Commit graph

27 commits

Author SHA1 Message Date
Claire Villard
e1c6b579ce SQSCANGHA-140 Add GPG signature verification for scanner downloads
Implemented OpenPGP signature verification to ensure the integrity and authenticity of downloaded SonarQube scanner packages. This security enhancement protects against supply chain attacks.

Key implementation decisions:
  - GPG verification runs by default for all scanner downloads, with an optional skipSignatureVerification flag for environments where GPG is unavailable
  - Dual keyserver strategy: attempts primary keyserver (keyserver.ubuntu.com) with automatic fallback to keys.openpgp.org if the primary fails, improving reliability across different network environments
  - Platform-specific path handling: converts Windows paths to Unix-style format for GPG compatibility, as GPG from Git for Windows expects Unix-style paths even on Windows systems
  - Isolated verification: uses temporary GPG home directories to avoid polluting user keyring, with guaranteed cleanup in finally blocks to prevent temp file leakage even on verification failures
  - Security-first error handling: throws clear errors when GPG is absent or signatures fail, preventing silent security bypasses

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-28 15:44:49 +02:00
Claire Villard
299e4b793a SQSCANGHA-132 Upgrade Node to 24 (#224)
Some checks failed
2026-04-01 11:14:54 +02:00
github-actions[bot]
a31c9398be SQSCANGHA-126 Update SonarScanner CLI to 8.0.1.6346 (#218)
Some checks failed
2025-12-09 09:53:51 +01:00
github-actions[bot]
ba6563cca7 Update SonarScanner CLI to 7.3.0.5189 (#212) 2025-10-06 09:29:17 +02:00
Jeremy Davis
16df975da5 SQSCANGHA-113 Migrate scanner run step 2025-09-18 10:38:53 +02:00
Jeremy Davis
ed9f3aad50 SQSCANGHA-112 Migrate installation step 2025-09-18 10:38:53 +02:00
Jeremy Davis
6a808e9a20 SQSCANGHA-115 Migrate sanity checks 2025-09-18 10:38:53 +02:00
Daan Timmer
1a6d90ebcb SQSCANGHA-102 Pin actions/cache to a full-length commit SHA (#199) 2025-08-28 12:18:32 +02:00
Aleksandra Bozhinoska
016cabf33a SQSCANGHA-101 Add more command injection tests 2025-08-28 10:57:10 +02:00
github-actions[bot]
8c71dc039c SQSCANGHA-98 Update SonarScanner CLI to 7.2.0.5079 (#196)
Co-authored-by: SonarTech <sonartech@sonarsource.com>
2025-07-22 10:45:53 +02:00
csaba-feher-sonarsource
2500896589 SQSCANGHA-92 Validate scanner version (#189)
Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>
2025-05-05 17:48:40 +02:00
Julien HENRY
be0a85295f SQSCANGHA-89 Fix possible command injection
It is unlikely to be a real concern, since an attacker having the possibility to edit a pipeline can easily execute any command, but at least our step won't be involved
2025-04-29 12:17:00 +02:00
SonarTech
aa494459d7 SQSCANGHA-85 Update SonarScanner CLI to 7.1.0.4889 to support sonar.region=us 2025-03-24 15:16:27 +01:00
Adam Setch
550777f6eb NO-JIRA Remove superfluous space from action description 2025-02-20 12:02:15 +01:00
SonarTech
0303d6b62e Update SonarScanner CLI to 7.0.2.4839 2025-02-14 14:05:04 +01:00
Julien HENRY
3ed7560138 SQSCANGHA-82 Automate the update of the Scanner CLI version 2025-02-14 12:33:25 +01:00
Antonio Aversa
bfd4e558cd SQSCANGHA-77 Change title back to SonarQube Scan Action (#166) 2024-12-17 10:59:50 +01:00
Antonio Aversa
00e62e1190 SQCPPGHA-9 Extend action to support C, C++, and Objective-C projects (#161) 2024-12-16 10:24:14 +01:00
Antonio Aversa
a36db763ac SQSCANGHA-64 Shorten action description to respect 125 chars limit (#157) 2024-12-09 10:56:27 +01:00
Antonio Aversa
7b13cfe195 SQSCANGHA-54 Rebranding 2024-11-28 10:41:20 +01:00
Antonio Aversa
05ca09c2da SQSCANGHA-51 Make Scanner CLI binaries URL customizable 2024-11-28 08:06:29 +01:00
Antonio Aversa
6440c73982 SQSCANGHA-56 Support GitHub self-hosted runners without keytool 2024-11-28 07:36:28 +01:00
Antonio Aversa
94d4f8ac4a SQSCANGHA-46 Replace the Docker action by a composite action 2024-11-12 14:17:50 +01:00
Benjamin Svobodny
fd8151470c SQSCANGHA-3 Permission cleanup doesn't run if the scanner exits with a non-0 code (#33) 2022-07-05 15:15:01 +02:00
Wouter Admiraal
7ed48e279f Update action.yml 2021-05-17 08:28:26 +02:00
Wouter Admiraal
3e4828d307 Update marketing wording 2021-05-14 15:15:45 +02:00
Wouter Admiraal
71de302835 SONAR-14822 Provide a GitHub Action to scan a project 2021-05-14 10:14:11 +02:00