Security Advisory: SonarQube Scanner GitHub Action

ganncamp · August 29, 2025, 4:57pm

Update 9/25/2025: Please read this follow-up post:

Hi all,

We’ve found a security vulnerability in our SonarQube Scanner GitHub Action, and we’ve already released a patch to fix it.

What You Need to Do

Please update your SonarQube Scanner GitHub Action to v5.3.1. This new version is applicable for both Cloud and Server customers and includes a security fix that will help protect your workflows. If your workflow uses dynamically computed arguments, you will additionally need to switch to using supported syntax for expressions in GitHub Actions.

If your workflow references sonarqube-scan-action@v5, it will automatically use the patched version, and no further action is required.

Update (September 2, 2025):

See the latest information here:

mskfrc · August 29, 2025, 6:14pm

Is the Azure DevOps extension for SonarQube Cloud affected by this vulnerability as well? If so, what version should AzDO users upgrade to?

Thanks!

CTOUsingEclipse · August 29, 2025, 6:20pm

Is this limited to the GitHub action and therefore our scans using the maven scanner are not impacted?

ganncamp · August 29, 2025, 6:32pm

Hi all,

This is just about the GitHub Action. Your use of any other SonarScanner is not impacted. Altho we do generally recommend you try to stay on the latest version of your scanner, there are no known security impacts for any other scanner at this time.

HTH,
Ann

daf · August 29, 2025, 6:34pm

Can you share anything about what the vulnerability was? Or at the very least, if it was exploited, what we should be looking for?

ganncamp · August 29, 2025, 6:36pm

Hi,

We’re not aware of any exploits. And again

HTH,
Ann

Jagrit · August 29, 2025, 6:45pm

We are using SonarCloud, linking our project with GitHub directly, but we have not written or configured any .yml file for GitHub Actions (i.e., we are not actively using the SonarQube Scanner GitHub Action in our workflow). Could you please confirm whether this vulnerability impacts SonarCloud users in our situation?

ganncamp · August 29, 2025, 6:50pm

Hi @Jagrit,

Welcome to the community!

This only impacts the use of the SonarScanner GitHub Action.

Again,

HTH,
Ann

laneg · August 29, 2025, 8:28pm

Could you please provide the following critical details:

Severity Level: What is the CVSS score or severity rating of this vulnerability?
Attack Vector & Exploitability:
- Is this remotely exploitable?
- Does it require authentication?
- What level of access could an attacker gain?
Specific Impact:
- What exactly is vulnerable?
- Could this expose secrets, environment variables, or repository contents?
- Are build artifacts at risk?
Affected Versions: Which versions prior to v5.3.1 are affected?
How would we know if this vulnerability has been exploited in our workflows?
Timeline: When was this vulnerability discovered and how long have affected versions been in use?

While you mention “no evidence of exploitation,” understanding the actual risk profile would help us prioritize this update appropriately, especially heading into a weekend.

daf · August 29, 2025, 8:52pm

Exactly. Given the complete lack of transparency here, I’m not at all reassured by the fact that Sonar has no evidence that this vulnerability, whatever it is, was not exploited. I need to know whether I should be spending my weekend rotating secrets or whether this is a nothing burger. What a horrible way to announce this, and on a (US) holiday weekend no less.

ganncamp · August 29, 2025, 9:34pm

Hi all,

Thanks for your candid feedback, and sorry for the mystery. We’ve begun the process to file the CVE, and will report back as soon as we have a number. Unfortunately, we won’t be able to share anything more until we have that.

In the meantime - and without prematurely releasing sensitive details so that everyone has an opportunity to do the update - we can say we believe this is “high” severity. Versions since v4.0.0 are impacted.

(And we’ll be taking the learnings from this on board in our retrospective. They’ll definitely impact our operations going forward.)

Ann

pcolby · August 29, 2025, 11:26pm

What does this mean? I am aware of GiHub Actions’ expressions syntax, but what are “dynamically computed arguments” in this context? The two don’t seem mutually exclusive to me, so what does it mean to be switching from one to the other? Can you at least provide some simple example of needed change? That would help a lot.

Thanks!

pcolby · August 29, 2025, 11:38pm

Ok, I figured out that you mean the args input on the Sonar action.

Needing to change, for example, from:

--define sonar.cfamily.compile-commands="$RUNNER_TEMP/sonar/compile_commands.json"

to

--define sonar.cfamily.compile-commands=${{ runner.temp }}/sonar/compile_commands.json

Presumably because environment variables are no longer be expanded within the Action’s handling of args.

That’s fine for me, in this case, but I will just note that expanding GitHub context variables this way does not perform any shell parameter escaping, so it would fail with spaces in paths, for example.

WIStudent · August 30, 2025, 11:10am

You should also release an update for the deprecated SonarSource/sonarcloud-github-action. Currently it still delegates to a vulnerable version of SonarSource/sonarqube-scan-action inside its action.yml:

    - name: SonarQube Cloud Scan
      uses: SonarSource/sonarqube-scan-action@v5.0.0
      with:
        args: ${{ inputs.args }}
        projectBaseDir: ${{ inputs.projectBaseDir }}
        scannerVersion: ${{ inputs.scannerVersion }}
        scannerBinariesUrl: ${{ inputs.scannerBinariesUrl }}

WIStudent · August 30, 2025, 11:21am

Unfortunately, we won’t be able to share anything more until we have that.

