Hi folks,
My organization (Powertools for AWS · GitHub) has been using SonarCloud with great success up until recently. We noticed that Sonar has stopped analysing pull requests that don't originate from our repos; this seems to be a change of behaviour that started about 3 weeks ago.
Examples:
- docs(idempotency): improve navigation, wording, and new section on guarantees by heitorlessa · Pull Request #4613 · aws-powertools/powertools-lambda-python · GitHub
  - No analysis
  - 2 weeks old PR
  - merge from heitorlessa:docs to python-lambda-python:develop
- fix(event_handler): disable allow-credentials header when origin allow_origin is * by sthulb · Pull Request #4638 · aws-powertools/powertools-lambda-python · GitHub
  - Has analysis
  - 1 week old PR
  - merge from python-lambda-python:bug-cors to powertools-lambda-python:develop
- fix(event_handler): do not skip middleware and exception handlers on 404 error by heitorlessa · Pull Request #4492 · aws-powertools/powertools-lambda-python · GitHub
  - Has analysis
  - 3 week old PR
  - Merge from heitorlessa:fix/404-middleware to powertools-lambda-python:develop
Weirdly enough, we can see that SonarCloud still does these checks on other repositories (Fix NuGet credential provider using wrong role by vchikoti1998 · Pull Request #4646 · aws/aws-toolkit-jetbrains · GitHub, from two days ago).
We'd like to understand the behaviour change – one of our main reasons for picking SonarCloud was that it was an approved tool for SAST by OpenSSF (scorecard/docs/checks.md at main · ossf/scorecard · GitHub), but without the check on Pull Requests from external contributors, the use of the tool is somewhat limited for us.
Kind regards
Simon