Question

I have a single Sonar instance analyzing codebases of different projects owned by different customers. I need to ensure none of the project teams can manipulate the Sonar/machine security to access the codebases of other projects (for example, through a malicious unit test or through a script that creates a backdoor).

I can use Windows security to create restricted user accounts that only have access to project-specific folders. Then I can use that Windows account to schedule a task that downloads the code from SCM and triggers Sonar Runner to perform the analysis.

Now my question is this. When I run Sonar Runner under a particular Windows user account, will the real sonar analysis/unit test execution run within a sandbox of that particular user account?

If not, is there a means of sandboxing different projects to achieve my goal?


Solution

I don't know how Windows security works, but generally speaking, creating a user (or several users if you want to) with restricted permissions should indeed protect your Sonar server from most issues.
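The setup the question describes, written out as an added example (this is not code from the question or the answer): one restricted local account per project, an ACL that confines that account to its own project folder, and a scheduled task that runs the checkout and the Sonar Runner call under that account. The project name, the folder layout under `C:\Builds`, the job-script location under `C:\SonarJobs` and the `run-analysis.ps1` wrapper are all assumptions for illustration; run it from an elevated PowerShell on the build machine.

```powershell
# Added example, not from the original question/answer. Assumptions: project name,
# C:\Builds\<project> as the per-project working folder, and an admin-owned wrapper
# script C:\SonarJobs\<project>\run-analysis.ps1 (SCM checkout + sonar-runner) that the
# service account can read but not write. Requires Windows 10 / Server 2016 or later.
$ProjectName = 'ProjectA'                        # assumed
$ProjectRoot = "C:\Builds\$ProjectName"          # assumed: the only folder the account may modify
$JobScript   = "C:\SonarJobs\$ProjectName\run-analysis.ps1"   # assumed wrapper, admin-owned
$SvcUser     = "sonar_$ProjectName"              # one account per project
$SvcPassword = Read-Host -AsSecureString "Password for $SvcUser"

# 1. Plain local user: member of Users only, never of Administrators.
New-LocalUser -Name $SvcUser -Password $SvcPassword -PasswordNeverExpires `
    -UserMayNotChangePassword -Description "Sonar build account for $ProjectName" | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $SvcUser

# 2. Project folder: drop inherited ACEs, then grant only admins, SYSTEM and this account.
#    (OI)(CI) = applies to files and subfolders; M = Modify, F = Full control.
New-Item -ItemType Directory -Path $ProjectRoot -Force | Out-Null
icacls $ProjectRoot /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${SvcUser}:(OI)(CI)M"

# 3. Job script folder: read-only for the account, so a malicious test cannot rewrite the job.
New-Item -ItemType Directory -Path (Split-Path $JobScript) -Force | Out-Null
icacls (Split-Path $JobScript) /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${SvcUser}:(OI)(CI)RX"

# 4. Scheduled task that runs the wrapper under the service account, even when not logged on.
#    Everything the wrapper spawns (the build, unit tests, sonar-runner) inherits this token.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$JobScript`"" -WorkingDirectory $ProjectRoot
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00
$plain   = [System.Net.NetworkCredential]::new('', $SvcPassword).Password
Register-ScheduledTask -TaskName "Sonar-$ProjectName" -Action $action -Trigger $trigger `
    -User "$env:COMPUTERNAME\$SvcUser" -Password $plain -RunLevel Limited | Out-Null

# 5. Check from the service account's point of view (run after the task exists).
#    Both commands should print the ACL with no entry for the other project's account.
icacls $ProjectRoot
icacls 'C:\Builds\ProjectB'      # assumed sibling project; sonar_ProjectA must not appear here
```

Two points worth checking in practice: the test is not the ACL listing but an actual access attempt as the account (for example `runas /user:sonar_ProjectA cmd` followed by `dir C:\Builds\ProjectB`, which should be denied), and the wrapper script must live outside the folder the account can write to, otherwise a unit test that rewrites it runs arbitrary code at the next scheduled run. Windows file permissions constrain what the account can read and write on disk; anything the job needs beyond that (SCM credentials, the Sonar server connection) still has to be scoped per project separately.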

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow