Permissions

Permissions can be granted to groups or individual users. By default, all projects are public, meaning all active Geant project participants logged in can browse and see the source code.

Project Policies

Project creation

• Projects are created by development teams or people responsible for quality management on request.
• The CI triggers project creation: when the CI starts for the first time, it creates a matching project in SonarQube. The default name of the project in SonarQube is the repository's name in Gitlab (it would be the same as Github).
• The user creates his personal token in SonarQube and configures it in the CI to authorize the job to connect to SonarQube. The token will be stored as a masked variable in Gitlab (the user needs to decide whether to store the token at the project or group level).

The CI makes use of the following Docker image: https://hub.docker.com/r/sonarsource/sonar-scanner-cli (there are other images available that can be tested), which is documented here: https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/

Integrations of other kinds are documented here: https://docs.sonarqube.org/latest/analyzing-source-code/ci-integration/overview/

Project deletion

Projects not analyzed in the last 18 months will be automatically deleted without prior notice unless the development or QA team needs to keep a specific project.

Token Management Policy

The Geant SonarQube instance runs on the Developer Edition, which does not allow the enforcement of token policies such as expiration dates or token types. To ensure security and proper management of tokens:

• Tokens not used for over 12 months will be automatically revoked without prior notice.
• Users are responsible for managing their personal tokens. They should check them regularly and remove the ones that are no longer in use.
• When a project is discontinued or no longer needs SonarQube, the associated token should be removed immediately to prevent unauthorized access.