diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 4c77ad6c7..78b71452c 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -8,9 +8,33 @@ on:
 pull_request:
 types: [ opened, synchronize, reopened ]
 jobs:
+ check-sonar-token:
+ name: Check SonarQube token
+ runs-on: ubuntu-latest
+ permissions: {}
+ outputs:
+ has-sonarqube-token: ${{ steps.check-token.outputs.has-sonarqube-token }}
+ steps:
+ - name: Check SonarQube token
+ id: check-token
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ if [ -n "$SONAR_TOKEN" ]; then
+ echo "has-sonarqube-token=true" >> "$GITHUB_OUTPUT"
+ echo "SONAR_TOKEN secret is set."
+ else
+ echo "has-sonarqube-token=false" >> "$GITHUB_OUTPUT"
+ echo "SONAR_TOKEN secret is not set."
+ fi
+
 build:
 name: Build and analyze
+ needs: check-sonar-token
+ if: ${{ needs.check-sonar-token.outputs.has-sonarqube-token == 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 with:
@@ -40,7 +64,7 @@ jobs:
 run: mvn -f backend/pom.xml clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=BBMRI-ERIC_negotiator -DskipTests=true
 - name: Scan Frontend
- uses: SonarSource/sonarqube-scan-action@v7
+ uses: SonarSource/sonarqube-scan-action@c7ee0f9df90b7aa20e8dcf9695dcfe2e7da5b4f2 # v7.2.1
 with:
 projectBaseDir: frontend
 env:
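Review bot: When `SONAR_TOKEN` is unavailable (as on pull requests from forks, which do not receive repository secrets), the new `if:` on `build` skips the job, and GitHub reports a skipped job as passing. If "Build and analyze" is a required status check, which is not visible here, the gate would be satisfied without any scan having run. I would document that above the condition, e.g. `# Skipped (and reported as passing) when SONAR_TOKEN is unavailable, e.g. fork PRs; the scan then only runs on the target branch`. A one-line comment on `check-sonar-token` saying it exists because the `secrets` context cannot be read in a job-level `if:` would also save the next maintainer from collapsing it back into `build`. The `build` job's steps continue outside the hunk.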
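Review bot: The Maven step directly above the pinned action still invokes `org.sonarsource.scanner.maven:sonar-maven-plugin:sonar` without a version, so Maven resolves whichever plugin release is current at run time. That step presumably runs with the same `SONAR_TOKEN` in its environment, though its `env:` block is outside the hunk. For the same supply-chain reason the action is now pinned to a commit, I would pin the plugin as well, e.g. `org.sonarsource.scanner.maven:sonar-maven-plugin:<PLUGIN_VERSION>:sonar`, or declare it with a version in `backend/pom.xml`. It is also worth confirming before merge that the new SHA is the commit the upstream `v7.2.1` tag points to, since the trailing comment is not checked by anything.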