diff --git a/Jenkinsfile b/Jenkinsfile
index da57196d8878..c93d1c53a5fc 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -43,13 +43,14 @@ node('ubuntu') {
 timeout(time: 1, unit: 'HOURS') {
 withEnv(["Path+JDK=$JAVA_JDK_17/bin","JAVA_HOME=$JAVA_JDK_17"]) {
 def JVM_ARGS = "-XX:+UseG1GC -Xmx1536m -XX:MaxMetaspaceSize=512m"
- // SONAR_TOKEN is a secret and can't be interpolated in a Groovy string for security measures,
- // see https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables
 def COMMON_ARGS = """
 build --no-parallel --no-daemon jacocoAggregateTestReport \
 sonar -PenableJacoco -Porg.sonarqube.version=4.4.1.3373 \
 -Dorg.gradle.jvmargs='${JVM_ARGS}' \
+ -Dsonar.token=\$SONAR_TOKEN \
 """.trim()
+ def FULL_COMMAND
+
 withCredentials([string(credentialsId: 'SONARCLOUD_TOKEN', variable: 'SONAR_TOKEN')]) {
 if (env.BRANCH_NAME.startsWith("PR-")) {
 def PR_ARGS = """
@@ -57,11 +58,18 @@ node('ubuntu') {
 -Dsonar.pullrequest.base=${CHANGE_TARGET} \
 -Dsonar.pullrequest.key=${CHANGE_ID} \
 """.trim()
- sh "./gradlew ${COMMON_ARGS} ${PR_ARGS} -Dsonar.token=${SONAR_TOKEN}"
+ FULL_COMMAND = "./gradlew ${COMMON_ARGS} ${PR_ARGS}"
 } else {
- sh "./gradlew ${COMMON_ARGS} -Dsonar.branch.name=${BRANCH_NAME} -Dsonar.token=${SONAR_TOKEN}"
+ FULL_COMMAND = "./gradlew ${COMMON_ARGS} -Dsonar.branch.name=${BRANCH_NAME}"
 }
 }
+
+ // to avoid problems with Groovy's interpolation for secrets
+ withEnv(["SONAR_TOKEN=${SONAR_TOKEN}"]) {
+ sh """
+ ./gradlew ${FULL_COMMAND}
+ """
+ }
 }
 }
 }
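Review bot: In the first hunk, the added `-Dsonar.token=\$SONAR_TOKEN` line in `COMMON_ARGS` keeps the token out of Groovy interpolation, but the shell still expands it into a Gradle command-line argument, so the value is visible in the agent's process list while the build runs. The SonarScanner for Gradle can, as far as I know, read the token from the `SONAR_TOKEN` environment variable that `withCredentials` already binds, which would let this line be dropped; confirm that against the pinned plugin version 4.4.1.3373. If the argument stays, quote the expansion on the shell side (`-Dsonar.token="\$SONAR_TOKEN"`) so it is not word-split. The enclosing `node` block starts outside the hunk.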
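Review bot: In the second hunk, the new `withEnv(["SONAR_TOKEN=${SONAR_TOKEN}"])` block comes after the brace that closes `withCredentials` (judging by the brace count, since indentation is lost in this view), so `SONAR_TOKEN` is no longer bound at that point, and the `${SONAR_TOKEN}` in it is itself a Groovy interpolation of the secret, which is what the comment above it says it avoids. `FULL_COMMAND` also already begins with `./gradlew`, so `./gradlew ${FULL_COMMAND}` runs `./gradlew ./gradlew build …`. I would drop the `withEnv` wrapper and run `sh FULL_COMMAND` as the last statement inside `withCredentials`, where Jenkins sets the variable for the shell and masks it in the log. Separately, `${BRANCH_NAME}` and `${CHANGE_TARGET}` are still spliced into the shell text by Groovy; passing them as quoted shell variables (the `$` escaped from Groovy, as is done for the token) keeps a branch name containing shell metacharacters from being interpreted by the shell.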