- ALM used: GitHub
- CI system used: GitHub Actions
- Scanner command used when applicable: `mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=org_project`
- Languages of the repository: Java
Hi community,
I’m setting up safe analysis of a GitHub project for pull requests via GitHub Actions, according to Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | GitHub Security Lab. This works in two steps:
- On a PR, run Workflow 1:
  - Run the build, including tests, in an unprivileged environment
  - Upload the project (including `target/`, etc.) and the PR number (see GitHub tutorial above) as an artifact
- Listen to the completion of Workflow 1, then run Workflow 2 with privileges (access to tokens; note: this doesn’t have the PR context!):
  - Download and unzip the artifact
  - On the downloaded project, run `mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=org_project`
  - Query the SonarCloud Web API to retrieve measures, e.g., `curl -u "$SONAR_TOKEN": "https://sonarcloud.io/api/measures/component?component=org_project&metricKeys=new_bugs,new_vulnerabilities,new_security_hotspots" -o measures.json`
This is all good and well, and gives me the measures I want, but I cannot be sure if these are the measures from the workflow run in which I run the Maven Plugin.
Is there a way to retrieve these measures deterministically for a specific run?
In `/api/measures/component`, I have the following parameters:
- `additionalFields`: Can I set an additional field via the Maven plugin to identify the measures via this?
- `branch`: The analysis is run as if it was on the default branch, unusable
- `component`:
- `metricKeys`:
- `pullRequest`: I have the PR number, but the analysis isn’t run on the PR itself, but in a privileged “context-less” environment.
I have tried `mvn -B sonar-maven-plugin:sonar ... -Dsonar.analysis.customid="$(cat ../pr/NR)_$GITHUB_RUN_ID"`, but am unsure if I can/how to retrieve measures via this `customid`.
Thanks for any help with this!
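The privileged Workflow 2 step described in the post, as an added example (not code from the original post or from SonarSource): it assumes the artifact was unzipped to `./pr` with the PR number in `pr/NR`, that the project's SonarCloud setup accepts the `sonar.pullrequest.*` properties, and that the head and base branch names are passed in from the `workflow_run` event payload rather than read from the artifact.

```shell
#!/bin/sh
# Added example for the privileged Workflow 2 (workflow_run trigger).
# The artifact comes from an unprivileged run of untrusted PR code, so
# everything read from it is untrusted input and is validated before it
# reaches a shell command or an API URL.

# A PR number is a non-empty string of digits and nothing else.
validate_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    *) return 0 ;;
  esac
}

# Read the PR number from the artifact file (assumed path: pr/NR),
# strip line endings, validate, and print it; fail otherwise.
pr_number_from_artifact() {
  nr=$(tr -d '\r\n' < "$1" 2>/dev/null) || return 1
  validate_pr_number "$nr" || return 1
  printf '%s\n' "$nr"
}

# Measures URL for one PR, built only from the validated number, so the
# measures fetched are the ones of that PR's analysis rather than the
# default branch's.
measures_url() {
  printf 'https://sonarcloud.io/api/measures/component?component=org_project&pullRequest=%s&metricKeys=new_bugs,new_vulnerabilities,new_security_hotspots\n' "$1"
}

# Run the scanner attached to the PR (assumption: the sonar.pullrequest.*
# properties are accepted by the project's SonarCloud configuration).
# Branch names are attacker-chosen, so they are passed as quoted
# arguments and never interpolated into a command string.
run_scanner() {
  pr=$1; head_branch=$2; base_branch=$3
  mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
    -Dsonar.projectKey=org_project \
    "-Dsonar.pullrequest.key=$pr" \
    "-Dsonar.pullrequest.branch=$head_branch" \
    "-Dsonar.pullrequest.base=$base_branch"
}

# Intended use in Workflow 2 (HEAD_BRANCH/BASE_BRANCH set from the
# workflow_run event, SONAR_TOKEN from the repository secrets):
#   pr=$(pr_number_from_artifact pr/NR) || { echo "invalid PR number"; exit 1; }
#   run_scanner "$pr" "$HEAD_BRANCH" "$BASE_BRANCH"
#   curl -u "$SONAR_TOKEN": "$(measures_url "$pr")" -o measures.json
```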