There’s a high-level architecture diagram on the homepage of the docs, but I doubt it’s what you’re looking for. As I said, we just don’t keep this lying around.
If you’re worried about the code being sent somewhere during analysis, it does get sent to the SonarQube server at the end of the analysis, but only there and nowhere else. Scan the network traffic during analysis if you want to verify that.
Regarding what actually happens during analysis, try turning on debug logging with -Dsonar.log.level=DEBUG on the analysis command line (docs) and you’ll learn far more than you ever cared to about what goes on.
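One way to act on the suggestion above to scan network traffic during analysis. This is an added example, not code from the thread or from SonarSource: it takes a constructed list of connection records (the kind you could derive from a tcpdump or ss capture taken while sonar-scanner runs), derives the expected endpoint from the sonar.host.url analysis parameter, and reports any other destination so it can be reviewed. The line format, the host names and the extra destination in the sample are all assumptions made for the example.

```python
"""Added example (not from the thread): verify that connections made while an
analysis runs go only to the configured SonarQube server.

Assumption: the records below are constructed sample lines in the form
"<time> <src_ip>:<src_port> -> <dst_host>:<dst_port>", as one might produce by
resolving a capture taken during a sonar-scanner run.
"""
from urllib.parse import urlparse

# Constructed sample capture; the artifacts.example.net entry is there only to
# show what the check flags for review, it is not a claim about the scanner.
SAMPLE_CONNECTIONS = """\
10:00:01 10.0.0.5:51234 -> sonarqube.internal.example:9000
10:00:02 10.0.0.5:51235 -> sonarqube.internal.example:9000
10:00:09 10.0.0.5:51240 -> artifacts.example.net:443
10:00:15 10.0.0.5:51241 -> sonarqube.internal.example:9000
"""


def expected_endpoint(sonar_host_url):
    """Derive (host, port) from the sonar.host.url value used for the analysis."""
    parsed = urlparse(sonar_host_url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return parsed.hostname, port


def parse_connections(text):
    """Parse the constructed capture lines into (time, dst_host, dst_port)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _src, _arrow, dst = line.split()
        host, port = dst.rsplit(":", 1)
        records.append((ts, host, int(port)))
    return records


def unexpected_destinations(text, sonar_host_url):
    """Return every (host, port) other than the SonarQube server, in first-seen order."""
    allowed = expected_endpoint(sonar_host_url)
    seen = []
    for _ts, host, port in parse_connections(text):
        if (host, port) != allowed and (host, port) not in seen:
            seen.append((host, port))
    return seen


if __name__ == "__main__":
    extra = unexpected_destinations(
        SAMPLE_CONNECTIONS, "http://sonarqube.internal.example:9000"
    )
    if not extra:
        print("all analysis-time connections went to the SonarQube server")
    for host, port in extra:
        print(f"destination to review: {host}:{port}")
```

Any destination the script reports is simply something to explain (a build-tool download, a proxy, a package mirror); the point of the check is that the only endpoint receiving analysis data should be the server named in sonar.host.url.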
The architecture shows only the external workflow of how SonarScanner works, which is pretty straightforward. I am a bit worried and eager to know more about how the Sonar analyzers and the tools associated with them scan each rule set of SonarQube against the code to be scanned and produce metrics based on the outcome of the analysis.
Also, on the code movement part, is our entire codebase copied to SonarQube post-analysis? If so, what data security policies are we offering?
What is the guarantee that our code is secured? Also, is there any retention policy for destroying/removing old code?
Will the code moved to SonarQube be removed once analysis is completed, or will only the metrics be backed up?
Your SonarQube instance is entirely self-managed, so the security is up to you. New instances require authentication by default. I would leave that on if I were concerned about security. Additionally, you may not want to expose your SonarQube instance to the internet.
Each project’s code will be present in SonarQube for as long as the project is. If you want to remove a project’s code from SonarQube, simply delete the project. But of course by doing that, you’ll lose all the findings on the project as well.