Hello SonarQube Community!
I’m evaluating version 8 of SonarQube at this moment, to specifically test the security-related checks. I’ve spoken to a couple of developers about the way they deploy SonarQube. For certain projects, they explained they were using a Roslyn plug-in to communicate a custom ruleset (not focused on security) to SonarQube, before the analysis starts.
At first this seems quite devious to me, as they are not (directly) using the built-in rules of the Sonar Way quality profiles. In your opinion, is this an actual proper and valid way to deploy SonarQube effectively?
Thank you in advance for your reply.
Mitchell