I would like to understand, since I've implemented SonarQube in our pipelines, what it means in terms of security. I have installed SonarQube on a local Ubuntu machine with PostgreSQL and added the relevant extensions in Azure DevOps, but how do I make sure that these are not exposing my code? I'm asking because I am using the SonarQube Community Edition, but I'm not sure about the licenses, the agreements, etc.
Are your projects public within SonarQube? I.e. can unauthenticated users access them and see their source code. If security is a concern, you should make sure this is not the case.
Honestly, that should take care of it, but to be double-sure, make sure your SonarQube isn’t exposed on the Internet - that only the folks on your network who should have access do have access.
To ease your mind on this point, we don’t restrict security to paid versions. Everyone on every edition has the benefit of the same security.
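A small script to run the check the replies above describe (can an anonymous visitor list projects and read their source?), added here as an example and not code from this thread or from SonarSource. It assumes the standard SonarQube Web API endpoints api/components/search, api/components/tree and api/sources/raw; the server address is a placeholder, and the sample JSON at the bottom is constructed so the classification can be exercised without a server:

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: replace with the address of your own SonarQube instance.
SONAR_URL = "http://sonarqube.internal.example:9000"


def anonymous_get(base_url, path, query):
    """Issue a GET with no token and no session cookie, i.e. exactly what an
    anonymous visitor sends. Returns (HTTP status, response body as text)."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(query)}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def public_project_keys(list_status, list_body):
    """Project keys visible to an anonymous caller in api/components/search
    (qualifier TRK = project). A non-200 answer, e.g. 401 when
    'Force user authentication' is on, means nothing is listed."""
    if list_status != 200:
        return []
    try:
        data = json.loads(list_body)
    except json.JSONDecodeError:
        return []
    return [c["key"] for c in data.get("components", []) if c.get("qualifier") == "TRK"]


def assess(list_status, list_body, raw_source_status):
    """Turn the anonymous responses into a verdict.

    list_status / list_body : response to api/components/search?qualifiers=TRK
    raw_source_status       : status of api/sources/raw for one file of a listed
                              project, or None if no project was listed
    """
    keys = public_project_keys(list_status, list_body)
    if list_status in (401, 403):
        verdict = "locked_down"         # anonymous users are rejected outright
    elif not keys:
        verdict = "no_public_projects"  # server answers, but lists no project
    elif raw_source_status == 200:
        verdict = "source_exposed"      # anonymous users can read source code
    else:
        verdict = "metadata_exposed"    # project names/keys leak, source does not
    return {"verdict": verdict, "public_projects": keys}


def check_server(base_url=SONAR_URL):
    """Run the check against a live server, anonymously."""
    list_status, list_body = anonymous_get(base_url, "api/components/search",
                                           {"qualifiers": "TRK", "ps": 100})
    raw_status = None
    for key in public_project_keys(list_status, list_body):
        # Ask for one file of the project, then try to read its raw source.
        tree_status, tree_body = anonymous_get(base_url, "api/components/tree",
                                               {"component": key, "qualifiers": "FIL", "ps": 1})
        if tree_status != 200:
            continue
        files = json.loads(tree_body).get("components", [])
        if files:
            raw_status, _ = anonymous_get(base_url, "api/sources/raw", {"key": files[0]["key"]})
            break
    return assess(list_status, list_body, raw_status)


# Constructed sample response (not from a real server) for an offline dry run.
SAMPLE_LIST_BODY = json.dumps({"paging": {"pageIndex": 1, "pageSize": 100, "total": 1},
                               "components": [{"key": "my-app", "name": "My App",
                                               "qualifier": "TRK"}]})

if __name__ == "__main__":
    print(assess(200, SAMPLE_LIST_BODY, 200))   # what an exposed server looks like
    # print(check_server())                      # uncomment to test your own instance
```

Run it from a machine that is not logged in to SonarQube; "locked_down" is what you want to see once "Force user authentication" is on, "no_public_projects" is acceptable if you deliberately leave anonymous access enabled, and the two "exposed" verdicts mean a project's visibility should be switched to private.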