Any restrictions on running scans for a customer on SonarQube Community?

best-practices

(Andrew Davis) #1

We use SonarQube Community Edition to do quality scanning of the work that we do. Is it OK to run “health check” scans on the codebase of potential customers so that we can share areas for possible improvements in their code? Any restrictions on using the SonarQube API to aggregate that information into another tool we use to do “health check” assessments?


(Nicolas Bontoux) #2

Hi Andrew,

I feel like your question is more compliance/regulatory related than purely about the product. SonarQube is an on-premise product with which you can analyse any project you can build. Whether you’re allowed to do such operations with code you do not own seems more like something to discuss with your contacts/providers.

If the intent is to understand the quality of software you’re considering, one starting point could be to just ask them if they use tools like SonarQube to ensure code quality, and if they’ve got any report to transparently share.


(Andrew Davis) #3

Thanks for your response @NicoB. We have (or would receive) approval from the customer’s side for this. We just want to make sure there are no restrictions from SonarQube’s side to our presenting information from our SonarQube scans to customers, and integrating scan information using the API into a system that we use to perform “health checks” on customer codebases. We would make clear that SonarQube is being used on the backend to perform the scan.