In the scanner, Settings for Global/Project/Module containers are created from the analysis properties and are mutable. These Settings are used everywhere to define the behavior of the scanner-engine based on properties passed by the client (maven, cli, ..).
Plugins have easy access to it through SensorContext#Settings, so it's easy for plugins or some part of the engine to manipulate them and change the behavior. The settings also get written in the report and sent to the CE.
For all these reasons, all settings should be immutable. We should deprecate accessing the current Settings object through SensorContext or directly through ioc and introduce a new object.
On server side, Settings are mutable, but it should not be exposed to plugins.
Proposal: introduce a new API named "Configuration" and deprecate existing Settings class. Configuration will only expose getters.