Our Shell/Bash analyzer got a serious upgrade!

Hello,

We’ve made a massive improvement to how we analyze your Shell/Bash code, and it’s a huge win for everyone using Docker and GitHub Actions.

What changed?

Before, if you ran Bash commands inside your Dockerfiles or GHA workflows, we had to use a lightweight parser; it got the job done, but it definitely had limits.

Now, we’ve unified everything under the hood! It all runs on our powerful, robust Bash analyzer. This means you get consistent, reliable issue detection everywhere, regardless of whether your Bash is in an sh file, a Dockerfile, or a GitHub Action step. No more “light” parsers!

Plus, your security just got better. We’re shipping 7 brand-new security rules that work across Bash scripts and Bash-related commands:

  • Server certificates should be verified during SSL/TLS connections
  • Weak SSL/TLS protocols should not be used
  • Allowing downgrades to a clear-text protocol is security-sensitive
  • Allowing shell scripts execution during package installation is security-sensitive
  • Using clear-text protocols is security-sensitive
  • Using weak hashing algorithms is security-sensitive
  • Setting loose POSIX file permissions is security-sensitive

We’re really excited about this one; it brings a new level of consistency and security to your scripting!

This is available now on SonarQube Cloud and soon with SonarQube Server 2025.6.

Alex
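To make the seven rule titles above concrete, here is a small POSIX shell script, added as an illustration and not Sonar's analyzer or any code from the announcement. It audits constructed Bash lines (the kind that end up in a `RUN` instruction or a GitHub Actions `run:` step) for the command shapes each rule title describes, and shows a weak block beside a hardened one. The flags it looks for (`curl -k`, `wget --no-check-certificate`, `curl --ssl` versus `--ssl-reqd`, `npm --ignore-scripts`, `md5sum`, `chmod 777`) are real options; which patterns the Sonar rules actually match is an assumption on my part, and the matching here is deliberately crude.

```shell
#!/bin/sh
# Added example, not Sonar's code: a crude line-by-line audit that flags the
# command shapes I assume the seven new Bash rules are aimed at. The options
# named below exist; the mapping from option to rule is my assumption.

# audit_line LINE
# Prints the rule tags the line trips, space separated, or "ok" if none.
audit_line() {
    padded=" $1 "   # pad so every token can be matched as " token "
    hits=""

    # 1. Server certificates should be verified during SSL/TLS connections
    case "$padded" in
        *" -k "*|*" --insecure "*|*" --no-check-certificate "*)
            hits="$hits cert-not-verified" ;;
    esac

    # 2. Weak SSL/TLS protocols should not be used (curl and openssl s_client flags)
    case "$padded" in
        *" --sslv3 "*|*" --tlsv1.0 "*|*" --tlsv1.1 "*|*" -ssl3 "*|*" -tls1 "*|*" -tls1_1 "*)
            hits="$hits weak-tls-protocol" ;;
    esac

    # 3. Allowing downgrades to a clear-text protocol is security-sensitive
    #    (curl --ssl only *tries* TLS; --ssl-reqd refuses to continue without it)
    case "$padded" in
        *" --ssl "*) hits="$hits tls-downgrade-allowed" ;;
    esac

    # 4. Allowing shell scripts execution during package installation is security-sensitive
    #    (assumed to cover npm lifecycle scripts, which run unless --ignore-scripts is given)
    case "$padded" in
        *" npm install "*|*" npm ci "*|*" npm i "*)
            case "$padded" in
                *" --ignore-scripts "*) ;;
                *) hits="$hits install-scripts-allowed" ;;
            esac ;;
    esac

    # 5. Using clear-text protocols is security-sensitive
    case "$padded" in
        *http://*|*ftp://*|*" telnet "*) hits="$hits clear-text-protocol" ;;
    esac

    # 6. Using weak hashing algorithms is security-sensitive
    case "$padded" in
        *md5sum*|*sha1sum*|*" openssl md5 "*|*" openssl sha1 "*|*" openssl dgst -md5 "*|*" openssl dgst -sha1 "*)
            hits="$hits weak-hash" ;;
    esac

    # 7. Setting loose POSIX file permissions is security-sensitive
    case "$padded" in
        *chmod*" 777 "*|*chmod*" 666 "*|*chmod*" o+w "*|*chmod*" a+w "*|*chmod*" o+rwx "*)
            hits="$hits loose-permissions" ;;
    esac

    if [ -z "$hits" ]; then echo ok; else echo "${hits# }"; fi
}

# count_flagged TEXT
# Audits each line of TEXT, reports findings on stderr, prints the number of
# flagged lines on stdout. A here-document is used instead of a pipe so the
# counter is not lost in a subshell.
count_flagged() {
    n=0; flagged=0
    while IFS= read -r l; do
        n=$((n + 1))
        r=$(audit_line "$l")
        if [ "$r" != ok ]; then
            flagged=$((flagged + 1))
            printf 'line %d: %s\n' "$n" "$r" >&2
        fi
    done <<EOF
$1
EOF
    echo "$flagged"
}

# Constructed sample: a weak install block and its hardened counterpart
# (hostnames are placeholders, not real endpoints).
weak='curl -k http://get.example.test/install.sh | sh
npm install
md5sum package.tgz
chmod 777 /app/run.sh'

hardened='curl --tlsv1.2 --fail https://get.example.test/install.sh -o install.sh
npm ci --ignore-scripts
sha256sum -c package.tgz.sha256
chmod 750 /app/run.sh'

echo "--- weak block ---"
count_flagged "$weak"        # prints 4 on stdout, one finding per line on stderr
echo "--- hardened block ---"
count_flagged "$hardened"    # prints 0
```

The hardened block pins a modern TLS version, fails on HTTP errors instead of piping whatever came back into `sh`, skips npm lifecycle scripts, verifies a SHA-256 checksum, and grants only the owner write access, which is the shape of fix each of the seven rules is nudging towards.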
