Sonar analyzes GitHub Actions workflows

Hello,

We’re excited to announce that Sonar now supports the analysis of GitHub Actions workflow files! With this new capability, you can ensure your GitHub Actions follow best practices and maintain the highest standards of security.

Our analysis is aligned with the recommendations described in the GitHub Actions Security Best Practices.

This is achieved thanks to 9 rules, and more will come in the future:

  • Vulnerability
  • Security Hotspot
  • Code Smell

This works when using the Scanner CLI. We are working to update our other Scanners to support this feature seamlessly.

Start analyzing your GitHub Actions workflows today on SonarQube Cloud to catch misconfigurations early and keep your CI/CD pipelines secure and efficient!

Enjoy
Alex


Hi @Alexandre_Gigleux

Another great addition, and similar to my question on the new secrets scanning:

  • Do you have any ETA for the DOTNET scanner?
  • What version of SonarQube Server is required?
  • What version of the CLI scanner is required?
  • Does it only look at the .github folder or will it look at any files in the analysis scope? We have a repo just full of reusable github actions and workflows and they aren’t all in the .github folder

Bonus question - how do you see this being used? The two options really are:

  1. Part of a code build which does scanning - now it can include the workflow files
  2. A completely separate “build” that only monitors the .github folder and has its own Sonar project just for that?

Whilst both are likely possible, I am wondering how you guys envisage it being used.

thanks

Tony

Hello,

I don’t have any ETA for the DotNet Scanner.

I suggest you configure a second scan using the Scanner CLI to scan the GitHub Actions that are part of your DotNet projects.

The ideal situation would be to not have to do that and just run the DotNet Scanner and have everything scanned in the same SQ project.

Alex
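One way to set up the second, workflow-only scan suggested above, as an added example that is not from the original post or from Sonar's own documentation. It assumes a SonarQube Cloud project created just for the workflows (the organization `my-org` and project key `my-org_gha-workflows` are placeholders) and narrows the analysis scope to the workflow files with `sonar.inclusions`, so the .NET sources keep being analyzed by the DotNet Scanner in their own project. Whether reusable actions and workflows outside `.github` are picked up is the open question in this thread, so this example does not claim to cover them.

```properties
# sonar-project.properties for the workflow-only scan (added example; names are placeholders)
sonar.organization=my-org
sonar.projectKey=my-org_gha-workflows
sonar.projectName=GitHub Actions workflows

# Start from the repository root, but only keep workflow files in scope
sonar.sources=.
sonar.inclusions=.github/workflows/**/*.yml,.github/workflows/**/*.yaml

# Keep build output and vendored dependencies out of the scan
sonar.exclusions=**/bin/**,**/obj/**,**/node_modules/**

sonar.host.url=https://sonarcloud.io
```

Run `sonar-scanner` from the repository root (with the analysis token supplied via `-Dsonar.token=...`) as a separate CI job from the .NET build; because the file only includes `.github/workflows`, the scanner does not need the project to be compiled.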

Hi @Alexandre_Gigleux

So you are suggesting a separate scan using the CLI scanner for now to a completely separate Sonar Project, but in the future when the DotNet scanner is done, roll it all into one project.

i.e., you wouldn’t keep the GitHub Action scanning in a separate project.

Technically it does not affect the quality of the built code so that may not be appropriate - though it does of course affect the ability to build the code! This is why I was asking for guidance - there is no immediately obvious answer to this as you could look at it from multiple perspectives

Would appreciate answers to the other questions I raised too, in the initial bullet points

thanks

Tony