I keep getting emails with the topic as subject, they say
"We identified that some of your projects linked to private source code repositories are currently set to “Public” visibility."
This is confusing, as I am not aware of any private projects of mine using Sonar, in fact, only public ones should have sonar setup. I am unsure why I am receiving this, if I need to act, or what repositories it is talking about. I reached out to Sonar, and they said this was the place to get help with questions.
Why am I receiving this? How do I identify which repositories?
Best I can tell, I have archived repositories that used to be linked that have no current scans, and I could remove them I assume, but nothing private is linked to Sonar.
The email is triggered because our system detected a mismatch: The project is set to Public in SonarQube Cloud, but the underlying repository on your source control (e.g., GitHub/Azure) is set to Private. We flag this to ensure private code matches your project settings.
To answer your questions:
1. The “Archived” repos: You hit the nail on the head. If you have archived repositories that are set to ‘Private’ on your DevOps platform but are still linked to SonarQube Cloud as ‘Public’ projects, they will trigger this one-time effort notification. Even if they aren’t active, the system sees the potential configuration mismatch.
2. Do you need to act? I took a look at your organization, and it appears you are on our legacy Free plan (you can confirm this if you see a ‘Free (Legacy)’ label in your organization settings).
Because you are on the Legacy plan: This plan does not support private projects. Therefore, no changes were made to your visibility settings. You can safely disregard the email; it was an automated alert based on the repository status, but your project remains Public as it was before.
(Note: If you switch to our new Free plan in the future, the system would automatically secure any new projects by making them Private up to 50k lines of code if they are linked to a private repo).
I hope this clarifies things, and apologies for the confusion caused! Since your plan doesn’t support the ‘Private’ setting, this alert was effectively a false alarm for your specific case, likely triggered by the archived project.
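To find out which repositories trip this alert yourself, the check the reply describes (project "public" in SonarQube Cloud, linked repository "private" on the DevOps platform) can be run over your own project list. The script below is an added example, not Sonar's code; it works on constructed sample data and assumes the `visibility` field from the SonarQube Cloud Web API `api/projects/search` and the `private`/`archived` flags from GitHub's `GET /repos/{owner}/{repo}`, which you would fetch and feed in yourself.

```python
"""Audit helper: flag SonarQube Cloud projects whose linked repository is private."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SonarProject:
    key: str          # SonarQube Cloud project key
    visibility: str   # "public" or "private" (assumed field from api/projects/search)
    repo: str         # "owner/name" of the linked repository


@dataclass
class Repo:
    full_name: str    # "owner/name" as reported by the DevOps platform
    private: bool     # GitHub: "private" flag on GET /repos/{owner}/{repo}
    archived: bool    # GitHub: "archived" flag; archived repos still count


def find_visibility_mismatches(projects: List[SonarProject],
                               repos: List[Repo]) -> List[Tuple[str, str, bool]]:
    """Return (project_key, repo_full_name, repo_archived) for every project that is
    Public in SonarQube Cloud but linked to a Private repository.

    Projects whose repository cannot be found are skipped: there is nothing to
    compare, and a deleted repo is a separate cleanup item.
    """
    by_name: Dict[str, Repo] = {r.full_name: r for r in repos}
    findings = []
    for p in projects:
        r = by_name.get(p.repo)
        if r is None:
            continue
        if p.visibility == "public" and r.private:
            findings.append((p.key, r.full_name, r.archived))
    return findings


# Constructed sample data, not real projects or repositories.
SAMPLE_PROJECTS = [
    SonarProject("example-org_website", "public", "example-org/website"),
    SonarProject("example-org_old-tool", "public", "example-org/old-tool"),
    SonarProject("example-org_gone", "public", "example-org/gone"),
]
SAMPLE_REPOS = [
    Repo("example-org/website", private=False, archived=False),
    Repo("example-org/old-tool", private=True, archived=True),   # archived + private
]

if __name__ == "__main__":
    for key, repo, archived in find_visibility_mismatches(SAMPLE_PROJECTS, SAMPLE_REPOS):
        print(f"{key}: public project linked to private repo {repo}"
              f"{' (archived)' if archived else ''}")
```

On the Legacy Free plan such a finding is informational only, since the project cannot be made private there; on the newer plans it points at the project whose visibility would be changed.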