Hiding / encrypting / avoid storing source code in SQ DB


Isabelle Guimiot

Apr 6, 2017, 3:22:20 PM
to SonarQube
Hi everyone,

My company has a very few projects with source code classified as "secret" (financial institution...). There's already strong security for those projects in git, and on every server that contains sources or binaries from those secret projects (encryption, ...).

My job is to bring all the projects of the company into SonarQube, but I have a big point with the secret projects: today, source code is clearly stored in the SonarQube database (MySQL), and the security team is asking me to make sure that the source code cannot be seen by people outside the team.

I know there's a "code viewer" role, but I'm afraid it won't be enough; the database could probably be hacked.

I found this discussion: http://sonarqube-archive.15.x6.nabble.com/How-do-I-tell-Sonar-to-not-store-the-source-code-in-the-database-td5028520.html, from 2014, but apparently the parameter sonar.importSources has vanished in the recent versions.

Today, in version 6.x, is there any way to either hide, encrypt, or avoid storing secret code in the SonarQube database?

Thanks for your help!

Isabelle

G. Ann Campbell

Apr 6, 2017, 3:33:02 PM
to SonarQube
Hi Isabelle,

There's not. There's only the permission to control access through the UI.


Ann

Isabelle Guimiot

Apr 7, 2017, 3:36:46 PM
to SonarQube
Ok thanks, I'll try to find other solutions...

Isabelle