Token-less analysis in GitHub Actions for improved security

I've been looking at how to use Sonar with GH Actions, and one of my concerns is that we have to use a secret token which then becomes available to the PR actions, as documented here:

To me this is a security risk, especially on public repositories, because once SONAR_TOKEN is available in the environment it is fairly trivial for a malicious actor to update the logic in the action, or in code called by the action, to export the token and publish it somewhere else, even in the log (it is easy to escape the secrets filtering by reversing the token, base64-encoding it, or even using ROT13, to name a few), and then the secret will be publicly visible in the log output of the actions.

One way that pypi.org fixes this issue is by adding trusted publishers, which does not use any token at all. The way it works is that when a new release is triggered, the pypi.org API gets a notification and then goes to GH.com to fetch the release. It only fetches the new release if it is from the official repo and from an approved pipeline.

It would require some changes to how the scanner works, but it would increase the security posture and decouple the analysis from being tied to a real user account.

https://docs.pypi.org/trusted-publishers/adding-a-publisher/
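The log-filter bypass described in the post, as an added example that is not part of the original post or of any Sonar or GitHub code. It models the secret masking as a literal string replacement (which is how such filters behave: they match the registered value verbatim) and shows that a step which echoes the token reversed, base64-encoded, ROT13-ed or hex-encoded gets past it, and that the reader of the public log can trivially undo the encoding. The `derived_masks` helper is a hypothetical stand-in for registering extra masks (in the spirit of `::add-mask::`); it deliberately omits hex to show that enumerating encodings never closes the hole. The token value is constructed and not a real credential.

```python
import base64
import codecs

# Constructed sample token; not a real credential.
SECRET = "sqp_0123456789abcdef0123456789abcdef01234567"


def mask(line: str, registered: list) -> str:
    """Model of a CI log filter: every registered string is replaced with
    '***' wherever it occurs verbatim. The filter knows nothing about encodings."""
    for s in sorted(registered, key=len, reverse=True):
        line = line.replace(s, "***")
    return line


# Encodings a tampered step could apply before echoing the secret, paired with
# the inverse the attacker applies after reading the public log.
TRANSFORMS = {
    "plain":    (lambda s: s,                                     lambda s: s),
    "reversed": (lambda s: s[::-1],                               lambda s: s[::-1]),
    "base64":   (lambda s: base64.b64encode(s.encode()).decode(), lambda s: base64.b64decode(s).decode()),
    "rot13":    (lambda s: codecs.encode(s, "rot_13"),            lambda s: codecs.decode(s, "rot_13")),
    "hex":      (lambda s: s.encode().hex(),                      lambda s: bytes.fromhex(s).decode()),
}


def derived_masks(secret: str) -> list:
    """Hypothetical mitigation: also register the three encodings named in the
    post. Hex is left out on purpose to show that the list can never be complete."""
    return [
        secret,
        secret[::-1],
        base64.b64encode(secret.encode()).decode(),
        codecs.encode(secret, "rot_13"),
    ]


def leak_through_log(secret: str, name: str, registered: list):
    """Simulate one tampered step: encode, write to the log, run the filter,
    then let the attacker decode whatever survived. Returns (visible_line, recovered)."""
    encode, decode = TRANSFORMS[name]
    printed = f"debug: {encode(secret)}"    # what the tampered step writes
    visible = mask(printed, registered)     # what ends up in the public log
    payload = visible[len("debug: "):]
    recovered = decode(payload) if payload != "***" else None
    return visible, recovered


def leaking_transforms(secret: str, registered: list) -> list:
    """Names of the encodings that get the full secret past the filter."""
    return [n for n in TRANSFORMS if leak_through_log(secret, n, registered)[1] == secret]


if __name__ == "__main__":
    print(leaking_transforms(SECRET, [SECRET]))               # ['reversed', 'base64', 'rot13', 'hex']
    print(leaking_transforms(SECRET, derived_masks(SECRET)))  # ['hex']
```

The second run is the point: registering the encodings you thought of only moves the goalposts, because the attacker controls the code that chooses the encoding. The fix is to not have a long-lived secret in the job at all, which is what the token-less approach gives you.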
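The "approved pipeline" check that a token-less (trusted publisher style) service performs, as an added example that is not part of the original post and not pypi.org's or Sonar's own code. GitHub Actions can mint an OIDC ID token for a job; its claims identify the repository (`repository`, `repository_owner`), the workflow file that is running (`job_workflow_ref`) and the deployment environment (`environment`). The receiving service matches those claims against a publisher it has on record instead of accepting a shared secret. The code below assumes the token's signature has already been verified against the issuer's JWKS (that step is omitted) and works on the decoded claims; the `TrustedPublisher` type, the `verify_claims` function and the sample claims are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    """What the service stores for an approved pipeline (hypothetical shape)."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None   # None means any environment is accepted


def verify_claims(claims: dict, publisher: TrustedPublisher, audience: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Match decoded (already signature-verified) OIDC claims against one
    registered publisher. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("repository") != f"{publisher.owner}/{publisher.repository}":
        return False, "repository mismatch"
    if claims.get("repository_owner") != publisher.owner:
        return False, "owner mismatch"
    # job_workflow_ref looks like owner/repo/.github/workflows/file.yml@refs/...
    workflow_path = claims.get("job_workflow_ref", "").partition("@")[0]
    expected = f"{publisher.owner}/{publisher.repository}/.github/workflows/{publisher.workflow_filename}"
    if workflow_path != expected:
        return False, "workflow mismatch"
    if publisher.environment is not None and claims.get("environment") != publisher.environment:
        return False, "environment mismatch"
    return True, "ok"


PUBLISHER = TrustedPublisher("example-org", "example-project", "release.yml", "release")

# Constructed claims shaped like a GitHub Actions OIDC token; not a real token.
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "pypi",
    "exp": 2_000_000_000,
    "sub": "repo:example-org/example-project:environment:release",
    "repository": "example-org/example-project",
    "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/tags/v1.2.3",
    "environment": "release",
}
# Same workflow file, but running in a fork: must be rejected.
FORK_CLAIMS = dict(GOOD_CLAIMS, repository="mallory/example-project", repository_owner="mallory",
                   job_workflow_ref="mallory/example-project/.github/workflows/release.yml@refs/heads/main")
# Right repo, but a different (e.g. PR-triggered) workflow: must be rejected.
OTHER_WORKFLOW_CLAIMS = dict(GOOD_CLAIMS,
                             job_workflow_ref="example-org/example-project/.github/workflows/ci.yml@refs/heads/main")

if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("fork", FORK_CLAIMS), ("other workflow", OTHER_WORKFLOW_CLAIMS)]:
        print(name, verify_claims(claims, PUBLISHER, "pypi", now=1_700_000_000))
```

There is no long-lived credential anywhere in this flow: the ID token is short-lived, bound to a single job, and only useful to the one audience it was minted for, so a tampered step that echoes it to the log gains the attacker very little. One caveat worth carrying over from the PyPI design: matching on names alone leaves a window if the owner or repository is renamed and the old name re-registered, so a production verifier should also pin the numeric `repository_id` and `repository_owner_id` claims, which the example above does not do.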