I am looking for the recommended “best practice” for performing SonarCloud scans on Java/Gradle Pull Requests originating from forked repositories in a public GitHub repo.
The Challenge
GitHub restricts secrets access for the pull_request event to prevent malicious PRs from stealing tokens. However, Sonar analysis requires SONAR_TOKEN to post PR decoration comments and report status.
Current Strategy & Security Concerns
I am considering a two-workflow approach:
- Workflow A (
on: pull_request): Runs the build and tests on untrusted code (no secrets). Uploads thejacocoTestReport.xmland binaries as artifacts. - Workflow B (
on: workflow_run): Triggered by the completion of Workflow A. This runs in the context of the main branch and has access toSONAR_TOKEN.
The Security Gap: official-sonarqube-scan documentation recommends using the Gradle Plugin over the standalone SonarSource/sonarqube-scan-action Action for Gradle projects. However, if Workflow B executes ./gradlew sonar from the attacker’s checked-out code, they could have modified the build.gradle or the wrapper to exfiltrate the SONAR_TOKEN.
My Questions:
- Is there an “official” Sonar-sanctioned way to scan forks securely?
- How can I ensure the Pull Request decoration (comments) still works correctly when the scan is triggered via
workflow_run(which technically loses the PR context)?
Any guidance on the “Trusted Runner” pattern or alternative secure architectures would be greatly appreciated!