actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2026-05-22 18:05:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
sonarqube-scan-action/action.yml
Claire Villard e8b2382915 SQSCANGHA-140 Implement OpenPGP signature verification for scanner downloads 
Add GPG signature verification to ensure downloaded Sonar Scanner CLI binaries
are authentic and haven't been tampered with. This implements supply chain
security by verifying signatures against SonarSource's public key.

Changes:
- Add gpg-verification.js module with signature verification logic
- Download and verify .asc signature files alongside scanner ZIPs
- Import SonarSource public key from keyserver.ubuntu.com
- Add skipSignatureVerification input parameter (default: false)
- Add @actions/exec dependency for cross-platform GPG execution
- Add comprehensive unit tests for verification functions
- Update dist with bundled changes

Verification is enabled by default and uses an isolated temporary GPG home
directory to avoid polluting user's keyring. All temporary files are cleaned
up properly, even on errors.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-27 17:54:16 +02:00

33 lines
1 KiB
YAML
Raw Blame History

name: Official SonarQube Scan
# Warning: changing name would change URL in the marketplace
description: >
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
branding:
icon: check
color: green
inputs:
args:
description: Additional arguments to the Sonar Scanner CLI
required: false
default: ""
projectBaseDir:
description: Set the sonar.projectBaseDir analysis property
required: false
default: "."
scannerVersion:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
default: 8.0.1.6346
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
skipSignatureVerification:
description: Skip GPG signature verification (not recommended for security)
required: false
default: "false"
runs:
using: node24
main: dist/index.js
Reference in a new issue View git blame Copy permalink