Harden SonarCloud workflow: scope permissions, fix injection vectors#1057
Open
efiacor wants to merge 3 commits into
Open
Harden SonarCloud workflow: scope permissions, fix injection vectors#1057efiacor wants to merge 3 commits into
efiacor wants to merge 3 commits into
Conversation
- Move permissions from workflow level to job level (least privilege) - Remove unused checks:write permission - Move clone_url expression to env var (consistent with other hardening) - Add missing -Dproject.settings to push scan step Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
efiacor
requested review from
kispaljr,
liamfallon and
mozesl-nokia
as code owners
✅ Deploy Preview for kpt-porch ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
dosubot
Bot
added
the
size:XS
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the SonarCloud/SonarQube GitHub Actions workflow by scoping GITHUB_TOKEN permissions per job and reducing injection risk in shell steps, while ensuring the scan uses the repository’s sonar-project.properties.
Changes:
- Scoped workflow token permissions at the job level.
- Switched checkout to use
head_shaand moved dynamic values used inrun:blocks into environment variables. - Ensured the push scan loads
sonar-project.propertiesvia-Dproject.settings.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
Address Copilot review comments: - Pin all third-party actions to commit SHAs (latest releases) - Add actions:read permission to sonarqube job for artifact downloads - Remove debug echo event step (leaks PR metadata to logs) Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
|
7 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
checks:write, movedclone_urlto env var, added missing-Dproject.settingsto push scanrun:blocks is replaced with env vars. Push scan now loadssonar-project.propertiesfor correct source/coverage config.Related Issue(s)
Type of Change
Checklist
Testing Instructions (Optional)
AI Disclosure
If so, please describe how: