
Azure DevOps SonarQube Pull Request Decoration


We have successfully integrated SonarQube into our build pipelines on Azure DevOps and have used a developer's account to generate a PAT for pull request decoration. The problem now is that the developer's account is posting comments across all our repos on different pull requests. It seems the alternative is to create a whole new user titled 'SonarQube' (or similar) in our Active Directory and generate a new PAT for it, which seems like overkill. Any alternative options would be appreciated.


Solution

  • Creating a separate identity that belongs to SonarQube is the only option. The identity posts the comments through the Azure DevOps API, where the PAT is the only identification of that identity.

    Using a developer's account for PR decoration not only feels strange when reading the comments, but it is also fragile. When the developer leaves the company, their account will be terminated and suddenly PR decoration will break, and it may not be immediately clear why. Also, the developer could revoke the PAT at any time by mistake. In a larger organization, no single developer will have the right to comment on pull requests everywhere, so multiple developer accounts will be in use, which makes the configuration even more complex and fragile.
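Because the PAT is the only thing that identifies who posts the decoration comments, a practical check before pasting a PAT into the SonarQube configuration is to ask Azure DevOps which profile the token resolves to and refuse it unless that is the dedicated service identity. The script below is an added example, not code from the original post or from SonarQube; the display name "SonarQube", the environment variable `SONAR_AZDO_PAT` and the two sample JSON responses are constructed assumptions, and the profile endpoint used is the public Azure DevOps "profiles/me" API.

```python
"""Check that a PAT intended for SonarQube PR decoration resolves to the
dedicated service identity rather than to a developer's personal account.

Added example, not part of the original post. The expected display name,
the environment variable name and the sample responses are assumptions.
"""
import base64
import json
import os
import urllib.request

# Public Azure DevOps profile endpoint; returns the profile of the caller.
PROFILE_URL = (
    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0"
)


def basic_auth_header(pat: str) -> str:
    # Azure DevOps accepts a PAT as the password of HTTP Basic auth
    # with an empty user name, i.e. base64(":" + pat).
    token = base64.b64encode(f":{pat}".encode()).decode()
    return f"Basic {token}"


def identity_from_profile(profile_json: str) -> dict:
    # Reduce the profile response to the fields that say whose PAT this is.
    profile = json.loads(profile_json)
    return {
        "displayName": profile.get("displayName", ""),
        "emailAddress": profile.get("emailAddress", ""),
    }


def check_pat_identity(profile_json: str, expected_display_name: str) -> tuple:
    # Returns (ok, message). ok is True only when the PAT belongs to the
    # dedicated identity; a developer's PAT is rejected with an explanation.
    ident = identity_from_profile(profile_json)
    if ident["displayName"] == expected_display_name:
        return True, f"PAT belongs to the dedicated identity {ident['displayName']!r}"
    return False, (
        f"PAT belongs to {ident['displayName']!r} <{ident['emailAddress']}>, "
        f"not to {expected_display_name!r}; decoration comments would be "
        "posted under a personal account"
    )


def fetch_profile(pat: str) -> str:
    # Live lookup: only used when a PAT is supplied via the environment.
    req = urllib.request.Request(
        PROFILE_URL, headers={"Authorization": basic_auth_header(pat)}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


# Constructed sample responses in the shape the profile endpoint returns.
SAMPLE_SERVICE = (
    '{"displayName": "SonarQube", "emailAddress": "sonarqube@example.com", '
    '"id": "00000000-0000-0000-0000-000000000001"}'
)
SAMPLE_DEVELOPER = (
    '{"displayName": "Jane Developer", "emailAddress": "jane@example.com", '
    '"id": "00000000-0000-0000-0000-000000000002"}'
)

if __name__ == "__main__":
    # With SONAR_AZDO_PAT set (assumed variable name) the real profile is
    # fetched; otherwise the constructed developer sample is checked offline.
    pat = os.environ.get("SONAR_AZDO_PAT")
    body = fetch_profile(pat) if pat else SAMPLE_DEVELOPER
    ok, msg = check_pat_identity(body, "SonarQube")
    print(msg)
    raise SystemExit(0 if ok else 1)
```

Run it once when rotating the PAT (for example as a step in the pipeline that stores the token); a non-zero exit means the token would make SonarQube comment as a person, which is exactly the situation the answer warns about.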