I am trying to use Bitnami Sonarqube Image for setting up Sonarqube Code Analysis on my Azure Build Pipeline for a Azure Git Repository.
While doing so we understand that the SourceCode will be extracted from Azure Git repo for analysis. Now my question is how and where the Sourcecode will be saved/shared for running the analysis. Is there any Security Clause that speaks about the Source Code not been moved elsewhere out of our Azure devops environment?
Can you please provide us more insight on this aspect to understand the Safety and Security of our SourceCode?
To analyze, you have to check the code out to the machine on which you will perform analysis. As part of analysis, the code is sent to the SonarQube server and stored in SonarQube’s database. Presumably you control all of those machines as well as the network between them.
SonarQube does phone home some very high-level telemetry data, such as total lines of code on the server, database flavor and version, and languages in use. (I don’t think this list is exhaustive.) You can turn that off. I believe that’s in the server properties file. At no time is anything lower-level than broad aggregation ever phoned home. The data set does not include anything about individual projects and never any code.
Thank you so much.
I tried to figure out turning off the option based on your statement “You can turn that off. I believe that’s in the server properties file”. But i failed in identifying this option in Sonarqube Server Settings. Can you please provide a screenshot or mention in detail where i can find it out?
Note: We are using Bitnami Sonarqube Image for Azure devops.
