Introduction

This document outlines the policies and guidelines established by the Test and Analysis team for users of the Geant SonarQube instance. It defines the rules for project management, access control, and security to ensure a structured and secure environment. By using this service, users agree to follow these policies, which help maintain a reliable and well-governed code analysis platform.

Permissions

Permissions can be granted to groups or individual users. By default, all projects are public, meaning all active Geant project participants logged in can browse and see the source code.

Project Policies

Project creation

• Projects are created by development teams or people responsible for quality management on request.
• The CI triggers project creation: when the CI starts for the first time, it creates a matching project in SonarQube. The default name of the project in SonarQube is the repository's name in Gitlab (it would be the same as Github).
• The user creates his personal token in SonarQube and configures it in the CI to authorize the job to connect to SonarQube. The token will be stored as a masked variable in Gitlab (the user needs to decide whether to store the token at the project or group level).

The CI makes use of the following Docker image: https://hub.docker.com/r/sonarsource/sonar-scanner-cli (there are other images available that can be tested), which is documented here: https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/

Integrations of other kinds are documented here: https://docs.sonarqube.org/latest/analyzing-source-code/ci-integration/overview/

Project deletion

Projects not analyzed in the last 12 months will be automatically deleted without prior notice unless the development or QA team needs to keep a specific project.

Token Management Policy

The Geant SonarQube instance runs on the Developer Edition, which does not allow the enforcement of token policies such as expiration dates or token types. To ensure security and proper management of tokens:

• Tokens not used for over 12 months will be automatically revoked without prior notice.
• Users are responsible for managing their personal tokens. They should check them regularly and remove the ones that are no longer in use.
• When a project is discontinued or no longer needs SonarQube, the associated token should be removed immediately to prevent unauthorized access.

User Deletion Policy

The Geant SonarQube instance implements a user retention policy to ensure security and efficient account management. To prevent the accumulation of inactive accounts:

• Users who have not logged in for over 12 months can be deleted without prior notice.

• It is the responsibility of users to maintain active access if they wish to retain their accounts.

• When a user account is deleted, all associated personal tokens and project permissions will be permanently removed.

• If a deleted user needs access again, they can re-register via sign-in with their federated account by SSO, and they need to request permission from an administrator.

• Project owners should ensure critical project permissions are not solely assigned to inactive users to prevent disruptions.