UPDATE ......From Tuesday 8 April 2025 we have changed the way that Single Sign-on works on this wiki. Please see here for more information:
Update
Permissions
Permissions can be granted to groups or individual users. By default policy all projects are public. Anyone active Geant project participants logged user can browse and see the source code.
Project Policies
Project creation
Projects are created by development teams or people responsible for quality management on request.
Project creation is triggered by the CI: when the CI starts for the first time, it creates a matching project in SonarQube. The default name of the project in SonarQube is the name of the repository in Gitlab (it would be the same with Github).
The user creates his personal token in SonarQube and cofigures it in the CI, to authorize the job to connect to SonarQube. The token will be stored as a masked variable in Gitlab (the user needs to decide whether to store the token at project level, or the group level).
The CI makes use of the following Docker image: https://hub.docker.com/r/sonarsource/sonar-scanner-cli (there are other images available that can be tested) which is documented here: https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/
Integrations of other kind are documented here: https://docs.sonarqube.org/latest/analyzing-source-code/ci-integration/overview/
Project deletion
Projects that have not been analyzed in the last 18 months will be automatically deleted without prior notice, unless the development or QA team needs to keep a specific project.
Token Management Policy
The Geant SonarQube instance runs on the Developer Edition, which does not allow the enforcement of token policies such as expiration dates or token types. To ensure security and proper management of tokens:
- Tokens that have not been used for more than 12 months will be automatically revoked without prior notice.
- Users are responsible for managing their personal tokens, i.e. they should check them regularly and remove the ones that are no longer in use.
- When a project is discontinued or it does not need SonarQube anymore, the associated token should be removed immediately to prevent unauthorized access.