Hi all,
We’re using SonarCloud with automatic analysis of our GitHub Actions PRs. We’re experimenting with analysing Terraform code, but the first rule I deliberately tried to break (to test the PR checks) didn’t actually trigger.
I’ve created a new PR in which I have added this deliberately bad code:
```hcl
# TODO: Will this break?
resource "azurerm_role_definition" "example" { # Sensitive
  name  = "example"
  scope = "${data.azurerm_subscription.subscription.id}"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.subscription.id
  ]
}

resource "azurerm_role_definition" "example2" { # Sensitive
  name  = "example2"
  scope = data.azurerm_management_group.product_group.id

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_management_group.product_group.id
  ]
}
```
I was expecting two linting errors:
- terraform:S6385 - Azure custom roles should not grant subscription Owner capabilities
- terraform:S1135 - Track uses of “TODO” tags
SonarCloud detected terraform:S1135; however, it did not detect terraform:S6385, even though the noncompliant code is the exact sample from the rule definition.
The project is configured to use the Sonar Way quality gate, so it should include the rule.
Any help in debugging why this isn’t working would be appreciated.
Thanks,