actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2026-05-22 18:05:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
sonarqube-scan-action/action.yml
Claire Villard e1c6b579ce SQSCANGHA-140 Add GPG signature verification for scanner downloads 
Implemented OpenPGP signature verification to ensure the integrity and authenticity of downloaded SonarQube scanner packages. This security enhancement protects against supply chain attacks.

Key implementation decisions:
  - GPG verification runs by default for all scanner downloads, with an optional skipSignatureVerification flag for environments where GPG is unavailable
  - Dual keyserver strategy: attempts primary keyserver (keyserver.ubuntu.com) with automatic fallback to keys.openpgp.org if the primary fails, improving reliability across different network environments
  - Platform-specific path handling: converts Windows paths to Unix-style format for GPG compatibility, as GPG from Git for Windows expects Unix-style paths even on Windows systems
  - Isolated verification: uses temporary GPG home directories to avoid polluting user keyring, with guaranteed cleanup in finally blocks to prevent temp file leakage even on verification failures
  - Security-first error handling: throws clear errors when GPG is absent or signatures fail, preventing silent security bypasses

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
2026-04-28 15:44:49 +02:00

33 lines
1 KiB
YAML
Raw Blame History

name: Official SonarQube Scan
# Warning: changing name would change URL in the marketplace
description: >
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
branding:
icon: check
color: green
inputs:
args:
description: Additional arguments to the Sonar Scanner CLI
required: false
default: ""
projectBaseDir:
description: Set the sonar.projectBaseDir analysis property
required: false
default: "."
scannerVersion:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
default: 8.0.1.6346
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
skipSignatureVerification:
description: Skip GPG signature verification (not recommended for security)
required: false
default: "false"
runs:
using: node24
main: dist/index.js
Reference in a new issue View git blame Copy permalink