I am one of the contributors to the OpenZFS project on GitHub. Recently, I have been making a major push to run static analysis tools on the repository and fix the reports.
The project is particularly interested in being able to run static analysis tools on every pull request so that regressions in pull requests can be caught before they are merged, and SonarCloud looks like a good fit for that. Unfortunately, when I try to set up SonarCloud, it asks me to give access to SonarCloud to act on my behalf without any explanation of what this means.
A number of people trust me to safeguard my GitHub account against compromise and it only takes a single incident to destroy people's trust, so I am very cautious about granting third parties permission to act on my behalf. The issue could be somewhat mitigated by making another GitHub account, but if I recall, that is against GitHub's ToS, so I cannot do that.
What are the security implications of signing up with SonarCloud (e.g. to what extent can a bad actor cause harm to my GitHub projects if SonarCloud is compromised) and how can I mitigate them as much as possible?
Also, yesterday, the project adopted CodeQL via a GitHub workflow. This required no special permission to act on my behalf, so I am a bit confused why SonarCloud needs it. Why does SonarCloud need special permission to act on my behalf when CodeQL does not?