In our environment, we are unable to use a direct connection to the internet. Instead, we rely on locally stored binaries or remote repositories that allow downloading files from the internet, which are then scanned and audited for security and compliance. Currently, we use our private Docker repository to download the scanner action image.
Since the release of version 4.X.X, we have encountered an issue with installing the sonar-scanner-cli. The installation process attempts to download binaries directly from https://binaries.sonarsource.com, which is not feasible in our setup.
Run sonarsource/sonarqube-scan-action@v4
Run ${GITHUB_ACTION_PATH}/sanity-checks.sh
Run actions/cache@v4.0.2
Cache not found for input keys: sonar-scanner-cli-6.2.1.4610-Linux-X64
Run ${GITHUB_ACTION_PATH}/install-sonar-scanner-cli.sh
+ mkdir -p /home/runner/_work/_temp/sonarscanner
+ cd /home/runner/_work/_temp/sonarscanner
+ wget --no-verbose --user-agent=sonarqube-scan-action https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-x64.zip
wget: unable to resolve host address ‘binaries.sonarsource.com’
Are you planning to provide some option to configure a base_url or similar setting? This would allow us to specify a remote repository for downloading the scanner binaries, accommodating environments with restricted internet access.
Hi @MarekU,
Thank you for reporting this issue to our community.
The new major version of the GitHub Action for SonarQube (v4.0.0) removes Docker, moving to a composite action. You can read here about the reasons which led us to make this change.
Are you planning to provide some option to configure a base_url or similar setting? This would allow us to specify a remote repository for downloading the scanner binaries, accommodating environments with restricted internet access.
We just tested the solution you suggest, and we think it’s a good way to fix the issue.
We are currently testing more thoroughly the solution in a variety of scenarios. Once done with the test, we are going to release a new minor version of the GitHub action with an additional parameter, for you to point to a custom repository of binaries.
While we work on it, we suggest you stay on v3, which is still fully functional. We will ping you here once we release v4.1.0, and we would be happy if you could test it and come back to us with any issues you may encounter.