Due to the recent CircleCI incident, we need to revoke all the existing tokens in our projects. However, as stated in this topic, there is no way to do this from our end either via the user interface or the Web API, because organization admins do not have the privilege to perform this action. We have several users, and even though we’ll request all of them to revoke their existing tokens, there is no mechanism to check whether any existing tokens have not been revoked.
Since there is no help desk or ticketing system, my only option was to create a topic in this community forum. Please guide me to understand the process of how to request revoking of tokens in our organization. I am also not able to provide details about the organization or user accounts here. Hoping to see a response soon from sonarcloud admins as we need to solve this ASAP.
We’re aware of the CircleCI breach and the Sonar tokens you set there should be revoked.
After discussing with the team, we think that 2 options can be applied for this specific breach:
All users of your organization can revoke all their tokens through the SonarCloud website or the Web API.
The organization admin can remove the Execute Analysis permission from the users to find out which users’ tokens are used in your CI, because their analyses will then fail. Then you can ask these users to revoke their tokens.
We are working on improving our token generation and managing processes. We will let you know of each update.
Permission changes work immediately. Although analysis can be triggered without any permission, there are two permissions requiring user authentication:
‘Browse’ permission is required to request the quality status. This permission is only required for private projects.
‘Execute Analysis’ permission is required to submit the analysis report.
Without the ‘Execute Analysis’ permission, an analysis ends with this failure:
Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator.
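The two measures described in the replies above (each user revoking their own tokens, and the organization admin removing ‘Execute Analysis’ so that CI jobs still using a token fail visibly) can be scripted against the SonarCloud Web API. The following is an added example, not code from the thread or from SonarSource. It assumes the endpoints `api/user_tokens/search`, `api/user_tokens/revoke` and `api/permissions/remove_user` behave as documented for the SonarQube/SonarCloud Web API, that the ‘Execute Analysis’ permission key is `scan`, and that a user token is sent as the HTTP basic-auth user name with an empty password. The JSON response and CI log lines embedded in it are constructed sample data.

```python
"""Added example helper for the two remediation options in the thread.

Assumptions (not confirmed by the thread): SonarCloud endpoints
api/user_tokens/search, api/user_tokens/revoke and api/permissions/remove_user
behave as in the SonarQube Web API docs; the 'Execute Analysis' permission
key is "scan"; a token authenticates as basic-auth user name with empty password.
"""
import base64
import json
import re
import urllib.parse
import urllib.request

SONARCLOUD = "https://sonarcloud.io"

# Exact failure text quoted in the thread for a token lacking 'Execute Analysis'.
PERMISSION_FAILURE = re.compile(
    r"Project not found\. Please check the 'sonar\.projectKey' and "
    r"'sonar\.organization' properties, the 'SONAR_TOKEN' environment variable"
)

# Constructed sample of an api/user_tokens/search response (not real data).
SAMPLE_SEARCH_RESPONSE = {
    "login": "alice",
    "userTokens": [
        {"name": "circleci", "createdAt": "2022-11-02T10:00:00+0000"},
        {"name": "laptop", "createdAt": "2022-12-14T08:30:00+0000"},
    ],
}

# Constructed sample CI log line containing the failure quoted in the thread.
SAMPLE_FAILED_LOG = (
    "ERROR: Project not found. Please check the 'sonar.projectKey' and "
    "'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, "
    "or contact the project administrator."
)


def _auth_header(token: str) -> str:
    # Token as basic-auth user name, empty password (assumption, see module doc).
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def _call(base_url: str, token: str, path: str, params: dict, method: str = "GET") -> dict:
    """Perform one Web API call and decode the JSON body (empty body -> {})."""
    query = urllib.parse.urlencode(params)
    url = f"{base_url}/{path}"
    data = None
    if method == "POST":
        data = query.encode()
    elif query:
        url = f"{url}?{query}"
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Authorization": _auth_header(token)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def token_names(search_response: dict) -> list:
    """Names of every token listed in an api/user_tokens/search response."""
    return [t["name"] for t in search_response.get("userTokens", [])]


def revoke_all_my_tokens(api_token: str, base_url: str = SONARCLOUD, dry_run: bool = True) -> list:
    """Option 1: the calling user revokes all tokens they own.

    The token used for this call is revoked too, on purpose: after a CI
    provider breach every existing token is treated as exposed.
    Returns the names revoked (or that would be revoked in dry-run mode)."""
    names = token_names(_call(base_url, api_token, "api/user_tokens/search", {}))
    for name in names:
        if not dry_run:
            _call(base_url, api_token, "api/user_tokens/revoke", {"name": name}, method="POST")
    return names


def remove_execute_analysis(admin_token: str, organization: str, project_key: str,
                            logins: list, base_url: str = SONARCLOUD, dry_run: bool = True) -> list:
    """Option 2: the org admin removes 'Execute Analysis' (key "scan") from
    each user on one project, so CI jobs still using their tokens fail and
    reveal which tokens are in use. Returns the logins processed."""
    processed = []
    for login in logins:
        if not dry_run:
            _call(base_url, admin_token, "api/permissions/remove_user",
                  {"login": login, "permission": "scan",
                   "projectKey": project_key, "organization": organization},
                  method="POST")
        processed.append(login)
    return processed


def failed_for_missing_permission(ci_log: str) -> bool:
    """True when a CI log contains the failure quoted in the thread, meaning
    that pipeline's token belongs to a user whose permission was removed."""
    return PERMISSION_FAILURE.search(ci_log) is not None


if __name__ == "__main__":
    print("tokens that would be revoked:", token_names(SAMPLE_SEARCH_RESPONSE))
    print("CI job used a de-permissioned token:", failed_for_missing_permission(SAMPLE_FAILED_LOG))
```

Run the admin step with `dry_run=True` first to review the list of logins, then re-run with `dry_run=False`; afterwards grep each CI pipeline's log with `failed_for_missing_permission` to build the list of users who must still revoke tokens, which closes the verification gap the original question raises.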