Delivering Secure Code isn’t enough;
You also need to deliver code securely
Delivering perfect code doesn’t mean much if it comes from a compromised pipeline. Securing your DevOps infrastructure is nearly as important as the code itself.
Securing your instance
We care not only about the security of your code, but also about the security of your SonarQube environment. From SonarQube 8.9 LTS, operating SonarQube is more secure than ever, with simple but effective new safeguards such as:
to change the default SonarQube admin credentials – to make adherence to best practices routine.
as the default – to help you keep private code private.
Limited plugin access to core functionality and restricted library loading – to prevent third-party plugins from tampering with your installation.
in the plugin Marketplace (as a gentle reminder that you use community plugins at your own risk) – to stay mindful about the risks you accept.
We’ve implemented these controls because SonarQube has access to all your source code, and we take the responsibility to protect it seriously.
In Cure53’s expert opinion, this project confirmed a very solid security premise at SonarSource… [SonarQube] is currently well protected against a broad number of web application attack vectors.
One can argue that the outcome highlights the development team’s commitment to maintaining security features with due diligence and adherence to best practices. Despite extensive deep-dives and exemplary coverage toward a plethora of application features by the Cure53 testers, no serious issues were detected.
In addition to hardening SonarQube itself, we’ve also hardened our own build pipeline so you can be sure we’re delivering SonarQube to you securely.