What permissions does SonarCloud require from GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Can you tell me what permissions are requested from the “GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}” so I can create a new private token using only the needed permissions.


Hi @szlatkow and welcome to the community !

Well the user that will host the token should have at least the “Execute analysis” permission on the project you want to scan.

HTH,
Mickaël

Hi @mickaelcaro. The question is about GITHUB_TOKEN, not SONAR_TOKEN. According to the SonarCloud documentation, when SonarScanner is executed using GitHub Actions, GITHUB_TOKEN must be added:

- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

I didn’t find in the documentation which aspects the mentioned token requires permissions for. More about available permissions: Permissions for the GITHUB_TOKEN.

Hi @szlatkow. At the beginning I didn’t add the GITHUB_TOKEN environment variable. My pull requests were successfully built, but the analysis of the main branch started failing. I configured the token to set permissions manually and didn’t grant any permissions (I omitted the permissions key in the workflow file). The build finished successfully. Currently my configuration looks like this:

jobs:
  Build:
    # ...
    permissions:
      checks: write
    steps:
      # ...
      - name: Execute SonarScanner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ${{ env.MAVEN_CMD }} sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}

The checks: write permission is required by a different action (scacap/action-surefire-report@v1) used in the workflow. To be honest I have no idea why the GitHub token is needed, but with this minimal configuration it works for me.
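As an added example (not code from this thread or from SonarSource), here is a complete workflow that applies the least-privilege pattern the configuration above relies on: once a `permissions` key is present, every scope not listed is set to `none`, so the job token carries only what is declared. Which scopes SonarCloud itself needs from GITHUB_TOKEN is exactly the open question in this thread, so the block declares only what the thread shows working (`checks: write`, needed by the surefire report action, not by the scanner) plus `contents: read`, which `actions/checkout` needs to clone the repository. The workflow name, branch name and action versions are assumptions.

```yaml
name: Build and analyze   # assumed workflow name

on:
  push:
    branches: [main]      # assumed default branch
  pull_request:

# Workflow-level default: listing any scope here drops all others to "none",
# so jobs that do not override this get a read-only token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level override: still explicit, still minimal.
    permissions:
      contents: read   # actions/checkout must read the repository
      checks: write    # only because scacap/action-surefire-report publishes check runs (per the thread)
    steps:
      - uses: actions/checkout@v4   # assumed action version

      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # SonarCloud token stored as a repository secret
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```

If a scope turns out to be missing, the failing API call is logged by the runner, and the fix is to add that single scope rather than to fall back to the permissive default token; the `checks: write` line can be dropped entirely in a workflow that does not publish check runs.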

Hi @agabrys

Indeed, sorry about that.

We used to select the “repo” permission while creating an access token; I’ll check whether we need less or not. In the meantime, we’ll update the docs as well.

Thanks !
