Security Statement
We know that your code is very important to you and your business. We also know that no one wants proven bugs or vulnerabilities found in their source code to be revealed to third parties. This is why we take security extremely seriously. Our security and governance program is focused on the security and privacy of your data. We are continuously assessing and improving our controls and associated processes by driving priorities through our Information Security Management framework.
SonarSource holds an ISO 27001 certificate at the company level. You can download the certificate and associated statement of applicability from our public Security Profile hosted by Whistic.
Hosting and resilience
SonarCloud is a SaaS solution deployed on a multi-tenant, shared-resource architecture and hosted by Amazon Web Services. SonarCloud is hosted primarily in the AWS Frankfurt Region and, occasionally, uses services located in the AWS Ireland Region when they are not available in Frankfurt.
Within each Region, SonarCloud services are spread across three Availability Zones. An Availability Zone consists of one or more discrete data centers with redundant power and networking. Availability Zones are physically distant from each other, in line with industry standards.
To ensure data availability, the SonarCloud databases are replicated in quasi-real-time to the two other availability zones within the Frankfurt Region. In the past, this setup has let SonarCloud handle a full Availability Zone outage in a transparent manner. In addition, the databases are fully backed up every day. To meet peak demand, our architecture is designed to provide rapid resource scalability.
You can view our current and historical service levels.
System security
SonarCloud uses its own Virtual Private Cloud (AWS VPC) and runs its workloads inside private networks behind firewalls.
Permissions to infrastructure resources are modeled through IAM policies. Secure tokens and devices are required for authentication. Secure protocols are required for access. Access to the infrastructure, including storage and databases, is restricted to the employees in our SonarCloud Operations team.
The system is subject to continuous logging, monitoring, and alerting to keep the support teams informed of operational, capacity, performance, and security issues.
Data security
To perform code analysis, report issues, decorate your source code, and provide metrics in the SonarCloud dashboard, your scan report containing your source code needs to be pushed to the SonarCloud server. We do not store all the source code from your repository, only the source code from your most recent scans.
At the infrastructure level, access to data is controlled by hosting it in network zones that only SonarCloud Operations has access to.
SonarCloud databases, snapshots and backups are encrypted at rest, in all environments, with SonarSource managed keys. Logs are stored on protected S3 buckets and encrypted with AWS managed keys. The production environment is strictly separate from all non-production environments, such as our development and testing environments. Sensitive data is sanitized in a dedicated sanitization environment prior to use in any non-production environment.
At the software level, SonarCloud ensures private source code is accessible only to the members of your code repository platform organization, in addition to a few SonarCloud Operations team members for support purposes only. Furthermore, you can delete your project, and therefore source code and issue reports, from our system at any time. This is entirely under your control. Data may be held within the secure snapshot retention cycle for up to one year for legitimate purposes. To help us keep your code safe, please follow industry best practices for removing sensitive data, such as secrets, from your source code.
Software security
The SonarCloud platform, user interface, APIs and authentication mechanisms regularly pass penetration testing conducted by external companies specializing in cyber and application security. We run these tests at least twice per year. The latest reports can be downloaded from our public Security Profile.
Software changes at SonarSource are delivered through a rigorous CI/CD pipeline with mandatory gates at each stage, segregated code peer reviews and approval, and high visibility of the changes being delivered. The SonarQube application undergoes Software Composition Analysis and vulnerability scanning as part of the core build. The source code is subjected to rigorous static application security testing that is triggered on every pull request. The security quality gate requires a 100% pass rate. Our software vulnerability management, dependency scanning, and quality processes adhere to the requirements for acceptance by Iron Bank. Iron Bank is the DoD repository of digitally signed, binary container images, including both Free and Open-Source Software (FOSS) and Commercial off-the-shelf (COTS) software.
In case you find a vulnerability, please follow our Responsible Vulnerability Disclosure process to report it to our security team.
Communications
All communications across the public network are secured and require version 1.2 of the TLS protocol (the older versions 1.0 and 1.1 are rejected):
- Navigating in the web application
- Using web server APIs
- Running analysis (by the scanners) from CI services and pushing analysis reports to SonarCloud
SonarCloud Webhooks
You can use secrets to secure webhooks and ensure they are coming from SonarCloud (see the "Securing your webhooks" section of the Webhooks page for more information).
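The receiver-side check that a webhook secret enables, as an added example that is not code from this page or from SonarSource: the receiver recomputes an HMAC-SHA256 over the raw request body with the shared secret and compares it in constant time against the signature header. The header name (X-Sonar-Webhook-HMAC-SHA256) and the hex-encoded HMAC-SHA256 scheme are assumed from SonarCloud's webhook documentation and should be checked against the "Securing your webhooks" section; the secret and payload below are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values: the secret configured on the SonarCloud webhook
# and a payload body exactly as the receiver reads it from the raw request.
WEBHOOK_SECRET = "example-secret-do-not-reuse"  # assumed, for illustration only
SAMPLE_BODY = json.dumps(
    {"serverUrl": "https://sonarcloud.io", "status": "SUCCESS"}
).encode()

# Header name assumed from SonarCloud's webhook documentation.
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def sign(body: bytes, secret: str) -> str:
    """Hex-encoded HMAC-SHA256 of the raw body, as the sender computes it."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: str) -> bool:
    """Return True only when the request carries a valid signature.

    Header lookup is case-insensitive because HTTP header names are.
    A missing or empty header is rejected outright rather than treated as
    "unsigned but acceptable", so an attacker cannot bypass the check by
    simply omitting the header.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False
    expected = sign(body, secret)
    # compare_digest runs in constant time, which avoids leaking how many
    # leading bytes of the signature matched through response timing.
    return hmac.compare_digest(received.strip().lower().encode(), expected.encode())
```

Always verify against the raw bytes received, not a re-serialized JSON object, since any whitespace or key-order change produces a different MAC.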
Authentication
Primary authentication on the system is available through the SonarCloud GitHub application and OAuth authentication with Bitbucket Cloud, Microsoft Azure DevOps, and GitLab. As a consequence, users don't have a password specific to SonarCloud itself but are protected to the level provided by the code repository platform (especially when 2FA is enabled on those systems).
For WS API calls or source code analysis triggered from CI services, only revocable user tokens are accepted.
Business Continuity
In addition to our proven infrastructure resilience, we are also organized by design to ensure our business continues to operate well in the event of a major disruption. Our teams are located across two continents and four countries (Switzerland, France, Germany, and the USA), and our technology infrastructure allows for flexible remote working. During the recent pandemic, this arrangement was put to the ultimate test with great success.
Application and database upgrades are all performed using the blue/green deployment method, making the SonarCloud change process transparent to our customers. On the occasions when a deployment requires a planned outage, we notify our customers through the community forum and the SonarCloud status page. You can subscribe here to receive communications.
Payment
When you subscribe to the paid plan on SonarCloud, your credit card information never transits through our system, nor is it stored on our servers. It is handed off to Braintree Payment Solutions, a company dedicated to storing your sensitive data on PCI-compliant servers.
Third-party relationships
SonarCloud is hosted by AWS and our payments are managed by Braintree. We do not use third parties for development and support. Our developers and operations team are all part of the SonarSource family. We are all SonarSourcers.
