What are the security implications of letting SonarCloud act on my behalf after signing up?

I am one of the contributors to the OpenZFS project on GitHub. Recently, I have been making a major push to run static analysis tools on the repository and fix the reports.

The project is particularly interested in being able to run static analysis tools on every pull request so that regressions in pull requests can be caught before they are merged, and SonarCloud looks like a good fit for that. Unfortunately, when I try to set up SonarCloud, it asks me to give access to SonarCloud to act on my behalf without any explanation of what this means.

A number of people trust me to safeguard my GitHub account against compromise and it only takes a single incident to destroy people's trust, so I am very cautious about granting third parties permission to act on my behalf. The issue could be somewhat mitigated by making another GitHub account, but if I recall, that is against GitHub's ToS, so I cannot do that.

What are the security implications of signing up with SonarCloud (e.g. to what extent can a bad actor cause harm to my GitHub projects if SonarCloud is compromised) and how can I mitigate them as much as possible?

Also, yesterday, the project adopted CodeQL via a GitHub workflow. This required no special permission to act on my behalf, so I am a bit confused why SonarCloud needs it. Why does SonarCloud need special permission to act on my behalf when CodeQL does not?
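For comparison, the following workflow is an added example of the kind of CodeQL setup the question refers to; it is not the OpenZFS project's actual workflow. It runs entirely on the short-lived `GITHUB_TOKEN` that GitHub Actions issues per job, which is why it needs no authorization to act as any user. The `permissions:` block pins that token to the minimum scopes code scanning needs. The branch name, the `cpp` language selection and the build commands are assumptions for illustration.

```yaml
name: CodeQL

on:
  pull_request:
    branches: [master]   # assumed default branch
  push:
    branches: [master]

# Least-privilege scopes for the per-job GITHUB_TOKEN. No user account is
# involved, so a compromised runner cannot act as a maintainer elsewhere.
permissions:
  contents: read          # check out the repository
  security-events: write  # upload SARIF results to code scanning
  actions: read           # only required for private repositories

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: cpp   # assumption: C sources analysed with the C/C++ extractor

      # Assumed build commands; substitute the project's real ones.
      - name: Build
        run: |
          ./autogen.sh
          ./configure
          make -j"$(nproc)"

      - uses: github/codeql-action/analyze@v3
```

The practical check is that nothing in this file grants a token tied to a person: if the workflow file or a runner is compromised, the blast radius is the listed scopes on this one repository for the duration of the job, rather than everything the maintainer's account can reach.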


Welcome to the community!

It’s not clear to me what part of the onboarding process you’re referring to with this. I’ve just deleted my personal organization and re-added it. Is this what you’re talking about?

I understand your caution, and find it laudable. And at the same time I don't understand what's not clear. Or are you concerned with a different part of the workflow?


Hello @ryao ,

We discussed this topic more closely internally. The permission to act on your behalf is not something that we can control and is added by GitHub by default, and, looking at their documentation on this, it can only do that for resources both the app and the GitHub user have access to.

As far as I know, we are not using this functionality. Everything we do on the GitHub platform is identified as coming from SonarCloud (e.g. adding a summary comment on a pull request).