We're excited to announce the availability of Scoped Organization Tokens (SOTs) for SonarQube Cloud, a new feature for our Team and Enterprise plan users. SOTs provide a secure and scalable way to authenticate CI/CD pipelines and other automated processes, addressing common challenges and improving your overall security posture.
Historically, organizations have relied on Personal Access Tokens (PATs) for automation, but as teams and projects grow, this approach can lead to challenges. Scoped Organization Tokens are designed to address these challenges directly, providing a robust, secure, and scalable way to manage authentication for your CI/CD pipelines. By being decoupled from individual users and offering granular control, they are a game-changer for your organization.
Here are the key benefits:
Marcel is a DevOps administrator at a growing tech company. He is responsible for maintaining the CI/CD pipelines that are critical to the company's development process. Every time a developer who set up a pipeline leaves the company, Marcel gets a frantic message that the builds are failing. He then has to scramble to identify the broken pipeline, generate a new token, and update the CI/CD configuration.
It's a time-consuming and stressful process that takes Marcel away from more strategic work. With the new Scoped Organization Tokens, he can create a dedicated token for the CI/CD pipeline that isn't tied to any single user, ensuring the pipeline continues to run smoothly, regardless of personnel changes.
Creating and managing Scoped Organization Tokens is simple. Here’s how you can get started:
You can view and manage all of your SOTs from the same screen, making it easy for administrators to see every token in their organization along with its scope, when it was last used, and when it expires. Administrators can also revoke a token at any time.
For more information, please refer to the documentation.
In summary, Scoped Organization Tokens provide a secure and scalable way to manage authentication for your CI/CD pipelines and other automations without being tied to a specific user account.
SOTs are available now for all SonarQube Cloud Team and Enterprise plan users. We're confident that this new feature will help you to build more secure, resilient, and efficient CI/CD pipelines.
Ready to give it a try? Log in to your SonarQube Cloud account, or sign up to try SonarQube Cloud here, and create your first SOT today! We'd love to hear your feedback on the Sonar Community Forum.
*** This is a Security Bloggers Network syndicated blog from Blog RSS feed authored by Andrew Osborne. Read the original post at: https://www.sonarsource.com/blog/introducing-scoped-organization-tokens-for-sonarqube-cloud/