I’m evaluating SonarQube/SonarCloud for my company. I’ve been told to ask about SOC 2 compliance and SSO access.
Specifically:
Does SonarCloud have any SOC 2 compliance, or other similar quality compliance? If not, exactly how much data is shared with SonarCloud servers?
Is it possible to control access to a company SonarCloud account via a custom company SSO? We would want to allow a non-trivial number of people to view analysis results (basically the whole engineering team), but we would need a central point of revocation when someone leaves.
Does SonarCloud have any SOC 2 compliance, or other similar quality compliance? If not, exactly how much data is shared with SonarCloud servers?
SonarCloud does not have SOC 2. We are considering it for 2023. We have ISO 27001 at the company level and we are in Y2, so mature. You can read more about the data we store here.
Is it possible to control access to a company SonarCloud account via a custom company SSO? We would want to allow a non-trivial number of people to view analysis results (basically the whole engineering team), but we would need a central point of revocation when someone leaves.
This is not supported. All authentication is through your chosen DevOps platform. GitHub has SSO. You can read about the authentication mechanisms available here.
Mark_Clements - As SonarCloud does not presently have a SOC 2, we need to send a security questionnaire for completion to your team. Please let me know to whom I may send the request for completion. Regards, Myles T.