Usage of system property sonar.login for Gradle

In the current documentation of SonarQube (9.9) as well as in the “Analyze your project”-assistant, it is stated to call gradle sonar -Dsonar.login=yourAuthenticationToken. I do not think this is recommendable because it makes the authentication token readable via the process list. It’s better to use environment variables for sensitive properties: SONAR_TOKEN=yourAuthenticationToken ./gradlew sonar


Welcome to the community and thanks for this report!

You make a great point. I’m going to flag this for the team.


Thanks @chkpnt , for bringing this to our attention.

The Docs team now has a ticket in our backlog to mention SONAR_TOKEN in the appropriate Authentication section(s) of the scanner page(s).

1 Like