If you want to enforce security by not providing credentials of a real SonarQube user to run your code scan or to invoke web services, you can provide a User Token as a replacement of the user login. This will increase the security of your installation by not letting your analysis user's password going through your network.
How to Generate a Token
A token can be generated only by the user having the Global Permission "Administer System".
- Go in Administration > Security and locate the User for who you want to generate a token.
- Click on the icon in the TOKENS column :
- Give a Name to your token and click on "Generate". The name will allow you to identify for which usage you generated this token.
- Copy in your clipboard the generated token by clicking on the "Copy" button. Be careful, you won't be able to see it again once you close this window.
How to Use a Token
User tokens have to be used as a replacement of your usual login:
- when running analyses on your code: replace your login by the token in the
- when invoking web services: just pass the token instead of your login while doing the basic authentication.
In both cases, you don't need to provide a password (so when running analyses on your code, the property
sonar.password is optional).