Sonar has implemented a continuously advancing and improving security practice. We hold an ISO 27001:2013 certification at the company level. You can download the certificate and associated statement of applicability from our public Security Profile hosted at Whistic.
Our software development lifecycle incorporates OWASP's industry-recommended practices for producing secure code and extended testing to ensure a safe product. Software change at Sonar is delivered through a rigorous Continuous Integration/Continuous Deployment pipeline with mandatory gates at each stage, segregated code peer reviews and high visibility of the changes being delivered.
SonarLint, SonarCloud and SonarQube all undergo software composition analysis and vulnerability scanning as part of the core build process. All source code is subjected to rigorous static application security testing that is triggered on every pull request. The security quality gate requires a 100% pass rate. Our software vulnerability management, dependency scanning, and quality processes adhere to the requirements to be accepted by Iron Bank. Iron Bank is the DoD repository of digitally signed, binary container images, including both Free and Open-Source Software (FOSS) and Commercial off-the-shelf (COTS).
As part of our security efforts, our products undergo frequent and rigourous penetration tests conducted by external companies. In our Security Profile at Whistic, you can find our penetration test reports for SonarLint, SonarCloud, and SonarQube.
All Sonar employees undergo regular security awareness training and assessments. For new joiners, there is mandatory comprehensive security training delivered in person by our internal security team. As an organization, we continuously test our employees' awareness through phishing campaigns and scheduled affirmations of policy awareness, for example, our internal Acceptable Use Policy.
SonarSource relies on Amazon Web Services for infrastructure hosting and our payments are managed by PayPal (Braintree). We do not use third parties for development and support. Our developers and operations team are all part of Sonar.
Hosting & resilience
SonarCloud is a SaaS solution deployed as a multi-tenant, shared-resource architecture and hosted by Amazon Web Services, in world-class data centers with numerous certifications, including ISO/IEC 27001 and SOC2. Learn more on the Compliance center at Amazon Web Services.
SonarCloud is hosted primarily in the Frankfurt Region and occasionally, we use services located in the AWS Ireland Region when they are not available in Frankfurt.
Within each Region, SonarCloud services are spread across three Availability Zones. An Availability Zone consists of one or more discrete data centers having redundant power and networking. Availability Zones are physically distant from each other, in line with industry standards.
To ensure data availability, the SonarCloud databases are replicated in quasi-real-time to the two other availability zones within the Frankfurt Region. In the past, this setup has let SonarCloud handle a full Availability Zone outage in a transparent manner. In addition, the databases are fully backed up every day and moved off-site. To meet peak demand, our architecture is designed to provide rapid resource scalability.
You can view our current and historical service levels.
Primary authentication on the system is available through the SonarCloud GitHub application and OAuth authentication with Bitbucket Cloud, Microsoft Azure DevOps, and GitLab. As a consequence, users don't have a password specific to SonarCloud itself but are protected to the level provided by the code repository platform (especially with 2FA activated on those systems).
For Web Server API calls or source code analysis triggered from Continuous Integration services, only revocable user tokens are accepted.
In addition to our proven infrastructure resilience, we are also organized by design to ensure our business continues to operate well in the event of a major disruption. Our teams are located across two continents, and four countries - Switzerland, France, Germany, and the USA, and our technology infrastructure allows for flexible remote working. We perform regular Business Continuity table-top exercises for a variety of scenarios and, during the pandemic, this was subjected to the ultimate test with great success.
Application and database upgrades are all performed using the blue/green deployment method making the SonarCloud change process transparent to our customers. In the event that a deployment requires a planned outage, we notify our customers through the community forum and the SonarCloud status page. You can subscribe here to receive communications.
All communications across the public network are secure and require using version 1.2 of the TLS protocol (older versions 1.0 and 1.1 are denied):
- Navigating in the web application
- Using web server APIs
- Running analysis (by the scanners) from CI services and pushing analysis reports to SonarCloud
To perform code analysis, report issues, decorate your source code, and provide metrics in the SonarCloud dashboard, your scan report containing your source code needs to be pushed to the SonarCloud server. We do not store all the source code from your repository, only the source code from your most recent scans.
At the infrastructure level, access to data is controlled by limiting the host to network zones that only SonarCloud Operations can access. The production environment is strictly separate from our development and testing environments.
SonarCloud databases, snapshots, and backups are encrypted at rest to AES-256 standards, in all environments, with Sonar-managed keys. Logs are stored in protected S3 buckets and encrypted with AWS-managed keys. The production environment is strictly separate from all non-production environments, such as our development and testing environments. Sensitive data is sanitized in a dedicated sanitization environment prior to use in any non-production environment.
At the software level, SonarCloud ensures private source code is accessible only to the members code repository platform organization, in addition to a few SonarCloud Operations team members, and for support purposes only. Furthermore, customers can delete their projects, and therefore, source code and issue reports from our system at any time. This is entirely under the customer's control. Data may be held within the secure snapshot retention cycle for up to one year for legitimate purposes.
When customers subscribe to the paid plan on SonarCloud, their credit card information never transits through our system, nor does it get stored on our server. It is handed off to Braintree Payment Solutions, a company dedicated to storing customers sensitive data on PCI-Compliant servers.
SonarCloud uses its own Virtual Private Cloud (AWS VPC) and runs its workloads inside private networks behind firewalls.
Permissions to infrastructure resources are modeled through IAM policies. Secure tokens and devices are required for authentication. Secure protocols are required for access. Access to the infrastructure, including storage and databases, is restricted to our SonarCloud Operations team.
The system is subject to continuous logging, monitoring, and alerting through our SIEM to keep the support teams informed of operational, capacity, performance, and security issues.
Customers can use secrets to secure webhooks and ensure they are coming from SonarCloud (see the "Securing your webhooks" section of the Webhooks page for more information).
If you find a vulnerability, please follow our Responsible Vulnerability Disclosure process to report it to our security team.