GitHub Organizations and email address mismatch

We are using SonarCloud with GitHub.com Enterprise. Unfortunately, there is a big concern with regard to email notifications, as many of our employees use a personal email address, with GitHub notifications going to their company email for anything related to the organization.

SonarCloud is aware of both our GitHub account and GitHub organization, but somehow for notifications it only sees our personal emails and not our organization emails. There is no apparent option for us to override that either.
This is a security concern since we do not want SonarCloud emails to go to non-company email addresses.

Is there a workaround to address this issue?

Hi,

If I understand correctly, each employee has a GitHub account with two email addresses: one personal and one from the company. The company email is the one that receives GitHub notifications. Is that correct?

Currently SonarCloud only uses one email address from GitHub accounts: the primary one.
So here’s a ticket to track support of multiple email addresses: SCCOMM-6. Note that GitHub doesn’t tell us which email address is used to send notifications, so even if we add support for multiple email addresses, users would still have to manually select the correct one on SonarCloud.

And until this ticket is implemented, the only workaround I see is to set the company email as the primary one on GitHub. Then simply log out of and log in to SonarCloud, and the new primary email address will be used to send email notifications.

Best,

That is correct. Many of our users end up with notifications in non-company mailboxes and this is a problem. We’ll keep an eye on that ticket, but even when it gets implemented it might not be sufficient. We’ll contact GitHub to see if they can expose which email address is associated with an organisation, since they solved that issue internally on their side.

For security and compliance reasons we need to disable all SonarCloud email notifications until we can enforce that all emails go to @.com. Is it possible to do so?

I got in touch with the support team for GitHub.com Enterprise and they told me that the email address per organization should be available to SonarSource. This is actually working for other third-party services we have integrated with our GitHub organization.

While SCCOMM-6 might take a while to implement, is there a way to disable email notifications?

The workaround to switch the primary email address of personal GitHub accounts is not an option for many users since GitHub notifications for their projects outside work would now show up in their work mailbox.

By any chance, did they tell you with which endpoint we could get this information? I can’t find an endpoint that returns the email per org in their API docs (if you don’t, that’s fine, I’ll ask them).

Yes, you can disable notifications from the profile settings page (link). Each user has to disable notifications for himself/herself; you cannot currently disable notifications at the organization level.

I did not get any implementation details from GitHub.

Disabling per user should be an acceptable stop-gap solution for now.

Thank you