False positive on githubactions:S8544 "Python dependencies should be locked to verified versions"

Hi,

I’m using SonarQube Cloud on GitHub.
This rule is labelled beta "The rule has been recently implemented and we haven’t gotten enough feedback from users yet, so there may be false positives or false negatives."

It seems to be a false positive as the warning is raised even though I’ve pinned the version:

pip install playwright==1.59.0 --only-binary :all:

Using dependencies without locking resolved versions is security-sensitive.

Please see public link:

Thanks,

Nicolas Baumann.

Hi @Nicolas_Baumann and thanks for the feedback!

You are right, the parser logic was incorrectly considering :all: as a package name, and thus raising an issue as there was no version specifier for it.

This will be fixed in the next release, thanks for letting us know and have a nice weekend!

Best wishes,

Teemu R.
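As an added illustration of the parser mistake Teemu describes (example code, not SonarQube's own implementation): a naive tokenizer that treats every non-option token as a package reports `:all:` as an unpinned dependency, while a parser that knows which `pip install` options consume a value does not. The option list and the second sample command are assumptions constructed for this example.

```python
import shlex

# `pip install` options that consume the next token as their value. This list is
# an assumption for the example; pip has more such options.
VALUE_OPTIONS = {
    "--only-binary", "--no-binary", "-r", "--requirement", "-c", "--constraint",
    "-e", "--editable", "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
    "-t", "--target", "--platform", "--python-version", "--implementation", "--abi",
    "--prefix", "--root", "--src", "--trusted-host", "-C", "--config-settings",
}


def _install_args(command: str) -> list[str]:
    """Everything after the `install` subcommand, split like a shell would."""
    tokens = shlex.split(command)
    return tokens[tokens.index("install") + 1:] if "install" in tokens else []


def naive_requirement_args(command: str) -> list[str]:
    """The mistake from the thread: every token that does not start with '-' is
    taken as a package, so the ':all:' value of --only-binary gets reported."""
    return [tok for tok in _install_args(command) if not tok.startswith("-")]


def requirement_args(command: str) -> list[str]:
    """Requirement specifiers only: option values such as ':all:' are skipped."""
    reqs, skip_next = [], False
    for tok in _install_args(command):
        if skip_next:              # this token is the value of the previous option
            skip_next = False
        elif tok.startswith("-"):
            # `--opt=value` carries its value inline; bare `--opt` takes the next token
            skip_next = "=" not in tok and tok in VALUE_OPTIONS
        else:
            reqs.append(tok)
    return reqs


def unpinned(requirements: list[str]) -> list[str]:
    """Specifiers not locked to an exact version with '==' (or '===')."""
    return [r for r in requirements if "==" not in r]


if __name__ == "__main__":
    cmd = "pip install playwright==1.59.0 --only-binary :all:"  # the reporter's command
    print("naive:", unpinned(naive_requirement_args(cmd)))      # [':all:'] -> false positive
    print("fixed:", unpinned(requirement_args(cmd)))            # []
```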