AI CodeFix: management of analyzed code: where is it sent? Is it stored?

Hi,

We are using SonarQube 10.8 with an Enterprise license, and we would like to use the AI CodeFix feature on our projects.
But the code is our company's property (it is not open source), and we must therefore control what happens to it when it is used by an AI.
Can you give me details on the sending of the analyzed code: where are the servers that analyze the code geographically located, and is the analyzed code saved on these servers?
In addition, does the AI first analyze the entire source code of the project and store the result on a remote server?
And any other information that could be useful on this management of the code by the AI.

Thank you

Julien

Hi @Ricetrac and thank you for your patience while we answered the question.

What happens when an AI CodeFix is requested for an issue is (from a helicopter view) roughly this:

  • We take the source file containing the issue and send it from the SonarQube Server to the AI CodeFix service, which is located in Europe and managed by Sonar. (Note that this year we will be working on having a deployment in the US as well.)
  • We build a prompt based on the type of issue, the source file and some other information, and send it from the AI CodeFix service to OpenAI servers. The prompt we send (which also contains the source code with the issue) is not stored on OpenAI servers, as guaranteed by the license agreement.
  • We process the response from OpenAI, build an appropriate CodeFix suggestion and send it from the AI CodeFix service to the SonarQube Server instance.
  • Neither the request and source code nor the response is stored on the AI CodeFix service side.
  • At no point do we send the entire source code of the project.

I hope that it clarifies the process for you and answers the question.

Best,

Vojtech