False positive lock file requirement because of pyproject.toml

VShkaberda · May 22, 2026, 2:45pm

The repo contains a list of scripts deployed to S3 and used by AWS Glue. pyproject.toml is used to configure linters and triggers the Sonar rule text:S8565 “Python dependency lock file should be committed to source control”, which is a false positive because the environment is managed by AWS.
Minimal example of pyproject.toml:

[project]
name = "glue-etl"
version = "0.1.0"

[tool.isort]
profile = "black"
line_length = 120
skip = [
    ".git",
    "__pycache__",
]

teemu.rytilahti · May 29, 2026, 10:07am

Hi @VShkaberda & thanks for the feedback!

You are absolutely right, the analyzer logic in cases like yours is too eager to raise. I have already created a pull request to change the behavior to avoid raising an issue when the pyproject.toml is not used for dependency management, so this will be fixed in the very near future.

Best wishes,

Teemu R.

Topic		Replies	Views
False positive on githubactions:S8544 "Python dependencies should be locked to verified versions" SonarQube Cloud python , sonarqube-cloud	1	58	May 22, 2026
3rd party analysis in SonarQube advanced security SonarQube Server / Community Build sonarqube	1	54	February 9, 2026
Sonarqube CL scanner not catching Python smells SonarQube Server / Community Build scanner , coverage	3	406	February 16, 2024
Python project sonarsource/sonarqube-scan-action Timeout SonarQube Cloud sonarqube , python , github-actions	6	228	January 20, 2025
SonarCloud not detecting Python project configuration after importing the project SonarQube Cloud scanner , python , sonarqube-cloud	1	293	February 7, 2024

False positive lock file requirement because of pyproject.toml

Related topics