In our company we are currently experimenting with using a self hosted SonarQube community edition server linked with GitLab CI to run SonarScanner to improve our codebase.
Everything works perfectly but we have some questions regarding if SonarQube sends any source code data or any data whatsoever to SonarQube itself.
I tried finding it in documents hosted on the SonarQube website but I don’t seem to find anything.
Not an official response, but if you are running SonarScanner and configured it correct then you are sending the code to only your Sonarqube instance. The code will be stored there and can be accessed by everyone who has access to IP if you haven’t configured it.
If you are concerned with your security and code, you should setup authentication and create users and let only allowed users to access SQ instance and projects. Also, allowing only certain IP addresses will help.
Hi,
Welcome to the community!
@eraytufan’s answer may not be official, but it is excellent! 
SonarQube and SonarQube analysis do not send your code anywhere but to the database you’ve configured and control.
If you are concerned about the visibility of your code, the first step is to make sure your SonarQube server isn’t exposed on the internet at large. After that, you may want to turn on “force authentication”. And then you do want to implement project permissioning so that only those who should be able to can see the project. The docs should help.
Ann
P.S. Meant to add that SonarQube does send some very high-level, aggregate data home, such as which languages you use, and what DB flavor. The kind of data that helps us understand, E.G. what DB compatibility we need to maintain. You can opt-out of it if you like by twiddling a setting in your server config file.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.