I would like to show all SonarQube projects to anyone in my company but not show the source code.
SonarQube is only accessible via internal network/VPN.
Source code should only be shown to a specific user group.
Unfortunately I can’t disable “See Source Code” permission on public projects and on private projects I can’t grant “Browse” permission to anyone.
Not sure why such restrictions exist.
Marking the project as “private” but granting Browse permissions to the sonar-users group will effectively allow anybody who authenticates to SonarQube to browse the project but not see source code.
By default, unauthenticated access is not allowed (sonar.forceAuthentication has a default value of true in new installs of the latest versions of SonarQube) and we consider it to be the best security practice. It would be a tough sell. However, there are also whispers about removing the distinction between public/private projects in SonarQube altogether and just have the private project permissions available to all projects. The topic isn’t dead.
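The scheme from the reply above (private project, Browse to sonar-users, See Source Code to one group), as an added example that is not part of this thread and not SonarSource's own tooling. It drives SonarQube's Web API with curl; the instance URL, the token, the project key and the group name are assumed placeholders, and `DRY_RUN=1` prints the calls instead of sending them so the change can be reviewed first.

```shell
#!/bin/sh
# Added example (not from this thread): apply the scheme from the reply above with the
# SonarQube Web API. Private project; Browse ("user" in the API) to sonar-users so every
# authenticated user can see the project; See Source Code ("codeviewer") only to one group.
# Assumed: SONAR_URL points at the internal instance, SONAR_TOKEN is a token of a user who
# can administer the project, and the project key / group name are placeholders.
SONAR_URL="${SONAR_URL:-http://sonarqube.internal:9000}"
SONAR_TOKEN="${SONAR_TOKEN:-}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each call instead of sending it (handy for review)

# POST to a Web API endpoint with the given param=value pairs (URL-encoded by curl).
sonar_post() {
    endpoint="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' "$endpoint"; for p in "$@"; do printf ' %s' "$p"; done; printf '\n'
        return 0
    fi
    for p in "$@"; do set -- "$@" --data-urlencode "$p"; shift; done
    curl -sS -f -u "$SONAR_TOKEN:" -X POST "$SONAR_URL/$endpoint" "$@"
}

# 1. Make the project private: only then are Browse and See Source Code grantable per group.
set_private() {
    sonar_post api/projects/update_visibility "project=$1" "visibility=private"
}

# 2. Browse for sonar-users: every authenticated user sees issues, measures and hotspots.
grant_browse_to_all_users() {
    sonar_post api/permissions/add_group "projectKey=$1" "groupName=sonar-users" "permission=user"
}

# 3. See Source Code only for the named group; nobody else can open the code view.
grant_source_to_group() {
    sonar_post api/permissions/add_group "projectKey=$1" "groupName=$2" "permission=codeviewer"
}

# Apply all three steps to one project. Usage: restrict_source_code <projectKey> <groupName>
restrict_source_code() {
    set_private "$1" && grant_browse_to_all_users "$1" && grant_source_to_group "$1" "$2"
}

# Run from the command line: sh restrict.sh my-project dev-team
if [ -n "${1:-}" ]; then
    restrict_source_code "$1" "${2:?group name required}"
fi
```

Unauthenticated users stay locked out because the project is private; only members of the named group get the code view.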
Out of curiosity – in general (in all cases other than SonarQube) is browsing source code restricted to one user group? My (admittedly a few years ago) experience in Enterprise IT was that once you were behind the VPN, the repos (in Azure DevOps) were open to everyone.
I would also vote for removing the difference between private and public.
But it should still be possible to give permission for Anonymous/Anyone
(by default these permissions are not granted).
So you get best of both worlds: Better security by default and more flexibility when required.
On our side, source code viewing is usually restricted by user group. But we also have public projects (inside the VPN).