I have a quick question towards an investigation of SonarQube/SonarCloud in regards to the VSTS/AzDevOps plugin. I was trying to find information where in the pipeline the actual application gets scanned. My initial thought was that the code, after building, would be fully transmitted to the server for analysis. However, I cannot seem to find information to either confirm or deny that thought in the documentation.
Would anybody please be so kind to tell me:
- Where the VSTS plugin does the scan in, either on the SonarQube/Cloud server or the Build pipeline machine;
- If the full source code is transmitted to the corresponding server, and if not then what is send;
- Where the information for this is elsewhere documented.
Thanks for your time.