Sonar has implemented a continuously advancing and improving security practice. We hold an ISO 27001:2022 certification at the company level. You can download the certificate and associated statement of applicability from our public Security Profile hosted at Whistic.
Software Security
Our software development lifecycle incorporates OWASP's industry-recommended practices for producing secure code and extended testing to ensure a safe product. Software change at Sonar is delivered through a rigorous Continuous Integration/Continuous Deployment pipeline with mandatory gates at each stage, segregated code peer reviews and high visibility of the changes being delivered.
SonarQube for IDE, SonarQube Cloud and SonarQube Server all undergo software composition analysis and vulnerability scanning as part of the core build process. All source code is subjected to rigorous static application security testing that is triggered on every pull request. The security quality gate requires a 100% pass rate. Our software vulnerability management, dependency scanning, and quality processes adhere to the requirements to be accepted by Iron Bank. Iron Bank is the DoD repository of digitally signed, binary container images, including both Free and Open-Source Software (FOSS) and Commercial off-the-shelf (COTS).
Penetration Testing
As part of our security efforts, our products undergo frequent and rigorous penetration tests conducted by external companies. In our Security Profile at Whistic, you can find our penetration test reports for SonarQube for IDE, SonarQube Cloud, and SonarQube Server.
Security Awareness
All Sonar employees undergo regular security awareness training and assessments. For new joiners, there is mandatory comprehensive security training delivered in person by our internal security team. As an organization, we continuously test our employees' awareness through phishing campaigns and scheduled affirmations of policy awareness, for example, our internal Acceptable Use Policy.
SonarSource Subprocessor List
Click here to view our current data subprocessor list.
SonarQube Cloud
Hosting & resilience
SonarQube Cloud is a SaaS solution deployed as a multi-tenant, shared-resource architecture that is hosted in Amazon Web Services' (AWS) world-class data centers. AWS has numerous certifications, including ISO/IEC 27001 and SOC2. For additional details, visit the AWS Compliance Program resource page.
SonarQube Cloud is hosted primarily in the Frankfurt Region. Occasionally, we use services located in the AWS Ireland Region when they are not available in Frankfurt.
Within each Region, SonarQube Cloud services are spread across three Availability Zones. An Availability Zone consists of one or more discrete data centers having redundant power and networking. Availability Zones are physically distant from each other, in line with industry standards.
To ensure data availability, the SonarQube Cloud databases are replicated in quasi-real-time to the two other availability zones within the Frankfurt Region. In the past, this setup has let SonarQube Cloud handle a full Availability Zone outage in a transparent manner. In addition, the databases are fully backed up every day and moved off-site. To meet peak demand, our architecture is designed to provide rapid resource scalability.
You can view our current and historical service levels.
Authentication
Primary authentication on the system is available through the SonarQube Cloud GitHub application and OAuth authentication with Bitbucket Cloud, Microsoft Azure DevOps, and GitLab. As a consequence, users don't have a password specific to SonarQube Cloud itself but are protected to the level provided by the code repository platform (especially with 2FA activated on those systems).
For Web Server API calls or source code analysis triggered from Continuous Integration services, only revocable user tokens are accepted.
Business Continuity
In addition to our proven infrastructure resilience, we are also organized by design to ensure our business continues to operate well in the event of a major disruption. Our teams are located across two continents and four countries (Switzerland, France, Germany, and the USA), and our technology infrastructure allows for flexible remote working. We perform regular Business Continuity table-top exercises for a variety of scenarios and, during the pandemic, this was subjected to the ultimate test with great success.
Application and database upgrades are all performed using the blue/green deployment method, making the SonarQube Cloud change process transparent to our customers. In the event that a deployment requires a planned outage, we notify our customers through the community forum and the SonarQube Cloud status page. You can subscribe here to receive communications.
Communications
All communications across the public network are secure and require using version 1.2 of the TLS protocol (older versions 1.0 and 1.1 are denied):
- Navigating in the web application
- Using web server APIs
- Running analysis (by the scanners) from CI services and pushing analysis reports to SonarQube Cloud
Static IP addresses for outgoing calls to supported DevOps platforms are available, so that you can add them to your allowlists. This link explains how.
Data security
To perform code analysis, report issues, decorate your source code, and provide metrics in the SonarQube Cloud dashboard, your scan report containing your source code needs to be pushed to the SonarQube Cloud server. We do not store all the source code from your repository, only the source code from your most recent scans.
At the infrastructure level, access to data is controlled by limiting the host to network zones that only SonarQube Cloud Operations can access. The production environment is strictly separate from our development and testing environments.
SonarQube Cloud databases, snapshots, and backups are encrypted at rest to AES-256 standards, in all environments, with Sonar-managed keys. Logs are stored in protected S3 buckets and encrypted with AWS-managed keys. The production environment is strictly separate from all non-production environments, such as our development and testing environments. Sensitive data is sanitized in a dedicated sanitization environment prior to use in any non-production environment.
At the software level, SonarQube Cloud ensures private source code is accessible only to the members of the code repository platform organization, in addition to a few SonarQube Cloud Operations team members, and for support purposes only. Furthermore, customers can delete their projects, and therefore source code and issue reports, from our system at any time. This is entirely under the customer's control. Data may be held within the secure snapshot retention cycle for up to one year for legitimate purposes.
Payment
When customers subscribe to the paid plan on SonarQube Cloud, their credit card information never transits through our system, nor does it get stored on our server. It is handed off to Braintree Payment Solutions, a company dedicated to storing customers' sensitive data on PCI-compliant servers.
System Security
SonarQube Cloud uses its own Virtual Private Cloud (AWS VPC) and runs its workloads inside private networks behind firewalls.
Permissions to infrastructure resources are modeled through IAM policies. Secure tokens and devices are required for authentication. Secure protocols are required for access. Access to the infrastructure, including storage and databases, is restricted to our SonarQube Cloud Operations team.
The system is subject to continuous logging, monitoring, and alerting through our SIEM to keep the support teams informed of operational, capacity, performance, and security issues.
SonarQube Cloud Webhooks
Customers can use secrets to secure webhooks and ensure they are coming from SonarQube Cloud (see the "Securing your webhooks" section of the Webhooks page for more information).
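A receiver-side check for the webhook secret described above, as an added example that is not Sonar's own code. It assumes the signature is the hex HMAC-SHA256 of the raw request body, delivered in the `X-Sonar-Webhook-HMAC-SHA256` header (a detail from the Webhooks documentation, not stated on this page); the secret and payload are constructed samples.

```python
import hashlib
import hmac

# Assumption: header name per the SonarQube webhook documentation, not this page.
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"

# Constructed sample values for the demonstration below.
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_BODY = b'{"project":{"key":"demo"},"qualityGate":{"status":"OK"}}'


def expected_signature(secret: str, raw_body: bytes) -> str:
    """Lowercase hex HMAC-SHA256 of the raw body, keyed with the webhook secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the delivery carries a valid signature for raw_body.

    raw_body must be the bytes as received, before any JSON parsing or
    re-serialisation, because the MAC covers the exact byte sequence.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    received = normalised.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned delivery: reject instead of trusting it
    received_bytes = received.strip().lower().encode("ascii", "replace")
    wanted_bytes = expected_signature(secret, raw_body).encode("ascii")
    # Constant-time comparison: does not reveal how many characters matched.
    return hmac.compare_digest(received_bytes, wanted_bytes)


if __name__ == "__main__":
    signed = {SIGNATURE_HEADER: expected_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    tampered = SAMPLE_BODY.replace(b'"OK"', b'"ERROR"')
    print("genuine delivery :", verify_webhook(SAMPLE_SECRET, signed, SAMPLE_BODY))
    print("tampered body    :", verify_webhook(SAMPLE_SECRET, signed, tampered))
    print("missing signature:", verify_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
```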
If you find a vulnerability, please follow our Responsible Vulnerability Disclosure process to report it to our security team.