(Research) Information request VSTS scanner timing

Good day,

I have a quick question towards an investigation of SonarQube/SonarCloud with regard to the VSTS/AzDevOps plugin. I was trying to find information on where in the pipeline the actual application gets scanned. My initial thought was that the code, after building, would be fully transmitted to the server for analysis. However, I cannot seem to find information to either confirm or deny that thought in the documentation.

Would anybody please be so kind to tell me:

  • Where the VSTS plugin does the scan: on either the SonarQube/Cloud server or the build pipeline machine;
  • Whether the full source code is transmitted to the corresponding server, and if not, what is sent;
  • Where this information is documented elsewhere.

Thanks for your time.

Hi @Beat_Assault,

The individual analysis rules are run on the Build pipeline machine. Metrics about the code are also collected on the build machine (e.g. lines of code). The issues and metrics are sent to SonarQube/Cloud, which then does some further processing and aggregation. However, most of the work is done on the build machine.

The full source code is sent to the server to support the browsing experience in SonarQube/Cloud, e.g. being able to drill down from the dashboard to see the line of code that caused a particular issue.
You can set permissions to control who can see the analysis results and browse the source code - see How do I lock down permissions on a project?.

I don’t know if this information is explicitly stated in a single place; it’s implicit in various bits of the documentation.

Note that the info above relates specifically to the Azure DevOps extensions for SonarQube/Cloud: the new AutoScan feature of SonarCloud obviously behaves differently.

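A practical way to check the answer above for yourself is to look at what the scanner writes locally before it zips and uploads its report. The script below is an added example and not code from the thread or from SonarSource; it assumes (from how the scanner behaves in practice, not from anything stated in the thread) that the report is written under `<project>/.scannerwork/scanner-report/`, with each analysed file's text stored as `source-<ref>.txt` and the issues and measures stored as protobuf files named `issues-<ref>.pb` and `measures-<ref>.pb`. With no argument it builds a small constructed sample report so it can be run offline; pass a real report directory to inspect an actual analysis.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a local scanner report
# contains before it is zipped and uploaded to SonarQube/SonarCloud.
#
# Assumptions (based on scanner behaviour, not stated in the thread):
#   - report directory: <project>/.scannerwork/scanner-report/
#   - source text per analysed file: source-<ref>.txt
#   - issues / measures per file:    issues-<ref>.pb, measures-<ref>.pb

# Print one "<kind> <file count> <total bytes>" line per artefact kind in $1.
# Seeing non-zero "source" bytes confirms the full text goes to the server;
# "issues" and "measures" are the results computed on the build machine.
summarize_report() {
  dir="$1"
  [ -d "$dir" ] || { echo "no report dir: $dir" >&2; return 1; }
  for kind in source issues measures component; do
    n=0
    bytes=0
    for f in "$dir"/"$kind"-*; do
      [ -e "$f" ] || continue
      n=$((n + 1))
      bytes=$((bytes + $(wc -c < "$f")))
    done
    echo "$kind $n $bytes"
  done
}

# Number of source-*.txt files in the report, i.e. how many files' full
# text will be uploaded.
count_sources() {
  set -- "$1"/source-*.txt
  [ -e "$1" ] || { echo 0; return; }
  echo $#
}

# Constructed sample report (not a real scanner output) so the script
# runs offline; a real report has the same layout.
make_sample_report() {
  d=$(mktemp -d)
  mkdir "$d/scanner-report"
  printf 'package main\n\nfunc main() {}\n' > "$d/scanner-report/source-1.txt"
  printf 'print("hello")\n'              > "$d/scanner-report/source-2.txt"
  printf 'issue-bytes'                   > "$d/scanner-report/issues-1.pb"
  printf 'measure-bytes'                 > "$d/scanner-report/measures-1.pb"
  printf 'component-bytes'               > "$d/scanner-report/component-1.pb"
  echo "$d/scanner-report"
}

# Usage: ./report-check.sh [path/to/.scannerwork/scanner-report]
report_dir="${1:-$(make_sample_report)}"
summarize_report "$report_dir"
echo "source files to be uploaded: $(count_sources "$report_dir")"
```

Run it against a real project after an analysis (the `.scannerwork` directory is normally left behind, which is why it is usually added to `.gitignore`); every `source-<ref>.txt` is the verbatim text of an analysed file, so if a file must not leave the build machine it has to be kept out of the analysis with `sonar.exclusions` rather than merely out of the rule set.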