Run SAST checks in CI #7674
Run SAST checks in CI #7674
Conversation
✅ Deploy Preview for inventree-web-pui-preview canceled.
|
|
This will require the enviroment variable |
| uses: SonarSource/sonarcloud-github-action@master | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
There was a problem hiding this comment.
Q: when should this workflow execute? Are you aware, that this secret is never available with the pull_request trigger, due to protection mechanisms?
There was a problem hiding this comment.
This is 1:1 from the docs of SonarCloud, I trust that they validated this approach
https://github.com/SonarSource/sonarcloud-github-action?tab=readme-ov-file#usage
There was a problem hiding this comment.
Ok, interesting, GitHub itself tells something else, but happy to have learned something new.
|
@matmair |
|
Sonar / @agigleux have fixed the underlying issue, this is not needed anymore. @SchrodingersGat you can remove the secret |
|
Awesome, thanks @agigleux and Sonar! |
We are currently failing the SAST section of https://securityscorecards.dev/viewer/?uri=github.com/inventree/InvenTree because it seems like SonarCloud is not running on (all?) PRs. The easiest solution for this is to just run it in CI, this should also help to discover problematic code sooner.
This PR: