Questions regarding how SonarQube manages source code

Hi, we are just starting to look into SonarQube (Developer Edition Version 9.4) and have some questions about how SonarQube handles source code.

  • Assume we have a build machine with a Sonar scanner
  • we want to scan e.g. a certain branch in a Git repo

What we are not sure about is:

  • Does Sonar clone the entire Git repo, or is it just a shallow copy?
  • Where is the clone/copy stored, on the build machine or on the Sonar server?
  • From what we understand, older instances of the above clone/copy is automatically cleaned out. Correct?
  • The source code that is presented in the Sonar Server GUI, where is it stored? In its database?

Additional questions:

  • The actual scanning happens on the build machine, right? We assume this may be quite a resource consuming process?
  • The scan result is sent to the Sonar server where it’s further processed and presented, right?



Welcome to the community!

Sonar doesn’t clone. Your pipeline does. In fact, the pipeline you set up controls all of this. Once a commit is detected, your pipeline should fetch and clone; (depending on the language) perform the build; and trigger analysis.

Sorry to be vague, but that really depends on the size and intricacy of your project

Yes, exactly.


Thank you for the welcome and the swift reply.

OK, so both the agent and the server has scanning capabilities?
So in the case where the scan happens on the server - I assume that means that the source code is transferred to the server? What happens with the source after the scan? Is it wiped, stored on the server or stored in the database? In parts, or full?

The reason for all these questions is that we are concerned about our source code; for security reasons we don’t want “unauthorized” copies of the source code floating around in our systems.
So we need to know how much of it is actually copied to the Sonar server, where it is stored and how we can clean up old stuff.


No. Scanning happens on the agent. At the end of analysis, an analysis report is bundled and submitted to the server. What happens server side is processing of the report, including computing project-level measures from all the file-level values in the analysis report, and storing values in the DB.

Yes, as part of the analysis report.

The current version of your source is stored in SonarQube to e.g. show issues in context. Only the code from the most recent analysis is stored. No manual cleanup of old versions needed.

This is a question of SonarQube-side permissions. No one without ‘Browse’ permission on the project will be able to see the source code.