SonarCloud #vulnerability scanning

We are thinking of using the SonarCloud service.
However, we have a question about the security policy that is not answered in the posted security statement.
1. Do you have any implementation of vulnerability scanning on the server/infrastructure of the cloud service to be used, and on your application?

Hello Lee,

Welcome to the community. And thank you for your interest in SonarCloud.

That’s very coincidental as I am just updating the security statement to cover this as it is a common question.

The SonarCloud application undergoes software composition analysis and vulnerability scanning on a daily basis as part of the core build. The source code is also subjected to rigorous static application security testing that is triggered on every pull request. The security quality gate requires a 100% pass rate for all code.

Infrastructure is scheduled for daily scanning on some instances and services and remains manual for others. We plan to automate these as we move to our target architecture.

Kind regards,
Mark
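The reply above describes a security quality gate that every pull request must pass at 100%. As an added illustration of how such a gate is typically enforced in CI (this is example code written for this page, not SonarCloud's own code, and the report layout, field names and the `ADV-EXAMPLE-1` advisory are constructed placeholders rather than any real scanner's format), the script below reads a combined SAST and software-composition report, blocks on any open vulnerability, unreviewed hotspot or unresolved dependency advisory, and refuses to count a "won't fix" or "false positive" mark as a pass unless someone wrote down why:

```python
"""Hypothetical CI security gate: fail the build on any unresolved security finding.

Example code added to this page; the report shape below is constructed and is not
SonarCloud's API or export format.
"""
import json
from dataclasses import dataclass, field

# Constructed sample report: static-analysis issues plus dependency advisories.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"key": "I-1", "type": "VULNERABILITY", "status": "OPEN",
         "rule": "sql-injection", "component": "app/db.py", "line": 42},
        {"key": "I-2", "type": "CODE_SMELL", "status": "OPEN",
         "rule": "unused-import", "component": "app/util.py", "line": 3},
        {"key": "I-3", "type": "VULNERABILITY", "status": "RESOLVED",
         "resolution": "FALSE-POSITIVE", "justification": "input is an integer literal",
         "rule": "path-traversal", "component": "app/files.py", "line": 17},
        {"key": "I-4", "type": "VULNERABILITY", "status": "RESOLVED",
         "resolution": "WONTFIX", "justification": "",
         "rule": "weak-hash", "component": "app/legacy.py", "line": 88},
        {"key": "H-1", "type": "SECURITY_HOTSPOT", "status": "TO_REVIEW",
         "rule": "hardcoded-credentials", "component": "app/config.py", "line": 5},
        {"key": "H-2", "type": "SECURITY_HOTSPOT", "status": "REVIEWED",
         "resolution": "SAFE", "justification": "test fixture only",
         "rule": "hardcoded-credentials", "component": "tests/fixtures.py", "line": 9},
    ],
    "dependencies": [
        {"name": "example-lib", "version": "1.2.3",
         "advisories": [{"id": "ADV-EXAMPLE-1", "status": "OPEN", "fixed_in": "1.2.4"}]},
        {"name": "other-lib", "version": "0.9.0", "advisories": []},
    ],
})

SECURITY_ISSUE_TYPES = {"VULNERABILITY", "SECURITY_HOTSPOT"}
# Resolutions that mean a human has dispositioned the finding.
ACCEPTED_RESOLUTIONS = {"FALSE-POSITIVE", "WONTFIX", "SAFE", "FIXED"}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # human-readable reasons for failing


def _issue_blocks(issue: dict):
    """Return a reason string if this issue should block the gate, else None."""
    if issue["type"] not in SECURITY_ISSUE_TYPES:
        return None  # maintainability findings are outside the security gate
    status = issue["status"]
    if status in ("OPEN", "REOPENED", "CONFIRMED", "TO_REVIEW"):
        return f"{issue['key']} {issue['rule']} at {issue['component']}:{issue['line']} is {status}"
    resolution = issue.get("resolution")
    if resolution not in ACCEPTED_RESOLUTIONS:
        return f"{issue['key']} has unrecognised resolution {resolution!r}"
    # A 100% pass rate reachable by clicking "won't fix" is no gate at all:
    # require a written justification for every accepted-risk or false-positive mark.
    if resolution != "FIXED" and not issue.get("justification", "").strip():
        return f"{issue['key']} marked {resolution} without a justification"
    return None


def evaluate_gate(report_json: str) -> GateResult:
    """Evaluate the gate over a report; passes only when nothing blocks."""
    report = json.loads(report_json)
    reasons = []
    for issue in report.get("issues", []):
        reason = _issue_blocks(issue)
        if reason:
            reasons.append(reason)
    for dep in report.get("dependencies", []):
        for adv in dep.get("advisories", []):
            # Every known advisory on a shipped component must be resolved, not merely triaged.
            if adv.get("status", "OPEN") != "RESOLVED":
                fix = f" (fixed in {adv['fixed_in']})" if adv.get("fixed_in") else ""
                reasons.append(f"{dep['name']}@{dep['version']} has open advisory {adv['id']}{fix}")
    return GateResult(passed=not reasons, blocking=reasons)


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_REPORT)
    for reason in result.blocking:
        print("BLOCK:", reason)
    raise SystemExit(0 if result.passed else 1)
```

Run on the constructed report, the gate fails the build for four reasons (the open SQL injection finding, the won't-fix mark with no justification, the unreviewed hotspot and the open dependency advisory) and lets the justified false positive and reviewed hotspot through; the non-zero exit status is what a PR pipeline would use to block the merge.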

Thank you for your reply. It’s helpful.