In the meantime - and without prematurely releasing sensitive details so that everyone has an opportunity to do the update - we can say we believe this is “high” severity. Versions since v4.0.0 are impacted.

Just as a side note: The code of the SonarSource/sonarqube-scan-action and the changes on it are public, so anyone can lookup how the vulnerability was fixed, and from there figure out how the previous versions can be exploited. So you should assume that the knowledge of how to exploit it is aleady out there.

evanw · August 31, 2025, 12:21am

+1; withholding further information at this point is just a form of security through obscurity (i.e. ineffective) and prevents those of us who are affected from properly assessing the level of risk and impact without taking Sonar’s word for it.

Respectfully, I strongly encourage the Sonar team to not wait for a retrospective before enacting changes - this current situation easily be improved with simple disclosure like was suggested above.

zorro · August 31, 2025, 3:35pm

We are using “sonarsource/sonarqube-scan-action@master” this automatically take the latest version?

danielfn · September 1, 2025, 6:47am

IMHO there is no point in not disclosing this right away when it’s already in plain sight:

github.com/SonarSource/sonarqube-scan-action

SQSCANGHA-101 Add more input injection tests

master ← task/abozhinoska/SQSCANGHA-101/add-input-injection-tests

opened 01:11PM - 21 Aug 25 UTC

aleksandra-bozhinoska-sonarsource

+110 -9

[SQSCANGHA-101](https://sonarsource.atlassian.net/browse/SQSCANGHA-101) Ple…ase be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features). With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing: - [ ] Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make - [ ] Make sure any code you changed is covered by tests - [ ] If there is a [JIRA](http://jira.sonarsource.com/browse/SONAR) ticket available, please make your commits and pull request start with the ticket ID (SONAR-XXXX) We will try to give you feedback on your contribution as quickly as possible. Thank You! The SonarSource Team [SQSCANGHA-101]: https://sonarsource.atlassian.net/browse/SQSCANGHA-101?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

There are even test cases in the repo that show exactly how to exploit the vulnerability: a potential command injection caused by unsanitized arguments.

github.com/SonarSource/sonarqube-scan-action

.github/workflows/qa-main.yml

master


      
          backtickCommandInjectionTest:
            name: >
              'args' input with backticks injection does not execute command
            strategy:
              matrix:
                os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
            runs-on: ${{ matrix.os }}
            steps:
              - uses: actions/checkout@v5
                with:
                  token: ${{ secrets.GITHUB_TOKEN }}
              - name: Run action with args
                uses: ./
                continue-on-error: true
                with:
                  args: >
                    -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5="   `whoami`   " -Dsonar.arg6="test\`echo injection\`test"
                env:
                  SONAR_HOST_URL: http://not_actually_used
                  SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'

This file has been truncated. show original

Since this is an open-source repository, a bad actor could figure out the vulnerability in minutes. In this case, withholding information does more harm than good by not being completely transparent with customers from the start.

Colin · September 1, 2025, 3:56pm

Yes, @master takes the latest commit, which includes the fix. And, we generally recommend not pinning to master, since there might eventually be a breaking change. I’d reccomend using @5.

Colin · September 1, 2025, 10:39pm

Hey everyone,

A few updates:

First of all, thank you to everyone who provided feedback on our communication. We’re taking your feedback seriously and will be reviewing our vulnerability disclosure procedures and policies.

Secondly, we now have additional details to share:

CVE Number: CVE-2025-58178 has been assigned to this vulnerability

Vulnerability Type: Command Injection via unsanitized arguments

CVSS v3.1 Score: 7.8

GitHub Security Advisory: We’ve published a GitHub Security Advisory which means Dependabot users will automatically receive alerts and pull requests to update

Affected Versions: All versions from v4.0.0 up to v5.3.0

Action Required:

Update to v5.3.1 (fixed version)
If using sonarqube-scan-action@v5, you’re already receiving the patched version automatically
For those using dynamically computed arguments in the args field of sonarqube-scan-action, please update to use GitHub Actions expression syntax

Topic		Replies	Views
Github actions yml script use sonarcloud point "Project was never analyzed" SonarQube Cloud sonarqube	1	1663	December 4, 2019
Sonar Scanner For MS Build .Net Core from inside Docker - Pull request analyzed but NOT decorated/completed SonarQube Cloud scanner	13	4191	November 15, 2019
Per PR decoration is not working SonarQube Cloud github-checks	7	2400	March 5, 2020
SonarCloud integration with GitHub Enterprise SaaS Suggest new features github , sonarqube-cloud	0	301	March 22, 2021
Cannot get PR decoration working with SonarQube Enterprise SonarQube Server / Community Build sonarqube , github	23	7615	May 22, 2020

Security Advisory: SonarQube Scanner GitHub Action

What You Need to Do

Related topics