Add GPG signature verification to ensure downloaded Sonar Scanner CLI binaries are authentic and haven't been tampered with. This implements supply-chain security by verifying signatures against SonarSource's public key.

Changes:
- Add gpg-verification.js module with signature verification logic
- Download and verify .asc signature files alongside scanner ZIPs
- Import SonarSource public key from keyserver.ubuntu.com
- Add skipSignatureVerification input parameter (default: false)
- Add @actions/exec dependency for cross-platform GPG execution
- Add comprehensive unit tests for verification functions
- Update dist with bundled changes

Verification is enabled by default and uses an isolated temporary GPG home directory to avoid polluting the user's keyring. All temporary files are cleaned up properly, even on errors.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
{
"name": "sonarqube-scan-action",
"version": "6.0.0",
"description": "This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).",
"type": "module",
"main": "src/main/index.js",
"scripts": {
"build": "rollup --config rollup.config.js",
"test": "node --test"
},
"license": "LGPL-3.0-only",
"dependencies": {
"@actions/core": "3.0.0",
"@actions/exec": "2.0.0",
"@actions/github": "9.0.0",
"@actions/tool-cache": "4.0.0",
"string-argv": "0.3.2"
},
"devDependencies": {
"@rollup/plugin-commonjs": "29.0.2",
"@rollup/plugin-node-resolve": "16.0.3",
"mock-fs": "5.5.0",
"rollup": "4.60.1"
}
}