Prohibiting GitHub actions/official-sonarqube-scan from uploading to sonarcloud.io

I’m running GitHub Enterprise Server (GHES) 3.17 and SonarQube Enterprise Edition v2025.1. I want to use the official GitHub Marketplace Action (actions/official-sonarqube-scan) in our GHES, but I have to make sure my users can’t accidentally upload source code to sonarcloud.io. I notice that the default value for SONAR_HOST_URL is https://sonarcloud.io, which makes me think that unless my users explicitly set SONAR_HOST_URL to the URL of our private SonarQube server, they’ll unwittingly upload source to SonarCloud. Is this a reasonable concern?

There are two mitigations that I can think of: 1) edit the action after cloning to our GHES to change the default value of SONAR_HOST_URL, or 2) a user can’t actually upload to SonarCloud unless they have an account and have provided their credentials in their repository secrets/variables configuration.

Have others had this concern? How did you address it?
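One way to enforce the first mitigation without editing the cloned action is a guard step that runs before the scan and fails the job unless SONAR_HOST_URL names your own server. This is an added example, not code from the original post or from the SonarQube action; the allowed host name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: pre-scan guard for a GitHub Actions workflow.
# Refuses to proceed unless SONAR_HOST_URL points at the approved
# SonarQube server, so a missing or mistyped value can never fall
# back to the action's default of https://sonarcloud.io.
# The approved host passed in by the caller is a constructed placeholder.

check_sonar_host() {
  url="$1"       # value of SONAR_HOST_URL as seen by the job
  allowed="$2"   # host name of the private SonarQube server

  # Unset or empty: the action would silently use its SonarCloud default.
  if [ -z "$url" ]; then
    echo "SONAR_HOST_URL is unset; refusing to scan (default is sonarcloud.io)" >&2
    return 1
  fi

  # Extract the host: strip scheme, then path, then userinfo, then port.
  host="${url#*://}"
  host="${host%%/*}"
  host="${host##*@}"
  host="${host%%:*}"
  host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')

  # Explicitly reject SonarCloud, whatever the allow-list says.
  case "$host" in
    sonarcloud.io|*.sonarcloud.io)
      echo "SONAR_HOST_URL points at SonarCloud ($host); refusing to scan" >&2
      return 1 ;;
  esac

  # Only the approved private server may receive source code.
  if [ "$host" != "$allowed" ]; then
    echo "SONAR_HOST_URL host '$host' is not the approved server '$allowed'" >&2
    return 1
  fi

  echo "SONAR_HOST_URL verified: $host"
  return 0
}

# Usage in a workflow step (placeholder host):
#   check_sonar_host "$SONAR_HOST_URL" sonar.internal.example.com
```

Run it as a step before the scan action, passing the same SONAR_HOST_URL the scan step will use; a non-zero exit stops the job before any upload is attempted.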

Hi,

While the action defaults to https://sonarcloud.io, a “blind” upload of source code is technically impossible because SonarCloud analysis requires an organization key and a token. If a user runs the action without setting SONAR_HOST_URL, the action will attempt to hit SonarCloud and the scan will fail immediately.


Thank you! I’ll see if we can get a local test going to verify. You’ve given me the confidence to proceed!