actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2026-05-22 18:05:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
sonarqube-scan-action/package.json
Claire Villard e1c6b579ce SQSCANGHA-140 Add GPG signature verification for scanner downloads 
Implemented OpenPGP signature verification to ensure the integrity and authenticity of downloaded SonarQube scanner packages. This security enhancement protects against supply chain attacks.

Key implementation decisions:
  - GPG verification runs by default for all scanner downloads, with an optional skipSignatureVerification flag for environments where GPG is unavailable
  - Dual keyserver strategy: attempts primary keyserver (keyserver.ubuntu.com) with automatic fallback to keys.openpgp.org if the primary fails, improving reliability across different network environments
  - Platform-specific path handling: converts Windows paths to Unix-style format for GPG compatibility, as GPG from Git for Windows expects Unix-style paths even on Windows systems
  - Isolated verification: uses temporary GPG home directories to avoid polluting user keyring, with guaranteed cleanup in finally blocks to prevent temp file leakage even on verification failures
  - Security-first error handling: throws clear errors when GPG is absent or signatures fail, preventing silent security bypasses

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
2026-04-28 15:44:49 +02:00

25 lines
841 B
JSON
Raw Blame History

{
"name": "sonarqube-scan-action",
"version": "6.0.0",
"description": "This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).",
"type": "module",
"main": "src/main/index.js",
"scripts": {
"build": "rollup --config rollup.config.js",
"test": "node --experimental-test-module-mocks --test"
},
"license": "LGPL-3.0-only",
"dependencies": {
"@actions/core": "3.0.0",
"@actions/exec": "2.0.0",
"@actions/github": "9.0.0",
"@actions/tool-cache": "4.0.0",
"string-argv": "0.3.2"
},
"devDependencies": {
"@rollup/plugin-commonjs": "29.0.2",
"@rollup/plugin-node-resolve": "16.0.3",
"mock-fs": "5.5.0",
"rollup": "4.60.1"
}
}
Reference in a new issue View git blame Copy permalink