
SC-48983 Set correct project key to fix sca check#312

Merged
aleksandra-bozhinoska-sonarsource merged 2 commits into
masterfrom
task/abozhinoska/fix-sca-check
May 21, 2026

Conversation

@aleksandra-bozhinoska-sonarsource
Contributor

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

  • Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make
  • Use the following formatting style: SonarSource/sonar-developer-toolset
  • If there is a JIRA ticket available, please make your commits and pull request start with the ticket ID (SQSCANNER-XXXX)

We will try to give you feedback on your contribution as quickly as possible.

Thank You!
The SonarSource Team

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented May 20, 2026

SC-48983


@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource marked this pull request as ready for review May 21, 2026 07:16
@sonar-review-alpha

sonar-review-alpha Bot commented May 21, 2026

Summary

This PR adds SonarSource's Supply Chain Analysis (SCA) metadata and makes a build configuration change to the Docker image.

The key change is adding .github/repo-metadata.yaml with the project key required for SCA checks to run correctly. A secondary change to the Dockerfile adds --only-binary=poetry to the pip install command, ensuring the Poetry package manager is installed from a pre-built binary rather than compiled from source.

The SCA check was previously failing due to a missing or incorrect project key—this fix registers the correct identifier for the scanner-cli-docker project.

What reviewers should know

Start by checking the repo-metadata.yaml file — this is the core fix for SC-48983. The project key value should match what's configured in SonarSource's SCA infrastructure.

The Dockerfile change is a safety/build improvement: --only-binary=poetry prevents pip from attempting to build Poetry from source, which can introduce unnecessary dependencies and potential supply chain risks. This aligns well with the broader SCA goals of the PR.

Note: The author's template was left in place but should ideally have been replaced with the actual rationale. Since this is an internal SonarSource contribution (fixing infrastructure), the minimal description is acceptable.


@sonar-review-alpha sonar-review-alpha Bot left a comment

LGTM! ✅

Clean, minimal PR — both changes are straightforward and correct. No issues found.

@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource merged commit 8633b84 into master May 21, 2026
24 of 29 checks passed
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource deleted the task/abozhinoska/fix-sca-check branch May 21, 2026 12:02