CLI-37 CLI-41 CLI-56 No auth secrets#46
kirill-knize-sonarsource wants to merge 4 commits into master from
SonarQube reviewer guide summary: Enhance token repair flow, add non-interactive mode support, and make secrets authentication optional while improving code formatting and structure.
src/commands/integrate.ts
| warn( | ||
| `${missing} is not set. Both ${ENV_TOKEN} and ${ENV_SERVER} are required for environment variable authentication. Falling back to saved credentials.`, | ||
| ); | ||
| warn(`${missing} is not set. Both ${ENV_TOKEN} and ${ENV_SERVER} are required for environment variable authentication. Falling back to saved credentials.`); |
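Review bot: this hunk only reflows the warn() call onto one line, but the two manual test reports on this page (env vars ignored when sonar-project.properties is present; no warning shown when only ENV_TOKEN is set) indicate the condition around this call is the real issue: the partial-configuration check should be reached before any properties-file shortcut, and a unit test for each of the four set/unset combinations of ENV_TOKEN and ENV_SERVER should assert whether the warning fires and which credentials are chosen.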
If I am in a directory where sonar-project.properties exists, the environment variables are skipped.
Which also means that, in case I don't have a configured sonar auth, I am redirected to the SQC page to generate a token.
src/commands/integrate.ts
| warn( | ||
| `${missing} is not set. Both ${ENV_TOKEN} and ${ENV_SERVER} are required for environment variable authentication. Falling back to saved credentials.`, | ||
| ); | ||
| warn(`${missing} is not set. Both ${ENV_TOKEN} and ${ENV_SERVER} are required for environment variable authentication. Falling back to saved credentials.`); |
- on a dir without sonar-project.properties
- without auth login
- without ENV_SERVER
- with ENV_TOKEN
It just continues to Phase 1/3, skips the next two phases and reports success. The warn message was never displayed.
| process.exit(1); | ||
| async function resolveSecretsAuth(): Promise<AuthConfig> { | ||
| // Env vars take priority — already set for CI or manual configuration | ||
| const envUrl = process.env[ENV_SECRETS_AUTH_URL]; |
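Review bot: resolveSecretsAuth reads ENV_SECRETS_AUTH_URL here while the integrate flow earlier in this PR checks ENV_TOKEN and ENV_SERVER, and the visible lines do not say how the two pairs relate; the function's comment should state that the secrets binary takes its own SONAR_SECRETS_AUTH_URL / SONAR_SECRETS_TOKEN pair (as the commit message lists) and that ENV_SERVER is not forwarded, so the two are not conflated by callers or by users setting only one pair.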
I am a bit confused on which env variables should I use. I thought that ENV_SERVER value would be passed to the secrets cli. However, here we get the value of ENV_SECRETS_AUTH_URL. Are those two unrelated? 🤔
| if (activeConnection) { | ||
| const token = await getToken(activeConnection.serverUrl, activeConnection.orgKey); | ||
| if (token) { | ||
| return { authUrl: activeConnection.serverUrl, authToken: token }; |
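Review bot: within the visible lines the getToken() keychain lookup has no error handling, so a keychain that is locked or unavailable would reject the promise and abort a scan that, per the commit message, is meant to run without credentials; wrap the lookup so a failure logs a warning and falls through to the no-auth tier, and confirm the resolved token reaches the child process through its environment rather than argv.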
When running sonar analyze --file a-file-with-a-secret.yaml even without configured token (no auth login, no env variables), I always get the following output from the secrets cli
Sonar Secrets CLI - BETA (2.41.0.10709)
Trying to authenticate to SonarQube Server or Cloud, in order to enable complete functionality
Authentication successful
Not sure how it manages to authenticate successfully or if it's lying.
I noticed that secrets cli has a cache file for authentication, .sonar-secrets-auth-cache. Not sure how sonar cli should handle that.
| // Save to keychain | ||
| await saveToken(serverURL, token, organization); | ||
| await saveToken(serverURL, newToken, organization); |
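Review bot: saving newToken to the keychain at this point does not, from the visible lines, update the active-connection state, and the manual test report on this page (sonar auth status shows "No saved connection" while sonar auth purge lists the new connection) points the same way; the repair path should set the active connection alongside saveToken, with a test that runs repair on a clean profile and then asserts auth status reports the connection.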
When running sonar integrate claude and I don't have sonar auth login:
- the repair kicks in and SQC page pops up
- I proceed to generate my token
- the integrate command succeeds and the token is stored.
But (probably) the state is not updated: sonar auth status reports "No saved connection", and sonar auth purge shows the newly created connection.
Authentication is now optional for secrets scanning. The sonar-secrets binary has AUTH_ENABLED=false in production builds, so requiring CLI auth was unnecessary friction.
Resolution priority:
1. SONAR_SECRETS_AUTH_URL + SONAR_SECRETS_TOKEN env vars (pass-through)
2. Active CLI connection + keychain token
3. No auth — binary runs without credentials
Conflicts:
src/commands/secret-scan.ts
tests/unit/secret-scan.test.ts
When no SonarQube server is configured, sonar integrate now installs secret scanning hooks without requiring a full SonarQube setup (secrets-only mode). This allows users to get secret scanning protection immediately, without needing a SonarQube account.
Pass --non-interactive flag to skip interactive auth prompt when running file scans (binary hangs on open stdin waiting for user input otherwise). Remove exit-code remap (1 -> 51): sonar-secrets v2.41 now returns 51 directly when secrets are found; exit 1 means a generic error.