Hi SonarSource team,
Here at GBG we’ve been looking at ways to deploy SonarQube in our delivery pipeline(s) for a PCI-DSS accredited software system, and recently discovered that SonarCloud does not have storage encryption in AWS. This is unfortunate, as it means we cannot use SonarCloud (it would break our accreditation); instead, we must manage our own instance(s) of SonarQube, adding to our costs and taking developers away from delivering value for us.
Given the ease of enabling storage encryption in AWS (for raw S3, VM images in EC2, EBS, ECS, etc., Elasticsearch and all their cloud databases), I am surprised it isn’t already done.
Given the out-of-the-box integration available with Azure DevOps, GitHub and Bitbucket, all of which have encrypted storage by default, I am surprised. I also note that this lack of information protection is not mentioned in the security statement here: https://sonarcloud.io/documentation/security/
I would also note that we are not the first organisation to have encountered this issue:
Can the SonarCloud team seriously consider enabling AWS storage encryption across their platform please?
Phil Ashby, Architect, GBGplc.com