Hello,
We’re excited to announce that Sonar now supports the analysis of GitHub Actions workflow files! With this new capability, you can ensure your GitHub Actions follow best practices and maintain the highest standards of security.
Our analysis is aligned with the recommendations described in the GitHub Actions Security Best Practices.
This is achieved with 9 rules, and more will come in the future:
Vulnerability
Security Hotspot
- Using external GitHub actions and workflows without a commit reference is security-sensitive.
- Expanding secrets in run blocks is security-sensitive.
- Passing the full secrets context to reusable workflows is security-sensitive.
- Passing the full secrets context is security-sensitive.
- Parsing structured data as a secret is security-sensitive.
- Checking out code from a fork in a privileged workflow context is security-sensitive.
Code Smell
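To make the hotspots above concrete, here is an added example that is not part of the original post and not Sonar's analyzer: a stdlib-only Python script that runs line-based checks for four of the listed patterns (unpinned action references, secrets expanded in `run` blocks, `secrets: inherit`, and fork checkout under a privileged trigger) over two constructed workflows, one with the weak settings and one with the corrected settings. The workflow contents, action names, secret names and the all-zero commit SHA are constructed placeholders, and the checks are a deliberate simplification of what a real analyzer does (they do not parse YAML).

```python
"""Line-based checks for four GitHub Actions hotspots (added example, not Sonar's code)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[int, str]  # (1-based line number, message)

# Constructed sample: triggers on pull_request_target (privileged: secrets and a
# write token) yet checks out the fork's code, uses unpinned actions, expands a
# secret inside a run script and forwards the whole secrets context.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@main
      - run: |
          ./deploy.sh ${{ secrets.DEPLOY_TOKEN }}
  call:
    uses: ./.github/workflows/reusable.yml
    secrets: inherit
"""

# Corrected form: unprivileged trigger, actions pinned to a full commit SHA
# (the zeros are a placeholder, not a real commit), secret passed via env and
# quoted in the shell, and only the needed secret forwarded.
FIXED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: some-org/some-action@0000000000000000000000000000000000000000 # v1 (placeholder SHA)
      - run: |
          ./deploy.sh "$DEPLOY_TOKEN"
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
  call:
    uses: ./.github/workflows/reusable.yml
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
PRIVILEGED_TRIGGER_RE = re.compile(r"^\s*(pull_request_target|workflow_run)\s*:")
FORK_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_EXPANSION = "${{ secrets."


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> List[Finding]:
    """Return findings for the four checked hotspots, in line order."""
    findings: List[Finding] = []
    lines = text.splitlines()
    privileged = any(PRIVILEGED_TRIGGER_RE.match(l) for l in lines)
    run_body_indent: Optional[int] = None  # -1 = just saw `run: |`, body indent unknown
    for num, line in enumerate(lines, start=1):
        # Track whether we are inside a multi-line run block; the first body
        # line fixes its indentation, and a shallower line (e.g. `env:`) ends it.
        if run_body_indent is not None and line.strip():
            if run_body_indent == -1:
                run_body_indent = _indent(line)
            elif _indent(line) < run_body_indent:
                run_body_indent = None
        # 1. External action or workflow not pinned to a full 40-hex commit SHA.
        m = USES_RE.match(line)
        if m and not re.fullmatch(r"[0-9a-f]{40}", m.group(2)):
            findings.append((num, f"unpinned reference {m.group(1)}@{m.group(2)}"))
        # 2. Secret expanded straight into the script (injection and log-leak surface).
        rm = RUN_RE.match(line)
        if rm:
            if rm.group(2).strip() in ("|", ">", "|-", ">-"):
                run_body_indent = -1
            elif SECRET_EXPANSION in rm.group(2):
                findings.append((num, "secret expanded in run block"))
        elif run_body_indent is not None and SECRET_EXPANSION in line:
            findings.append((num, "secret expanded in run block"))
        # 3. Whole secrets context handed to a reusable workflow.
        if re.match(r"^\s*secrets:\s*inherit\s*$", line):
            findings.append((num, "full secrets context passed to reusable workflow"))
        # 4. Fork head checked out while running with the base repo's privileges.
        if privileged and re.match(r"^\s*ref:", line) and FORK_HEAD_RE.search(line):
            findings.append((num, "fork code checked out in privileged workflow"))
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, scan_workflow(wf) or "no findings")
```

The corrected workflow shows the mitigation for each finding: a full commit SHA instead of a mutable tag or branch, the secret exported through `env` and quoted in the shell rather than expanded into the script text, an explicit `secrets:` map instead of `inherit`, and an unprivileged `pull_request` trigger so the fork's code never runs with the base repository's secrets.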
This works when using the Scanner CLI. We are working to update our other Scanners to support this feature seamlessly.
Start analyzing your GitHub Actions workflows today on SonarQube Cloud to catch misconfigurations early and keep your CI/CD pipelines secure and efficient!
Enjoy
Alex