SonarCloud vulnerability scanning

We use SonarCloud as a static analysis tool to analyse the code in the sourcegraph/sourcegraph repository for security vulnerabilities.

For Security engineers

Changing the SonarCloud configuration

You can log in to the SonarCloud website with your GitHub credentials and should then be able to view and edit the SonarCloud configuration.

SonarCloud is configured with a quality gate: only code that SonarCloud rates with a ‘Security Grade’ of A passes the gate. Any lower grade fails it.

sourcegraph/sourcegraph has a branch protection rule that requires this check: a pull request that fails the quality gate cannot be merged into the main branch. Changing the rule requires a GitHub admin.
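The quality-gate result that backs the GitHub check can also be read programmatically, which is useful when reproducing a failure locally or mirroring the gate in another pipeline. The following is an added example, not code from the Sourcegraph handbook or repository. It assumes the SonarCloud web API endpoint api/qualitygates/project_status and its response shape (a projectStatus object with an overall status and per-condition entries), that a SonarCloud user token is accepted as a Bearer token, and that rating metrics use Sonar's numeric scale where 1 means grade A. The sample response below is constructed for illustration, not a real scan result.

```python
"""Interpret a SonarCloud quality-gate result the way the GitHub check does.

Added example; endpoint path, auth header and response shape are assumptions
documented in the lead-in, not taken from the Sourcegraph handbook.
"""
import json
import urllib.parse
import urllib.request

# Sonar rating metrics (security_rating, new_security_rating, ...) are numeric:
# 1 = A, 2 = B, 3 = C, 4 = D, 5 = E. A gate of "rating > 1 is an error" therefore
# means "anything worse than A fails", which is the page's Security Grade A rule.
RATING_TO_GRADE = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}

# Constructed sample of a project_status response (not a real scan result):
# the new-code security rating is C, so the gate fails.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
    }
})


def rating_to_grade(rating):
    """Map a Sonar rating value ('1', '3.0', ...) to its letter grade."""
    return RATING_TO_GRADE.get(int(float(rating)), "?")


def evaluate_gate(response_text):
    """Return (passed, failing_conditions) for a project_status response body.

    failing_conditions is a list of human-readable strings, one per condition
    whose status is not OK, with rating metrics rendered as letter grades so the
    output reads like the SonarCloud UI ("got C, gate requires A").
    """
    data = json.loads(response_text)
    status = data["projectStatus"]
    failing = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "OK":
            continue
        key = cond["metricKey"]
        actual = cond.get("actualValue", "?")
        threshold = cond.get("errorThreshold", "?")
        if key.endswith("_rating"):
            # comparator GT with threshold 1 means "fail if worse than A"
            actual = rating_to_grade(actual)
            threshold = rating_to_grade(threshold)
            failing.append(f"{key}: got {actual}, gate requires {threshold} or better")
        else:
            failing.append(f"{key}: got {actual}, threshold {threshold}")
    return status["status"] == "OK", failing


def fetch_project_status(project_key, token, host="https://sonarcloud.io"):
    """Fetch the live gate status for a project (assumed endpoint and auth).

    Hypothetical helper for real use; the test below uses SAMPLE_RESPONSE instead.
    """
    url = f"{host}/api/qualitygates/project_status?" + urllib.parse.urlencode(
        {"projectKey": project_key})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    passed, failing = evaluate_gate(SAMPLE_RESPONSE)
    print("quality gate:", "PASSED" if passed else "FAILED")
    for line in failing:
        print("  -", line)
```

Run it as-is to see the constructed failure interpreted; to check a real project, call `fetch_project_status` with the project key and a user token and pass the result to `evaluate_gate`.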

Changing the GitHub/SonarCloud integration

You will need to be, or have access to, a GitHub admin to change this.

The SonarCloud GitHub app runs a check against every branch and pull request, and against the main branch itself. It currently scans only the Sourcegraph product, via the main sourcegraph/sourcegraph repository.

There isn’t much other configuration to set up or change for the GitHub app.

For Sourcegraph engineers

Any SonarCloud issues should be visible to you via the output of the SonarCloud Code Analysis GitHub check. If you’re not clear on how to resolve an issue raised by SonarCloud, please reach out to the Security team in #security.

If the offending commit has to be landed as part of resolving an incident, find an admin for the repository (to whom branch protection rules do not apply) to merge the code for you.