PR decoration shows broken images due to CSP

  • Using SonarQube Developer; integrated with GitHub Enterprise 2.16.2; viewed using the latest Google Chrome on Windows.
  • I’ve integrated my SonarQube instance with my GitHub Enterprise server, so my pull requests are decorated (having both bot comments and a PR check). All good so far :slight_smile:
  • Problem: images in both the bot comment and the check page are broken. I believe it’s due to GitHub’s content security policy, which prevents loading images from external sources such as my SonarQube server. (When I use extensions like this to disable CSP, the images are shown correctly…)


Any idea how to overcome this? (Can I e.g. customize the images used, e.g. to have them point to images located on my GitHub Enterprise server itself, so hopefully they can be served?)


Hi, if your SonarQube instance is not reachable from GHE, you are in the same situation as this thread. Is that the case?

Well, it’s definitely reachable, as when I disable CSP (e.g. using this Chrome extension) the images are shown correctly.

BTW, having the images uploaded to the GitHub Enterprise server would definitely work…
Putting on my developer hat for a second, it might be nice for the PR decoration code to do just that on the first decoration of a PR for a GH instance, and then always use those stored references to the image locations on GH.

Ah OK, that is indeed a different issue then. What do you mean by upload images to GH? Like into a repo?

Well, yes… it’s just a suggestion for a solution from the SonarQube side :wink:
Basically, as a human user you can drag an image into a PR comment, and it will be uploaded to GH (not to your repo, but to some shared/per-user storage, e.g. as <GIT_URL>/storage/user/76/files/3029a580-a594-11ea-851d-4c875b7c7e9a).
Your PR comment will include a link to the above file. As this file sits inside your GH server, there is no problem with CSP!
Maybe the PR decoration code could do something similar (except the drag&drop part :slight_smile:): upload the relevant image to GH, and then the references to images on the Sonar server could be replaced with references to those images on GH.

Can you suggest a workaround, or is there an issue I can track for this to be solved?
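To make the CSP mechanism behind this thread concrete (why an image served from the SonarQube host is blocked on a GitHub Enterprise page, while one uploaded to GH's own /storage/ path is not), here is an added example, not code from SonarQube, GitHub or anyone in this thread. It implements the subset of CSP source matching that governs `<img>` loads: the `img-src` directive (falling back to `default-src`), with `'none'`, `'self'`, scheme sources such as `https:` and `data:`, and host sources with optional wildcard, port and path prefix. The policy string, the `github.example` / `sonar.example` hosts and the image paths are all constructed for illustration; the real GitHub Enterprise CSP header is different, and you should read it from the response headers of your own instance.

```python
"""Decide whether an <img> URL would be permitted by a page's Content-Security-Policy.

Added example (not SonarQube or GitHub code). Covers the CSP source-expression
forms relevant to img-src; it is a simplified model of the spec, not a full one.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored (first occurrence wins), as in the spec."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _origin(url):
    """(scheme, host, effective port) of a URL; the port defaults per scheme."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)


def _host_matches(pattern, host):
    """Host-source matching: '*' matches anything, '*.x' matches subdomains of x only."""
    if host is None:
        return False
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(source, url, page_origin):
    """True if one CSP source expression permits loading `url` from a page at `page_origin`."""
    scheme, host, port = _origin(url)
    keyword = source.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if keyword.endswith(":") and "/" not in keyword:
        return scheme == keyword[:-1]            # scheme-source, e.g. https: or data:
    # host-source: [scheme://]host[:port][/path]
    if "://" in source:
        pattern = urlsplit(source)
        if scheme != pattern.scheme:
            return False
    else:
        # No scheme in the pattern: the page's own scheme (or an https upgrade) is implied.
        if scheme not in {_origin(page_origin)[0], "https"}:
            return False
        pattern = urlsplit("https://" + source)  # placeholder scheme, used only for parsing
    if not _host_matches(pattern.hostname, host):
        return False
    if pattern.port is not None and port != pattern.port:
        return False
    if not pattern.path:
        return True
    url_path = urlsplit(url).path or "/"
    if pattern.path.endswith("/"):
        return url_path.startswith(pattern.path)  # directory prefix
    return url_path == pattern.path               # exact file


def image_allowed(csp_header, image_url, page_origin):
    """Would the browser load image_url on a page at page_origin under this CSP?"""
    policy = parse_csp(csp_header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: CSP does not restrict images
    return any(source_allows(s, image_url, page_origin) for s in sources)


# Constructed inputs (hypothetical hosts and paths), not a real GHE header or SonarQube URL.
GHE_PAGE = "https://github.example"
GHE_CSP = ("default-src 'none'; "
           "img-src 'self' data: https://*.githubusercontent.example; "
           "script-src https://github.example/assets/")
SONAR_IMAGE = "https://sonar.example/static/developer/quality_gate_passed.png"
GHE_UPLOAD = "https://github.example/storage/user/76/files/3029a580-a594-11ea-851d-4c875b7c7e9a"

if __name__ == "__main__":
    for url in (SONAR_IMAGE, GHE_UPLOAD, "data:image/png;base64,iVBORw0KGgo="):
        verdict = "allowed" if image_allowed(GHE_CSP, url, GHE_PAGE) else "blocked"
        print(f"{verdict:8} {url}")
```

Run it and the SonarQube-hosted image is reported as blocked while the GH-hosted upload and the `data:` URL are allowed, which is exactly the behaviour the thread describes and the reason the CSP-disabling extension "fixes" it. The same function lets you test a candidate fix offline: point it at the real `Content-Security-Policy` header of your GHE instance and at the image URL the decoration would emit, before changing anything on the SonarQube side.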