URL: https://docs.sonarcloud.io/appendices/security-statement/
Submission: On June 23 via manual from US — Scanned from US

SECURITY STATEMENT

We know that your code is very important to you and your business. We also know
that no one wants proven bugs or vulnerabilities found in their source code to
be revealed to third parties. This is why we take security extremely seriously.
Our security and governance program is focused on the security and privacy of
your data. We continuously assess and improve our controls and associated
processes, driving priorities through our Information Security Management
framework.

SonarSource holds an ISO 27001 certificate at the company level. You can
download the certificate and associated statement of applicability from our
public Security Profile hosted by Whistic.


HOSTING AND RESILIENCE

SonarCloud is a SaaS solution deployed on a multi-tenant, shared-resource
architecture and hosted by Amazon Web Services. SonarCloud is hosted primarily
in the AWS Frankfurt Region; occasionally, we use services located in the AWS
Ireland Region when they are not available in Frankfurt.

Within each Region, SonarCloud services are spread across three Availability
Zones. An Availability Zone consists of one or more discrete data centers having
redundant power and networking. Availability Zones are physically distant from
each other, in line with industry standards.

To ensure data availability, the SonarCloud databases are replicated in
quasi-real-time to the two other availability zones within the Frankfurt Region.
In the past, this setup has let SonarCloud handle a full Availability Zone
outage in a transparent manner. In addition, the databases are fully backed up
every day. To meet peak demand, our architecture is designed to provide rapid
resource scalability.

You can view our current and historical service levels.


SYSTEM SECURITY

SonarCloud uses its own Virtual Private Cloud (AWS VPC) and runs its workloads
inside private networks behind firewalls.

Permissions to infrastructure resources are modeled through IAM policies. Secure
tokens and devices are required for authentication. Secure protocols are
required for access. Access to the infrastructure, including storage and
databases, is restricted to the employees in our SonarCloud Operations team.

The system is subject to continuous logging, monitoring, and alerting to keep
the support teams informed of operational, capacity, performance, and security
issues.


DATA SECURITY

To perform code analysis, report issues, decorate your source code, and provide
metrics in the SonarCloud dashboard, your scan report containing your source
code needs to be pushed to the SonarCloud server. We do not store all the source
code from your repository, only the source code from your most recent scans.

At the infrastructure level, access to data is controlled by being hosted in
network zones that only SonarCloud Operations has access to. The production
environment is strictly separate from our development and testing environments.

SonarCloud databases, snapshots and backups are encrypted at rest, in all
environments, with SonarSource managed keys. Logs are stored on protected S3
buckets and encrypted with AWS managed keys. The production environment is
strictly separate from all non-production environments, such as our development
and testing environments. Sensitive data is sanitized in a dedicated
sanitization environment prior to use in any non-production environment.

At the software level, SonarCloud ensures private source code is accessible only
to the members of your code repository platform organization, in addition to a
few SonarCloud Operations team members for support purposes only. Furthermore,
you can delete your project, and therefore source code and issue reports, from
our system at any time. This is entirely under your control. Data may be held
within the secure snapshot retention cycle for up to one year for legitimate
purposes. To help us keep your code safe, please follow industry best practices
for removing sensitive data, such as secrets, from your source code.


SOFTWARE SECURITY

The SonarCloud platform, user interface, APIs and authentication mechanisms
regularly pass penetration testing conducted by external companies specializing
in cyber and application security. We run these tests at a minimum twice per
year. The latest reports can be downloaded from our public Security Profile.

Software changes at SonarSource are delivered through a rigorous CI/CD pipeline
with mandatory gates at each stage, segregated code peer reviews and approval,
and high visibility of the changes being delivered. The SonarQube application
undergoes Software Composition Analysis and vulnerability scanning as part of
the core build. The source code is subjected to rigorous static application
security testing that is triggered on every pull request. The security quality
gate requires a 100% pass rate. Our software vulnerability management,
dependency scanning, and quality processes adhere to the requirements for
acceptance by Iron Bank. Iron Bank is the DoD repository of digitally signed
binary container images, including both Free and Open-Source Software (FOSS) and
Commercial off-the-shelf (COTS) software.

In case you find a vulnerability, please follow our Responsible Vulnerability
Disclosure process to report it to our security team.


COMMUNICATIONS

All communications across the public network are secured and require version
1.2 of the TLS protocol (connections using the older versions 1.0 and 1.1 are
denied). This applies to:

 * Navigating in the web application
 * Using web server APIs
 * Running analysis (by the scanners) from CI services and pushing analysis
   reports to SonarCloud


SONARCLOUD WEBHOOKS

You can use secrets to secure webhooks and ensure they are coming from
SonarCloud (see the "Securing your webhooks" section of the Webhooks page for
more information).


AUTHENTICATION

Primary authentication on the system is available through the SonarCloud GitHub
application and OAuth authentication with Bitbucket Cloud, Microsoft Azure
DevOps, and GitLab. As a consequence, users don't have a password specific to
SonarCloud itself but are protected to the level provided by the code repository
platform (especially with 2FA activated on those systems).

For WS API calls or source code analysis triggered from CI services, only
revocable user tokens are accepted.


BUSINESS CONTINUITY

In addition to our proven infrastructure resilience, we are also organized by
design to ensure our business continues to operate well in the event of a major
disruption. Our teams are located across two continents and four countries
(Switzerland, France, Germany, and the USA), and our technology infrastructure
allows for flexible remote working. During the recent pandemic, this setup was
subjected to the ultimate test with great success.

Application and database upgrades are all performed using the blue/green
deployment method, making the SonarCloud change process transparent to our
customers. On the occasions when a deployment requires a planned outage, we
notify our customers through the community forum and the SonarCloud status
page. You can subscribe there to receive communications.


PAYMENT

When you subscribe to the paid plan on SonarCloud, your credit card information
never transits through our system nor does it get stored on our server. It's
handed off to Braintree Payment Solutions, a company dedicated to storing your
sensitive data on PCI-Compliant servers.


THIRD-PARTY RELATIONSHIPS

SonarCloud is hosted by AWS and our payments are managed by Braintree. We do not
use third parties for development and support. Our developers and operations
team are all part of the SonarSource family. We are all SonarSourcers.

© 2008-2023, SonarCloud by SonarSource SA. All rights reserved.