We are using the current version of SonarQube Developer edition.
I’m thinking about how we provide evidence of security compliance; for example, we have some rules to detect keys/tokens in code.
I assume that updates to code will get scanned. But my questions are:
- Is a baseline established (so keys/tokens are found in existing code)?
- Assuming only changes are scanned, is it possible to re-scan the project? Like if a new rule is added or an existing one changed?