Which permissions does SonarCloud need from my account?

I’m looking for a list of permissions to GitHub Cloud that I need to grant SonarCloud to enable it to perform its many services on the private repos in our organization.

I’m looking for a list like the one Codacy provides:

EXCEPT, I’m hoping it does not include administration:write

I do NOT want to grant WRITE permission to code (in private repos in our organization).

I understand that I need to be an admin of our GitHub Cloud organization, but I can’t find a definitive list of the permissions I need to grant.

A related question about the SONAR_TOKEN used by GitHub Actions to post coverage to SonarCloud:

Are these tokens tied to a specific user?


Welcome to the community!

I’ve edited your title from ‘Codacy’ to ‘SonarCloud’ :slight_smile:

Maybe this thread will help:


Hi. (Wow, I can’t believe I messed up the title.)

That helps. However, I’m more interested in the permissions that need to be granted via GitHub App (or OAuth App).

A lot of services will require an OAuth grant of read:write repo permissions, which I cannot accept.

To avoid surprising dialogs later, I’m looking for a complete list of permissions that need to be granted in order to enable SonarCloud on the private repos in my org on GitHub Cloud.

I’m also interested in whether the generated SONAR_TOKEN is associated with a specific user account.


The token is absolutely associated to the account that generated it. So if you’re the one logged into the interface, it’ll be your account.

For SonarCloud, I just deleted the app on my personal GH account and started stepping through it again to refresh myself. Here’s what I’m seeing:

  • Read on code & metadata should be what allows it to import your projects
  • Read/write on … pull requests allows it to decorate your PRs after analysis.

Does that help?


Thanks for confirm on SONAR_TOKEN.

And for list of GitHub permissions needed for personal account integration, which I’ve performed as well.

How can I confirm that an organization on GitHub does not need to grant write permission to its private repo code in order to import a private repo into SonarCloud?


I’m confused. The screenshot I gave you above is literally the interface you get when you set this up.

Are you concerned there will be additional steps? Because when you add your organization from SonarCloud, you’re redirected to GitHub to authorize it there. So this is literally, and verbatim the GitHub interface. No hidden forms. A pair of radio buttons, a dropdown & Install/Cancel buttons.


Good to know!

Many coverage services have separate permissions involved when authorizing for private repos in an org vs a personal account. This is usually attributed to the limited OAuth scopes defined by GitHub.

1 Like