When integrating SonarCloud with Azure DevOps, what is being uploaded to SonarCloud? Program code or binary?
How does SonarCloud ensure the IP of my program code?
Thank you.
Hello Eddy,
Firstly, apologies for the late reply.
Any code you scan is sent to the SonarCloud server for analysis. Just the source code, there is no build.
The latest version of your scanned code remains in the secure SonarCloud database together with the analysis reports.
SonarCloud claims no intellectual property rights or licenses to your code. Please see the terms and conditions item 9 for more details: https://sonarcloud.io/terms.pdf
I hope this helps.
Kind regards,
Mark
Hello Mark,
Thank you for your response.
May I know how SonarCloud protects the source code that is sent to the SonarCloud server for analysis?
Is there any publication on that?
Also, what is the location where the server resides?
Thank you.
Hello Eddy,
The SonarCloud application is hosted by AWS in Germany.
We take security very seriously to ensure your source code is safe. Your data is held in a secure database, inside a private subnet, in a virtual private cloud, protected by AWS and SonarCloud firewalls, and access is restricted to the SonarCloud operations team who are responsible for the smooth running of the service. These are trusted colleagues and not an outsourced service. Furthermore, you have total control over when this data is deleted by deleting your SonarCloud projects.
You can read more here: https://sonarcloud.io/documentation/security/
Kind regards,
Mark
Hello Mark,
Thank you for your prompt response.
Understood that the data at rest is not encrypted, and that poses a concern: an administrator who has access to the database server would technically have access to the client's source code. This also poses the risk that, once the administrator credentials are compromised, the IP is gone with the hacker.
I would need to know how SonarCloud mitigates the above and who the administrators having access to the database server are.
Thank you.
Best regards,
Eddy
Hello Eddy,
This is the encryption dilemma, isn't it? It's great for stolen hardware, but its role is weak for applications once credentials are acquired. The best way to guarantee security for the customer is to ensure only the customer has the key. Alas, SonarCloud can only analyse what it can read.
We limit access to 4 carefully chosen employees that have been subjected to a stringent selection process and a focused onboarding process. We all sit together and we trust them.
That said, your concerns are valid and your needs may be better satisfied by SonarQube.
Kind regards,
Mark
Hello Mark,
If I understand you correctly, only the customer and 4 chosen employees have access to the source code uploaded to SonarCloud server?
May I understand what SonarCloud's concern is with encrypting data at rest?
Thank you.
Best regards,
Eddy
Hello Eddy,
We explain why we do not encrypt at rest here: https://sonarcloud.io/documentation/security/
Please can you let me know if this is not clear so I can adjust it.
Kind regards,
Mark