I have a question regarding how I am implementing SonarQube and wanted to get some feedback on it…
I would like to be able to scan multiple (private) repositories on GitHub, and I was under the impression that I had to put SonarQube on the internet as an internet-facing web page. I did this; however, now I'm stuck because I'm not sure how to get the code onto the actual SonarQube server, but I'm also concerned with security. It appears that if I were to upload the code for analysis, other people on the web may be able to see stats on my organization's code, which I do not want… Can someone point me in the right direction? I have GitHub repos that need analysis but must also remain secure…
Nope. It’s totally at your discretion whether or not your instance is public or private. The vast majority of instances are private.
The easiest thing to do is just start analyzing. Start here.
You have several layers available. First is the public/private instance question. Second, you can lock your instance down so that only authenticated users can enter. And third, you can lock individual projects down so that only certain users can see them (this is the ‘Browse’ permission).
And finally, I would be remiss if I didn’t mention SonarCloud, on which paid organizations can analyze private projects.
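The second and third layers described in the answer above (forcing authentication on the instance, then restricting a project to named users via the Browse permission) can be applied and then verified through the SonarQube web API. The following is an added example written for this thread, not code from SonarQube or from the poster; it uses the documented endpoints `api/settings/set`, `api/projects/update_visibility`, `api/permissions/add_user`, `api/settings/values`, `api/projects/search` and `api/components/search`. The host name, token, project key and user logins are placeholders, and the token must belong to an administrator. Note that the web API calls the Browse permission `user`.

```python
"""
Lock down a SonarQube instance (authenticated users only) and a single
project (only named users may browse it), then verify the result.

Added example for illustration, not SonarQube's own code.  Host, token,
project key and logins below are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# What the UI calls "Browse" is the permission named "user" in the web API.
BROWSE_PERMISSION = "user"


def lockdown_plan(project_key, logins):
    """Return the ordered (method, api_path, params) calls to perform.

    Kept separate from the HTTP layer so the plan can be reviewed
    (and tested) without talking to a server.
    """
    plan = [
        # Layer 2: no anonymous access to the instance at all.
        ("POST", "api/settings/set",
         {"key": "sonar.forceAuthentication", "value": "true"}),
        # Layer 3: the project is visible only to users holding Browse.
        ("POST", "api/projects/update_visibility",
         {"project": project_key, "visibility": "private"}),
    ]
    for login in logins:
        plan.append(("POST", "api/permissions/add_user",
                     {"projectKey": project_key, "login": login,
                      "permission": BROWSE_PERMISSION}))
    return plan


def call(base_url, token, method, path, params):
    """Send one web-API call authenticated with a user token.

    SonarQube accepts a token as the HTTP basic-auth user name with an
    empty password, so the token is never sent as a query parameter.
    """
    data = urllib.parse.urlencode(params).encode()
    url = base_url.rstrip("/") + "/" + path
    if method == "GET":
        url += "?" + data.decode()
        data = None
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode((token + ":").encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def force_auth_enabled(settings_response):
    """True if api/settings/values reports sonar.forceAuthentication=true."""
    for setting in settings_response.get("settings", []):
        if setting.get("key") == "sonar.forceAuthentication":
            return setting.get("value") == "true"
    return False


def project_is_private(search_response, project_key):
    """True if api/projects/search lists the project with visibility=private."""
    for component in search_response.get("components", []):
        if component.get("key") == project_key:
            return component.get("visibility") == "private"
    return False


def anonymous_is_rejected(base_url):
    """Probe a read-only endpoint with no credentials.

    An instance with sonar.forceAuthentication answers 401; an open
    instance answers 200 with its list of public projects.
    """
    url = base_url.rstrip("/") + "/api/components/search?qualifiers=TRK"
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=30):
            return False
    except urllib.error.HTTPError as exc:
        return exc.code == 401


if __name__ == "__main__":
    BASE = "https://sonar.example.internal"     # placeholder host
    TOKEN = "replace-with-an-admin-user-token"   # placeholder token
    KEY = "org:private-service"                  # placeholder project key
    for method, path, params in lockdown_plan(KEY, ["alice", "bob"]):
        call(BASE, TOKEN, method, path, params)
    settings = call(BASE, TOKEN, "GET", "api/settings/values",
                    {"keys": "sonar.forceAuthentication"})
    projects = call(BASE, TOKEN, "GET", "api/projects/search", {"projects": KEY})
    ok = (force_auth_enabled(settings)
          and project_is_private(projects, KEY)
          and anonymous_is_rejected(BASE))
    print("locked down" if ok else "NOT locked down")
```

Run it against the instance with an administrator token; the final anonymous probe is the check that matters most for the original worry, since it exercises the instance the way a stranger on the internet would. Forcing authentication is also what stops the server-wide project listing and measures from being readable by anyone who finds the URL, whereas the private visibility only protects that one project.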
Thanks for the info! Much appreciated!