mirror of
https://github.com/SonarSource/sonarqube-scan-action.git
synced 2026-05-13 22:25:54 +00:00
SQSCANGHA-145 Set skipSignatureVerification default value to false (#241)
Some checks failed
parent ca30b65f4e
commit 59db25f34e
2 changed files with 19 additions and 2 deletions
README.md | 17
@ -200,6 +200,23 @@ This can be useful when the runner executing the action is self-hosted and has r
scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
```
#### `skipSignatureVerification`
By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
skipSignatureVerification: true
```
> [!NOTE]
> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not.
>
> **Version history:**
> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`.
> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly.
More information about possible analysis parameters can be found:
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
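Review bot: the new `skipSignatureVerification` section explains how to turn verification off but not what is lost by doing so; the sentence starting `By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary` should add that with `skipSignatureVerification: true` the downloaded scanner archive is executed with no authenticity check at all, so installing `gpg` and `dirmngr` on the runner is the preferred fix and disabling verification the fallback. It is also worth one sentence noting that the context line just above this hunk, `scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/`, combined with verification disabled means the action will run whatever that mirror serves, since the signature check is the only thing that ties a custom mirror back to SonarSource's key. The version-history bullets (default `true` in v7.2, `false` in v8 as a breaking change) are clear and should stay.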
@ -25,9 +25,9 @@ inputs:
required: false
default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
skipSignatureVerification:
description: Skip GPG signature verification (defaults to true temporarily while dirmngr dependency is resolved; set to false to enable verification)
description: Skip GPG signature verification (not recommended for security)
required: false
default: "true"
default: "false"
runs:
using: node24
main: dist/index.js
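Review bot: flipping `default: "false"` makes verification mandatory on runners that lack `gpg` or `dirmngr`, but the new description `Skip GPG signature verification (not recommended for security)` no longer says when a user would legitimately set it, which is exactly what someone hitting the new failure needs to read; suggest something like `description: Skip OpenPGP signature verification of the downloaded scanner (not recommended; only for runners without gpg/dirmngr)` so the input text matches the README note. Please also confirm that the verification failure path reports a message naming this input rather than a bare gpg error, since a changed default is where existing workflows will first encounter it, and that the breaking change is called out wherever v8 is announced (the README hunk already labels it as such).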