Allow Anyone to view Projects without SourceCode

I would like to show all SonarQube projects to anyone in my company but not show the Sourcecode.
SonarQube is only accessible via internal Network/VPN.
Sourcecode should only be shown to specific user group.

Unfortunately I can’t disable “See Source Code” permission on public projects and on private projects I can’t grant “Browse” permission to anyone.
Not sure why such restrictions exist.

Is there any way to achieve what i need?

  • Developer Edition Version 8.6 (build 39681)

Hey there.

Marking the project as “private” but granting Browse permissions to the sonar-users group will effectively allow anybody who authenticates to SonarQube to browse the project but not see source code.

That is true but I would need it also for unauthenticated users to be able to browse.

  • Projects should be directly visible and browseable without authentication

  • Some dashboard or results are embedded in confluence pages without any means for authentication

In that case, unfortunately there’s not an option that both allows unauthenticated users Browse access and also restrict seeing source code.

Okay. Would it make sense to suggest it as a feature or is it for some reason not wanted to allow this option?

By default, unauthenticated access is not allowed (sonar.forceAuthentication has a default value of true in new installs of the latest versions of SonarQube) and we consider it to be the best security practice. It would be a tough sell. However, there are also whispers about removing the distinction between public/private projects in SonarQube altogether and just have the private project permissions available to all projects. The topic isn’t dead. :slight_smile:

Out of curiosity – in general (in all cases other than SonarQube) is browsing source code restricted to one user group? My (admittedly a few years ago) experience in Enterprise IT was that once you were behind the VPN, the repos (in Azure DevOps) were open to everyone.

I would also vote for removing the difference between private and public.
But it should still be possible to give permission for Anonymous/Anyone
(By default these permissions are not granted).
So you get best of both worlds: Better security by default and more flexibility when required.

On our side source code viewing is usually restricted by user group. But we also have public projects (inside VPN).