User-independent token for SonarCloud Web Api

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Scanner command used when applicable (private details masked):
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'Sonarcloud code police'
      organization: '***'
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: '***'
      cliProjectName: '***'
      cliSources: '.'
      extraProperties: |
        # Additional properties that will be passed to the scanner,
        # Put one key=value per line, example:
        sonar.sources=/absolute/path/to/project/src
        sonar.tests=/absolute/path/to/project/tests
        sonar.exclusions=**/tests/*.py,**/*.xml,setup.py
        sonar.python.coverage.reportPaths=/absolute/path/to/project/coverage.xml
        sonar.python.version=3
  • Languages of the repository: python

I have an azure pipeline in which I run SonarCloudPrepare@1 followed by SonarCloudAnalyze@1. For those projects that do not yet exist on the default branch (which for me is master), when a PR is created to master that contains the new code to be analyzed by SonarCloud, SonarCloudAnalyze@1 step fails with the following message:

‘ERROR: Could not find a default branch for project with key ‘***’. Make sure project exists.’

Once I merge the PR and it runs on master, then SonarCloud automatically creates that project for me without problems.

Now I would like to add a step to before SonarCloudAnalyze@1 to check if the project exists on SonarCloud using SonarCloud Web Api, and if so, then do not run SonarCloudAnalyze (except if it is running on the default branch, master).

I have made the following powershell script which checks for existence of the project, and sets a boolean variable which will then be used in the condition for SonarCloudAnalyze@1:

# Invoke-RestMethod parses the JSON response itself; it replaces the curl call, which in
# Windows PowerShell resolves to the Invoke-WebRequest alias and rejects the --request flag
$projects_found = Invoke-RestMethod -Method Get `
    -Uri 'https://sonarcloud.io/api/projects/search?organization=***&projects=***' `
    -Headers @{ Authorization = "Bearer ***" }
if ($projects_found.components.Count -gt 0) {
    Write-Host "project found"
    # Expose the result to later pipeline steps as a variable used in the task condition
    Write-Host "##vso[task.setVariable variable=PROJECT_EXISTS]true"
}

Now the problem is, the token given after Authorization: Bearer as part of the GET request, is a user-dependent token, meaning if I leave the company that I am working for now, and my user account gets deleted from SonarCloud, this would stop working.

Do you have a suggestion for how to avoid hardcoding a user-dependent token like this, and somehow make the GET request to authenticate in a better way?

1 Like

Hi,

The recommendation is to

  • create a technical user on the Azure side
  • add that user to SonarCloud
  • log in as your robot to generate a token
  • use the robot’s token

 
HTH,
Ann

And with that said, we have this item on our roadmap

1 Like
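The existence check from the original question, combined with the answer's advice to use a token that belongs to a technical user rather than a person, as an added example (this is neither the poster's script nor SonarSource code). It assumes the pipeline maps a secret variable holding that technical user's token into the environment as SONAR_TOKEN, passes the organization, project key and default branch as the hypothetical variables SONAR_ORGANIZATION, SONAR_PROJECT_KEY and SONAR_DEFAULT_BRANCH, and relies on the Build.SourceBranch variable Azure Pipelines sets for every build.

```powershell
# Added example: decide whether SonarCloudAnalyze@1 should run for this build.
# Assumed inputs (hypothetical names): SONAR_TOKEN (secret, mapped via the task's env: block),
# SONAR_ORGANIZATION, SONAR_PROJECT_KEY, optional SONAR_DEFAULT_BRANCH (defaults to master).
$ErrorActionPreference = 'Stop'

$token         = $env:SONAR_TOKEN
$organization  = $env:SONAR_ORGANIZATION
$projectKey    = $env:SONAR_PROJECT_KEY
$defaultBranch = if ($env:SONAR_DEFAULT_BRANCH) { $env:SONAR_DEFAULT_BRANCH } else { 'master' }

# Fail early and loudly if the secret was not mapped; a missing token must never be
# mistaken for "project does not exist".
if ([string]::IsNullOrWhiteSpace($token)) {
    Write-Host "##vso[task.logissue type=error]SONAR_TOKEN is not set; check the secret variable mapping"
    exit 1
}

# Build.SourceBranch is refs/heads/<name> for branch builds and refs/pull/<id>/merge for PR builds
$onDefaultBranch = $env:BUILD_SOURCEBRANCH -eq "refs/heads/$defaultBranch"

function Test-SonarCloudProject {
    param([string]$Organization, [string]$ProjectKey, [string]$Token)

    # URL-encode the query values so keys containing ':' or other reserved characters are safe
    $query = "organization=$([uri]::EscapeDataString($Organization))&projects=$([uri]::EscapeDataString($ProjectKey))"
    $uri   = "https://sonarcloud.io/api/projects/search?$query"

    try {
        $result = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
    } catch {
        # A 401/403 here usually means an expired or revoked token (for example a personal
        # token whose owner was removed), not a missing project; surface it instead of
        # silently treating the project as absent.
        $status = $_.Exception.Response.StatusCode.value__
        throw "SonarCloud API call failed (HTTP $status): $($_.Exception.Message)"
    }

    # The 'projects' parameter is a filter, so compare the key exactly rather than
    # trusting any non-empty component list
    return @($result.components | Where-Object { $_.key -eq $ProjectKey }).Count -gt 0
}

$exists = Test-SonarCloudProject -Organization $organization -ProjectKey $projectKey -Token $token
Write-Host "Project '$projectKey' exists on SonarCloud: $exists; building default branch: $onDefaultBranch"

# Analyze when the project already exists, or when this build will create it on the default branch
$runAnalysis = $exists -or $onDefaultBranch
Write-Host "##vso[task.setVariable variable=PROJECT_EXISTS]$($exists.ToString().ToLower())"
Write-Host "##vso[task.setVariable variable=RUN_SONAR_ANALYSIS]$($runAnalysis.ToString().ToLower())"
```

Secret pipeline variables are not exposed as environment variables automatically, so the PowerShell@2 task that runs this script needs an `env:` entry such as `SONAR_TOKEN: $(SonarToken)`, where `SonarToken` is the secret holding the technical user's token; the token then never appears in the YAML or the script. The SonarCloudAnalyze@1 step can then carry `condition: and(succeeded(), eq(variables['RUN_SONAR_ANALYSIS'], 'true'))`, which keeps the first analysis on the default branch (the one that creates the project) while skipping PR builds for projects that do not exist yet.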

Thanks a lot!

Hello Masih,
In regards to the scanner, it would make sense to allow for first-time branch analysis to create the project on SonarCloud and not fail the scan. We have taken note and will plan a fix for this.

Thank you!
Lucas

1 Like