
SONARCLOUD-90 Add Security Page for SonarCloud

tags/7.5
Fabrice Bellingard 5 years ago
parent
commit
6bee2d5ea8

+ 49
- 0
server/sonar-docs/src/pages/security.md

@@ -0,0 +1,49 @@
---
title: SonarCloud Security
scope: sonarcloud
---

We know that your code is very important to you and your business. We also know that no one wants proven bugs or vulnerabilities found on their source code to be unveiled to third-parties. This is why we take security extremely seriously.

## Hosting

SonarCloud is hosted on Amazon AWS in Frankfurt.

## System security

We keep system up to date, OS packages are updated at least weekly. SonarCloud is on its own AWS VPC. We have firewall at VPC and VM level.

Except the Operations team, no SonarSource employee has access to the system, especially the database which stores source code and analysis results.

The Operations team has access to the system through secured channels (SSH) only.

## Data security

All the data is stored on a Postgres RDS instance which only the Operation has access to.

Isolation of data per organization is ensured at software level, which secures access to source code to organization members only.

The source code is not encrypted in the database, but the access to the database is restricted to SonarSource operations team and can be done only through a SSH tunnel.

The DB is backed up everyday by Amazon RDS mechanism, with 7 days retention.

## Software security

The Web Application and Web APIs regularly pass penetration testing conducted by a an external company, specialized in cyber and application security, certified in accordance to ISO-27001 and which is also member of the OWASP.

## Communications

All communications are done over TLS 1.2:
* Navigating in the Web application
* Using WS APIs
* Running analysis (by the scanners) from CI services and pushing analysis reports to SonarCloud

## Authentication

Primary authentication on the system is available only through OAuth authentication with GitHub, Bitbucket Cloud and Microsoft VSTS. As a consequence, users don’t have a password on SonarCloud, and are as protected as what they expect (especially with 2FA activated on those systems).
For WS API calls or source code analysis triggered from CI services, only revocable user tokens are accepted.

## Payment

When you subscribe to the paid plan on SonarCloud, your credit card information never transit through our system nor it gets stored on the server. It's handed off to [Braintree Payment Solutions](https://www.braintreepayments.com), a company dedicated to storing your sensitive data on [PCI-Compliant](http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) servers.
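Review bot: In the "Data security" section of the new security.md the two statements "only the Operation has access to" and "The source code is not encrypted in the database" sit next to each other and a reader will weigh them together; say explicitly whether RDS storage encryption (at rest) is enabled or not, and make "the Operation" consistent with "the Operations team" used everywhere else on the page. Smaller fixes in the same hunk: "conducted by a an external company" has a doubled article; "We keep system up to date, OS packages are updated at least weekly" should be "We keep the system up to date; OS packages are updated at least weekly"; "your credit card information never transit through our system nor it gets stored on the server" should read "never transits through our system, nor is it stored on the server"; and "All communications are done over TLS 1.2" is ambiguous about whether older versions are refused, so state it as a minimum ("TLS 1.2 or later") if that is what the endpoints enforce.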

+ 3
- 0
server/sonar-web/src/main/js/app/components/GlobalFooterSonarCloud.tsx

@@ -59,6 +59,9 @@ export default function GlobalFooterSonarCloud() {
<li className="page-footer-menu-item">
<Link to="/documentation/privacy">{translate('footer.privacy')}</Link>
</li>
<li className="page-footer-menu-item">
<Link to="/documentation/security">{translate('footer.security')}</Link>
</li>
<li className="page-footer-menu-item">
<a
href="https://community.sonarsource.com/c/help/sc"

+ 11
- 0
server/sonar-web/src/main/js/app/components/__tests__/__snapshots__/GlobalFooterSonarCloud-test.tsx.snap

@@ -66,6 +66,17 @@ exports[`should render correctly 1`] = `
footer.privacy
</Link>
</li>
<li
className="page-footer-menu-item"
>
<Link
onlyActiveOnIndex={false}
style={Object {}}
to="/documentation/security"
>
footer.security
</Link>
</li>
<li
className="page-footer-menu-item"
>

+ 5
- 0
server/sonar-web/src/main/js/apps/about/sonarcloud/Footer.tsx

@@ -103,6 +103,11 @@ export default function Footer() {
Privacy
</Link>
</li>
<li className="spacer-top">
<Link className="sc-footer-link" to="/documentation/security">
Security
</Link>
</li>
</ul>
</div>
</nav>
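Review bot: The link text "Security" is hardcoded in this footer while GlobalFooterSonarCloud.tsx in the same commit uses translate('footer.security') for the same item; the file already hardcodes "Privacy" in the entry above, so this is consistent within the file, but if this marketing footer is ever localized both entries should be switched to the new footer.security key rather than adding a second literal.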

+ 1
- 0
sonar-core/src/main/resources/org/sonar/l10n/core.properties

@@ -2577,6 +2577,7 @@ footer.plugins=Plugins
footer.privacy=Privacy
footer.production_database_explanation=The embedded database will not scale, it will not support upgrading to newer versions of {instance}, and there is no support for migrating your data out of it into a different database engine.
footer.production_database_warning=Embedded database should be used for evaluation purpose only
footer.security=Security
footer.support=Get Support
footer.status=Status
footer.terms=Terms
