all;

Due to the recent CircleCI incident, we need to revoke all the existing tokens in our projects. However, as stated in this topic, there is no way to do this from our end either via user interface or web API because organizational admins do not have such privilege to perform this action. We have several users and even though we’ll request all of them to revoke their existing tokens, there is no mechanism to check if there are any existing tokens that are not revoked.

Since there is no help desk or ticketing system, my only option was to create a topic in this community forum. Please guide me to understand the process of how to request revoking of tokens in our organization. I am also not able to provide details about the organization or user accounts here. Hoping to see a response soon from sonarcloud admins as we need to solve this ASAP.

Thank you in advance.


Hi,

We’re aware of the CircleCI breach and the Sonar tokens you set there should be revoked.

After discussing with the team, we think that 2 options can be applied for this specific breach:

  1. All users of your organization can revoke all their tokens through SonarCloud website or Web API.
  2. The organization admin can remove the execute analysis permission from the users to find out users whose tokens are used in your CI after failing analysis. Then you can ask these users to revoke their tokens.

We are working on improving our token generation and managing processes. We will let you know of each update.
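Option 1 above can be scripted by each user against their own account. The following is an added example, not Sonar's code and not from this thread; it assumes the SonarCloud Web API endpoints `api/user_tokens/search` (returning `{"userTokens": [{"name": ...}, ...]}`) and `api/user_tokens/revoke` (POST with a `name` parameter), Basic auth with the token as the username, and that the user knows the name of the token they are running the cleanup with, because revoking that one first would break every following call.

```python
"""Revoke all of the calling user's SonarCloud tokens, the one in use last (example code)."""
import base64
import json
import urllib.parse
import urllib.request


def make_caller(base_url, token):
    """Build call(path, params, method) -> dict authenticated with `token`.

    Assumption: SonarCloud accepts the token as the HTTP Basic username with an empty password.
    """
    def call(path, params=None, method="GET"):
        query = urllib.parse.urlencode(params or {})
        url = f"{base_url}/{path}" + (f"?{query}" if query and method == "GET" else "")
        data = query.encode() if method == "POST" else None
        req = urllib.request.Request(url, data=data, method=method)
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}
    return call


def token_names(search_response):
    """Token names from an api/user_tokens/search response (assumed shape, see lead-in)."""
    return [t["name"] for t in search_response.get("userTokens", [])]


def revoke_own_tokens(call, current_token_name):
    """Revoke every token of the calling user and return the names revoked, in order.

    All other tokens go first; the search is then re-run to confirm nothing else is
    listed, and only then is the token authenticating these calls revoked itself.
    """
    names = token_names(call("api/user_tokens/search"))
    revoked = [n for n in names if n != current_token_name]
    for name in revoked:
        call("api/user_tokens/revoke", {"name": name}, method="POST")
    remaining = token_names(call("api/user_tokens/search"))
    leftover = [n for n in remaining if n != current_token_name]
    if leftover:
        raise RuntimeError(f"tokens still listed after revoke: {leftover}")
    if current_token_name in remaining:
        call("api/user_tokens/revoke", {"name": current_token_name}, method="POST")
        revoked.append(current_token_name)
    return revoked


if __name__ == "__main__":
    # Usage: revoke_own_tokens(make_caller("https://sonarcloud.io", "<token>"), "<its name>")
    pass
```

Because the final revoke removes the credential the script itself used, a follow-up `api/user_tokens/search` with that token is expected to fail with 401, which is the confirmation that nothing is left.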

I’ve tried revoking Execute Analyses for all of our users, but new updates using existing tokens are still working.

Is there anything else we should be trying, or does the permission change take time to kick in?

Hi @danielsgroves

Permission changes work immediately. Although analysis can be triggered without any permission, there are two permissions requiring user authentication:

  • ‘Browse’ permission is required to request the quality status. This permission is only required for private projects.
  • ‘Execute Analysis’ permission is required to submit the analysis report.

Without ‘Execute Analysis’ permission, an analysis ends with this failure:

Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator.