When I scan my project on SonarQube, will my code get public? I am using the Community edition. There is a setting which says I can make my project private, does that ensure that my code will not be public at any point?
Security of our code is of utmost importance to us and we’d like to know before we start using the tool, that it will be secure and not prone to getting public.
If there are any other suggestions/settings that would help us in achieving this then do let me know.
Making your project private is a good first step. If your project is private, then you’ll need to log in to an account with permissions before you can see the project.
You’ll also want to make sure
your SonarQube instance isn’t exposed to the internet
the default admin credentials (admin/admin) have been changed. There’s an automatic prompt on first login starting with 8.6, but you didn’t mention your version.
your SonarQube instance isn’t exposed to the internet
I mean I can definitely understand the idea behind this @ganncamp but if you are e.g. using Azure DevOps hosted build agents you kinda have to expose your instance to the internet. And if all projects are private (by default) and you have to login anyways, you should be fine, no?
So as @RobCo mentioned, the scenario wherein the instance will be kinda exposed to the internet, ‘Force user authentication’ should still help with the security of the code, right?
we have exposed our SonarQube server to the internet (Azure DevOps hosted agents need access), forced user authentication (we are using AAD) and set the default visibility of new projects to private (Administration → Projects → Management):
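To check the three points raised in this thread (forced authentication on, every project private, and no anonymous project listing) against a running instance, here is an added audit script; it is not from the thread or from SonarSource. It assumes an admin user token, a base URL passed on the command line, and the documented `api/settings/values` and `api/projects/search` endpoints; the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request
from base64 import b64encode

# Constructed sample responses, shaped like SonarQube's
# GET api/settings/values?keys=sonar.forceAuthentication and
# GET api/projects/search (both calls need an admin token).
SAMPLE_SETTINGS = {"settings": [{"key": "sonar.forceAuthentication", "value": "false"}]}
SAMPLE_PROJECTS = {"components": [
    {"key": "billing-api", "visibility": "public"},
    {"key": "web-frontend", "visibility": "private"},
]}

def audit(settings, projects, anonymous_search_status):
    """Return findings for the settings discussed in the thread.

    settings/projects: parsed JSON from the two admin API calls above.
    anonymous_search_status: HTTP status of an UNauthenticated GET
    api/projects/search; 401 means anonymous users cannot list projects.
    """
    findings = []
    values = {s["key"]: s.get("value") for s in settings.get("settings", [])}
    if values.get("sonar.forceAuthentication") != "true":
        findings.append("sonar.forceAuthentication is not enabled")
    for c in projects.get("components", []):
        if c.get("visibility") != "private":
            findings.append(f"project {c['key']} is {c.get('visibility')}")
    if anonymous_search_status == 200:
        findings.append("anonymous request to api/projects/search succeeded")
    return findings

def get(base_url, path, token=None):
    """GET one API path; returns (status, parsed body or None).
    SonarQube accepts a user token as the Basic username with an empty password."""
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path)
    if token:
        req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None

if __name__ == "__main__":
    import sys
    base, token = sys.argv[1], sys.argv[2]  # e.g. https://sonar.example.test <admin token> (assumed)
    _, settings = get(base, "api/settings/values?keys=sonar.forceAuthentication", token)
    _, projects = get(base, "api/projects/search?ps=500", token)
    anon_status, _ = get(base, "api/projects/search")
    for finding in audit(settings, projects, anon_status) or ["no findings"]:
        print(finding)
```

Run it again after changing a setting in the UI; an empty finding list means the instance matches the configuration described in the last post above.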