Steps to reproduce
Context: SonarCloud paid plan linked with GitHub Enterprise Cloud organization
Log in to SonarCloud with a GitHub non-admin user
Click on analyze new project and select your organizational context
You will see a list of all repositories in the chosen organization even though you don’t have access to them in GitHub (private organizational repositories)
Is this behavior expected? Can we do something about it?
I think it would make sense to assume that in SonarCloud one can analyze only projects they have already access to in GitHub.
By default on a new SonarCloud organization, the Create Projects permission is only assigned to Owners of that SonarCloud organization. When creating the project – the user is not authenticating directly with GitHub, rather the SonarCloud application that was installed on your GitHub organization is.
So if the presence of certain repositories is sensitive, you’ll want to be careful about granting this permission.
Anything related to permissions after a project has been created can be dealt with via permission templates.
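The practical check that follows from the answer above is to audit who holds Create Projects in the organization, since anyone with it sees every repository the SonarCloud GitHub app can reach. The script below is an added example, not SonarSource's code. It assumes the organization-level permission key for Create Projects is `provisioning` and that the listing endpoint is `api/permissions/groups?organization=...` returning `{"groups": [{"name": ..., "permissions": [...]}]}`, mirroring SonarQube's web API; the sample response is constructed, not captured from SonarCloud.

```python
"""Audit which SonarCloud groups hold the "Create Projects" permission.

Added example (not SonarSource's code). Assumptions, marked below:
- the organization-level permission key for "Create Projects" is
  "provisioning" and the listing endpoint is api/permissions/groups with an
  `organization` query parameter, mirroring SonarQube's web API;
- the response shape {"groups": [{"name": ..., "permissions": [...]}]}.
"""
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request

CREATE_PROJECTS = "provisioning"  # assumed permission key for "Create Projects"
EXPECTED_HOLDERS = {"Owners"}      # the default holder on a new SonarCloud organization

# Constructed sample response in the assumed shape; not captured from SonarCloud.
SAMPLE_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "groups": [
        {"name": "Owners", "permissions": ["admin", "provisioning"]},
        {"name": "Members", "permissions": ["scan", "provisioning"]},
        {"name": "Auditors", "permissions": []},
    ],
})


def fetch_group_permissions(base_url: str, organization: str, token: str) -> str:
    """Fetch the group permission listing for an organization (assumed endpoint).

    The user token is sent as the HTTP basic-auth username with an empty
    password, which is how the Sonar web API documents token authentication.
    """
    params = urllib.parse.urlencode({"organization": organization, "ps": 100})
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/permissions/groups?{params}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def holders_of(permission: str, body: str) -> list[str]:
    """Return the names of groups whose permission list contains `permission`."""
    data = json.loads(body)
    return [g["name"] for g in data.get("groups", [])
            if permission in g.get("permissions", [])]


def unexpected_creators(body: str, expected: set[str] = EXPECTED_HOLDERS) -> list[str]:
    """Groups that can create projects (and so enumerate every repository the
    SonarCloud GitHub app can see) beyond the expected set, sorted by name."""
    return sorted(set(holders_of(CREATE_PROJECTS, body)) - expected)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_group_permissions("https://sonarcloud.io", "<org-key>", "<token>")
    # to audit a real organization.
    extra = unexpected_creators(SAMPLE_RESPONSE)
    if extra:
        print("Create Projects granted beyond Owners:", ", ".join(extra))
    else:
        print("Only the expected groups can create projects.")
```

Run it against a live organization by replacing the sample body with the output of `fetch_group_permissions`; any group reported by `unexpected_creators` is one whose members can browse the full repository list regardless of their GitHub access.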
That was really quick! It makes sense, the SonarCloud app has access to all repositories indeed. In this case we will need to adjust our permission settings.
Thank you very much!