
Include sonar cloud scan as part of linting #303


Status: Open. Wants to merge 1 commit into base: main.

Conversation

ssbarnea (Member)

No description provided.

@ssbarnea ssbarnea requested a review from a team as a code owner June 16, 2025 12:53
@github-actions github-actions bot added the bug Something isn't working label Jun 16, 2025
@ssbarnea ssbarnea added enhancement New feature or request and removed bug Something isn't working labels Jun 16, 2025
Annotated lines in .github/workflows/tox.yml:

        if: matrix.name == 'lint' && (hashFiles('sonar-project.properties') != '' || env.SONAR_TOKEN != '') # 'if' cannot use 'secrets' context
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)] || secrets.SONAR_TOKEN }}

Check warning: Code scanning / CodeQL

Excessive Secrets Exposure (Medium)

All organization and repository secrets are passed to the workflow runner in
secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)] || secrets.SONAR_TOKEN

Copilot Autofix (AI, 8 days ago)

To fix the issue, we need to replace the dynamic secret access with explicit references to specific secrets. This ensures that only the required secrets are passed to the workflow runner, adhering to the principle of least privilege. The best approach is to define the secret explicitly in the workflow file, using a static reference like secrets.SONAR_TOKEN. If multiple environments or configurations are needed, separate workflows or conditional logic can be used to reference specific secrets explicitly.

Changes required:

  1. Replace secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)] with a static reference to the specific secret, e.g., secrets.SONAR_TOKEN.
  2. Remove the fallback || secrets.SONAR_TOKEN to avoid ambiguity and ensure only the required secret is used.

Suggested changeset 1
.github/workflows/tox.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@@ -241,3 +241,3 @@
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)]  || secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
EOF
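Review bot: the replacement drops the `vars.SONAR_TOKEN_SECRET_NAME` indirection without replacing it, so a repository that relied on pointing the workflow at a differently named secret silently loses the scan (the step's `if:` guard on `env.SONAR_TOKEN != ''` simply evaluates false). If a single fixed secret name is the intended contract, state that in the PR description (currently empty) and in the workflow's documentation, and remove the now-unused variable from repository settings; if per-repository naming must stay, the least-privilege route is a small set of explicitly named secrets selected with conditional logic, as the autofix text itself suggests, rather than a dynamic `secrets[...]` index.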

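A small defender-side check for the pattern CodeQL reports above, added here as an example (not code from this PR or the project): it scans workflow text for `${{ }}` expressions that index the `secrets` context dynamically and lists the secrets that are referenced statically, so a reviewer can see exactly which secrets the job needs. The sample workflow text is constructed from the lines shown in the diff, with one extra line in the static form the autofix proposes.

```python
import re

# Constructed sample: the affected step as it appears in the PR diff (assumption:
# surrounding context trimmed), plus one extra line using the static form.
SAMPLE_WORKFLOW = """\
- name: Sonar scan
  if: matrix.name == 'lint' && (hashFiles('sonar-project.properties') != '' || env.SONAR_TOKEN != '')
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)] || secrets.SONAR_TOKEN }}
    FIXED_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

# Every ${{ ... }} expression in the workflow text.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# Dynamic access into the secrets context: index syntax (the pattern CodeQL flagged
# above) or serialising the whole context with toJSON(secrets). Both require the
# runner to receive every secret, not only the one the step actually uses.
DYNAMIC_RE = re.compile(r"\bsecrets\s*\[|\btoJSON\s*\(\s*secrets\s*\)", re.IGNORECASE)
# Static, least-privilege access: secrets.<NAME>
STATIC_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def find_dynamic_secret_access(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each expression that reads secrets dynamically."""
    findings = []
    for m in EXPR_RE.finditer(workflow_text):
        expr = m.group(1).strip()
        if DYNAMIC_RE.search(expr):
            line_no = workflow_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, expr))
    return findings


def static_secret_names(workflow_text: str) -> list[str]:
    """Sorted names of secrets referenced statically: the set a reviewer expects to see."""
    return sorted({m.group(1) for m in STATIC_RE.finditer(workflow_text)})


if __name__ == "__main__":
    for line_no, expr in find_dynamic_secret_access(SAMPLE_WORKFLOW):
        print(f"line {line_no}: dynamic secrets access in ${{{{ {expr} }}}}")
    print("static secrets:", static_secret_names(SAMPLE_WORKFLOW))
```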
Labels: enhancement (New feature or request)