Sonar doesn’t clone. Your pipeline does. In fact, the pipeline you set up controls all of this. Once a commit is detected, your pipeline should fetch and clone; (depending on the language) perform the build; and trigger analysis.
Sorry to be vague, but that really depends on the size and intricacy of your project.
OK, so both the agent and the server have scanning capabilities?
So in the case where the scan happens on the server - I assume that means that the source code is transferred to the server? What happens with the source after the scan? Is it wiped, stored on the server or stored in the database? In parts, or full?
The reason for all these questions is that we are concerned about our source code; for security reasons we don’t want “unauthorized” copies of the source code floating around in our systems.
So we need to know how much of it is actually copied to the Sonar server, where it is stored and how we can clean up old stuff.
No. Scanning happens on the agent. At the end of analysis, an analysis report is bundled and submitted to the server. What happens server side is processing of the report, including computing project-level measures from all the file-level values in the analysis report, and storing values in the DB.
Yes, as part of the analysis report.
The current version of your source is stored in SonarQube to e.g. show issues in context. Only the code from the most recent analysis is stored. No manual cleanup of old versions needed.
This is a question of SonarQube-side permissions. No one without ‘Browse’ permission on the project will be able to see the source code.