Usage of system property sonar.login for Gradle

In the current documentation of SonarQube (9.9) as well as in the “Analyze your project”-assistant, it is stated to call gradle sonar -Dsonar.login=yourAuthenticationToken. I do not think this is recommendable because it makes the authentication token readable via the process list. It’s better to use environment variables for sensitive properties: SONAR_TOKEN=yourAuthenticationToken ./gradlew sonar
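As an added example (not code from the thread, from SonarSource or from the Gradle plugin), the following POSIX shell script demonstrates the point above: a token passed as a -Dsonar.login=... argument shows up in the process table, which any local user can read, while the same token passed through the environment does not appear in the argument list. It uses sh -c as a stand-in for the Gradle JVM, FAKE_TOKEN is a constructed placeholder, and find_exposed_sonar_logins is a hypothetical audit helper for checking a build host.

```shell
#!/bin/sh
# Added example, not from the thread: compare how a secret passed as a
# command-line argument and one passed via the environment appear in the
# process table. FAKE_TOKEN is a constructed placeholder, not a real token.
FAKE_TOKEN="sqp_constructed_placeholder_token"

# Return the argument list of process $1 as any local user could see it,
# via /proc where available (Linux) and via ps elsewhere.
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Start a long-running child (a stand-in for the Gradle JVM) that received
# the token as a -D style argument; the extra operands land in its argv.
# Prints "exposed" when the token is visible in the process table.
token_in_args() {
  sh -c 'while :; do sleep 1; done' gradle "-Dsonar.login=$FAKE_TOKEN" \
    >/dev/null 2>&1 &
  pid=$!
  sleep 1
  argv=$(argv_of "$pid")
  kill "$pid" 2>/dev/null || true
  case "$argv" in
    *"$FAKE_TOKEN"*) echo exposed ;;
    *) echo hidden ;;
  esac
}

# Same child, but the token travels in the environment: the argument list
# no longer carries it. (A process environment is readable only by the
# same user or root, e.g. via /proc/<pid>/environ, not by every local user.)
token_in_env() {
  SONAR_TOKEN="$FAKE_TOKEN" sh -c 'while :; do sleep 1; done' gradle \
    >/dev/null 2>&1 &
  pid=$!
  sleep 1
  argv=$(argv_of "$pid")
  kill "$pid" 2>/dev/null || true
  case "$argv" in
    *"$FAKE_TOKEN"*) echo exposed ;;
    *) echo hidden ;;
  esac
}

# Hypothetical audit helper for a build host: list processes that still pass
# the token on the command line (prints nothing when no build does so).
find_exposed_sonar_logins() {
  ps -eo pid=,args= | grep 'sonar\.login=' | grep -v grep || true
}

echo "token as -D argument:      $(token_in_args)"
echo "token via SONAR_TOKEN env: $(token_in_env)"
```

Running the script prints "exposed" for the -D form and "hidden" for the environment form; the same reasoning applies to other sensitive properties, which is why the token belongs in an environment variable (or a CI secret injected as one) rather than on the command line.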

Hi,

Welcome to the community and thanks for this report!

You make a great point. I’m going to flag this for the team.

Ann

Thanks @chkpnt , for bringing this to our attention.

The Docs team now has a ticket in our backlog to mention SONAR_TOKEN in the appropriate Authentication section(s) of the scanner page(s).
