We have recently finished a successful Proof of Concept for SonarCloud and how it could be used to improve our quality processes.
Before proceeding, our Security Manager has some specific queries that I do not believe are fully answered here: https://sonarcloud.io/documentation/appendices/security/
These are the points:
- Could the tool be configured not to push source code to the SonarCloud server?
[my understanding is that this is not possible]
- Who would have access to the source code? Are the activity logs monitored for appropriate, support-ticket-linked activity only by SonarCloud user IDs?
And how do the admins access this data (e.g. only via the SonarCloud corporate VPN from corporate devices with MFA/conditional access, with access blocked from the public internet?)
[it has been confirmed in the forum that MFA is mandatory for Operators]
- Could the source code be deleted manually after a scan (if automated removal after a scan is not configurable)?
[my understanding is that this is possible via deleting projects]
- How will our source code be segregated/protected from other organisations’ users’ source code?
- Can we also whitelist source IP ranges allowed access to the PRS instance on SonarCloud?