SonarQube + Scanners in air-gapped environment?

This is a pre-purchase type question; if there is a better category/forum, please advise.

I am looking to scan C++ code primarily, plus some Java; to do so I am looking at the Developer Edition of SQ. The issue I have is that the environment on which SQ and SC will be installed is totally air-gapped. There is absolutely zero internet connectivity and zero connectivity into the environment from the larger network.

Given that I will be using a licensed version of SQ, is this at all possible? My concern is that SQ will try to reach an external licensing server to validate itself and this will not be possible, hence SQ will refuse to work.

There will of course be a network connection between the SonarScanner machine and the SonarQube server, but to clarify, under no circumstances will there be any sort of connection from this environment to any other network, and I will not be able to bypass this, e.g. in the case of firewall rules etc.; this is an intentional, physical limitation.

Any ideas if this is possible?

Hi Chris, welcome to the SonarSource Community!

Our license mechanism doesn’t rely on internet connectivity. The only mechanism in SonarQube which would attempt internet connectivity by default is our marketplace/update checking, which you can disable as part of your SQ configuration.

We have plenty of customers who run SQ in an air-gapped environment. I’d encourage you to request an evaluation so you can prove it for yourself and also have the opportunity for presales support from our team.

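Added example, not part of the thread and not SonarSource's code: a check an administrator could run on the air-gapped server to confirm that the update checking mentioned in the reply above is actually switched off. It assumes the setting is the `sonar.updatecenter.activate` property in `sonar.properties` (the property name is not given in the thread), and it handles only `=` and `:` as key separators; the sample file content is constructed.

```shell
#!/bin/sh
# Added example. File contents below are constructed for illustration.

KEY='sonar.updatecenter.activate'

# Print the effective state of update checking for the properties file in $1:
#   disabled         last uncommented definition is "false"
#   enabled          last uncommented definition is anything else
#   default-enabled  key absent or only commented out, so the default applies
updatecenter_state() {
    awk -v key="$KEY" '
        /^[ \t]*[#!]/ { next }                  # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next     # line must start with the key
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next     # a longer key or no separator
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)          # trailing blanks and CR
            value = tolower(rest); seen = 1     # later definitions override
        }
        END {
            if (!seen) print "default-enabled"
            else if (value == "false") print "disabled"
            else print "enabled"
        }
    ' "$1"
}

# Constructed sample: the setting is present but still commented out.
sample=$(mktemp)
printf '%s\n' '# UPDATE CENTER' '#sonar.updatecenter.activate=true' \
    'sonar.web.port=9000' > "$sample"
echo "update checking: $(updatecenter_state "$sample")"
rm -f "$sample"
```

Anything other than `disabled` means the server will still attempt the outbound check, which in an air-gapped network shows up as failed connection attempts rather than as a functional problem.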

Hi. I was searching the internet for this exact information. I just have a follow-on question. What is the best method to update the vulnerabilities database in an air-gapped environment?

Hi @fernandezkrs ,

Updates to the scan rules are included in each version update for SonarQube. So as long as you keep your version up to date, you’ll benefit from updated scan rules.