Overriding rule parameter in custom quality profile not working for GitHub Actions rule S7637

I am using SonarQube Cloud and have a false-positive showing up because my custom quality profile is not taking effect.

Rule affected: githubactions:S7637 - language GitHub Actions

I want this rule to be applied only to third-party actions, and not when referencing actions internally. The rule provides a trustedPrefixes parameter which I have overridden in my custom quality profile to add to the list of trusted prefixes.

Built-in ‘Sonar way’ quality profile has trustedPrefixes ./,actions/,github/

My custom quality profile has trustedPrefixes ./,actions/,github/,MyOrgName/

I have tried applying this custom quality profile for the github-actions language to specific projects, and then applying it as the default across the organisation. In both cases, I still see security hotspots raised against this rule, for snippets like the below:

- name: Checkout
  uses: actions/checkout@v4
  with:
    submodules: recursive
    token: ${{ secrets.MY_SECRET }}
- uses: MyOrgName/shared-actions/.github/actions/setup-just@main

The security hotspot is raised against the 2nd action here. The first action is ignored properly as it begins with actions/ and that’s in trustedPrefixes.


Hi @andyn-ff Thank you for your report and welcome to the community!

I created a Jira ticket and quickly fixed it. It will be available in SonarQube Cloud in a few days, depending on when we release our analyzer.

In the meantime please change MyOrgName/ in trustedPrefixes to lowercase: myorgname/. The actions are case insensitive and the issue was in the way we split trustedPrefixes (the String.lowercase() call was missing).

Best

Marcin

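The behaviour reported in the question and the cause given in the reply can be reproduced with a small model of the trustedPrefixes check. This is an added example, not SonarSource's analyzer code: it assumes, from the thread alone, that action references are compared case-insensitively and that the bug was the configured prefixes not being lowercased before comparison. The sample workflow snippet and both parameter values are the ones quoted above; the function names are made up here.

```python
"""Added example (not the SonarSource analyzer): model of a trustedPrefixes
check for rule S7637, showing the case-normalisation bug and its fix."""
import re

# Constructed sample input: the workflow steps quoted in the thread.
WORKFLOW_SNIPPET = """\
- name: Checkout
  uses: actions/checkout@v4
  with:
    submodules: recursive
    token: ${{ secrets.MY_SECRET }}
- uses: MyOrgName/shared-actions/.github/actions/setup-just@main
"""

# The two parameter values from the thread: built-in profile and custom profile.
SONAR_WAY_PREFIXES = "./,actions/,github/"
CUSTOM_PREFIXES = "./,actions/,github/,MyOrgName/"

# Matches "uses: <ref>" whether or not the key starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)


def extract_uses(snippet: str) -> list[str]:
    """Return every action reference used by a step, in file order."""
    return USES_RE.findall(snippet)


def split_prefixes_buggy(param: str) -> list[str]:
    """Split the comma-separated parameter as-is (the behaviour the reply
    describes: no lowercasing of the configured prefixes)."""
    return [p.strip() for p in param.split(",") if p.strip()]


def split_prefixes_fixed(param: str) -> list[str]:
    """Split the parameter and lowercase each prefix, so a prefix written as
    'MyOrgName/' compares equal to the lowercased action reference."""
    return [p.strip().lower() for p in param.split(",") if p.strip()]


def is_trusted(uses_ref: str, prefixes: list[str]) -> bool:
    """Action references are compared case-insensitively (assumed from the
    reply), so the reference is lowercased before the prefix test."""
    ref = uses_ref.lower()
    return any(ref.startswith(p) for p in prefixes)


def untrusted_actions(snippet: str, param: str, split) -> list[str]:
    """Return the action references that would raise a hotspot under the
    given trustedPrefixes value and prefix-splitting strategy."""
    prefixes = split(param)
    return [u for u in extract_uses(snippet) if not is_trusted(u, prefixes)]


if __name__ == "__main__":
    for label, split in (("buggy", split_prefixes_buggy), ("fixed", split_prefixes_fixed)):
        print(label, "->", untrusted_actions(WORKFLOW_SNIPPET, CUSTOM_PREFIXES, split))
    # The workaround from the reply: a lowercase prefix works even with the buggy split.
    print("workaround ->", untrusted_actions(
        WORKFLOW_SNIPPET, CUSTOM_PREFIXES.replace("MyOrgName/", "myorgname/"),
        split_prefixes_buggy))
```

With the buggy split the custom prefix `MyOrgName/` never matches the lowercased reference, so the second step is reported exactly as in the question; lowercasing the configured prefixes (or, as the workaround, writing the prefix as `myorgname/`) makes it trusted.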
