ADR-024: Deprecate MoJ Sonarcloud
Status
✅ Accepted
Context
MoJ has a free (legacy) Sonarcloud account which is used by a small number of teams across MoJ for code scanning on public repositories.
Problem - Logevity of legacy subscription
The subscription has been converted to a “Free (Legacy)” subscription. This type of account is no longer available to new users and may be removed by the vendor at any point in the future in favour of the new type of free account that would not scale for our organisation.
Problem - Lack of audit
The free subscription has limited features and no audit logs so it is not possible to see who has access or made changes to any data within the organisation.
Problem - Lack of use
Over time the uptake of the service has reduced, offering reduced value to the organisation. We are aware that a number of applications are linked to the subscription but not actively being used.
Problem - Lack of domain ownership
Operations Engineering inherited this tool which had been abandoned. Onboarding required GitHub Organisation Owner permissions, and as we were trying to reduce the number of org owners it was determined that Operations Engineering could manage this centrally. Having said that we have no domain expertise in code scanning solution that are most appropriate for the organisation, and took on ownership while value of the tool was explored.
Decision
As Sonarcloud is not one of the strategic tools for code scanning, and due to the risks associated with maintaining a deprecated service, we have decided that we will no longer onboard services to the tool and will recommend that existing users move to one of the strategic alternatives.