Title: How to Run Static Code Analysis in SonarQube Without Uploading Source Code (Provider Code Confidentiality)
Hi everyone,
I’m facing a challenge and would appreciate your help.
Versions:
• SonarQube: Version 10.7.0
• Scanner: NA
• Plugin(s): NA
• Extensions: (any relevant extensions, if applicable)
SonarQube Deployment:
Goal:
I want to centralize the static code analysis performed by my external providers in my SonarQube instance, but without uploading their actual source code, as it is their intellectual property. The goal is to ensure the code remains confidential while still being able to analyze it and generate useful quality metrics on my side.
What I’ve Tried:
So far, I’ve explored using the sonar.importSources property to avoid uploading the source code, but it hasn’t worked as expected. I’ve also tried adjusting some configurations in Jenkins and scanning the binaries instead, but I haven’t been able to achieve a proper analysis that satisfies my needs without exposing the code.
Has anyone dealt with a similar situation or have suggestions on how to perform analysis without uploading source code?
Thanks in advance for your insights!
This post follows all the guidelines: it mentions the versions you are using, how SonarQube is deployed, the goal you want to achieve, and what you have already tried. You only need to fill in the specific details such as the versions and plugins you use.