security(ci): pin SonarSource/sonarqube-scan-action to commit SHA (defense against mutable-tag supply-chain)#3379
Merged
Conversation
We were referencing SonarSource/sonarqube-scan-action by mutable tag (@v6.0.0)
in both .github/workflows/quality.yml and the new .github/workflows/sonar-fork-pr.yml.
Mutable tags can be force-pushed; if SonarSource were ever compromised, an
attacker could rewrite v6.0.0 to point at a malicious commit and steal
SONAR_TOKEN (and, in quality.yml's case, GITHUB_TOKEN as well) on the next
CI run, with no commit hitting our tree.
Pin both call sites to the current v6.0.0 commit:
SonarSource/sonarqube-scan-action@fd88b7d # v6.0.0
Matches the SHA-pinning style used for actions/checkout, actions/setup-python,
actions/setup-node, actions/upload-artifact, actions/download-artifact, and
github/codeql-action elsewhere in this repo. Dependabot's GitHub-Actions
ecosystem will keep the SHA + tag-comment up to date going forward.
Reported externally on 2026-05-18 alongside the broader CI security pass.
Contributor
Pull request overview
Pins the third-party SonarQube scan GitHub Action to an immutable commit SHA in workflows that run with SONAR_TOKEN (and sometimes GITHUB_TOKEN), reducing exposure to mutable-tag supply-chain attacks.
Changes:
- Updated `.github/workflows/quality.yml` to use a commit-SHA pin for `SonarSource/sonarqube-scan-action` (annotated with `# v6.0.0`).
- Updated `.github/workflows/sonar-fork-pr.yml` to use the same commit-SHA pin for the SonarQube scan step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/quality.yml | Replaces SonarSource/sonarqube-scan-action@v6.0.0 with a commit SHA pin while keeping the same scan behavior/conditions. |
| .github/workflows/sonar-fork-pr.yml | Replaces SonarSource/sonarqube-scan-action@v6.0.0 with a commit SHA pin in the trusted fork-PR scan workflow. |
Summary
`SonarSource/sonarqube-scan-action@v6.0.0` was referenced by mutable tag in two workflows that hold `SONAR_TOKEN` (and, for `quality.yml`, `GITHUB_TOKEN` too):
Tags are mutable. If SonarSource's org/account were ever compromised, an attacker could force-push `v6.0.0` to a malicious commit and exfiltrate `SONAR_TOKEN` on the next CI run, without a single line hitting our tree. This is exactly the supply-chain class GitHub recommends pinning by SHA to defend against.
Fix
Both call sites now reference the current `v6.0.0` commit by SHA:
```yaml
uses: SonarSource/sonarqube-scan-action@fd88b7d # v6.0.0
```
Matches the SHA-pinning style already used in this repo for `actions/checkout`, `actions/setup-python`, `actions/setup-node`, `actions/upload-artifact`, `actions/download-artifact`, and `github/codeql-action`. Dependabot's GitHub-Actions ecosystem will keep the SHA + tag-comment up to date going forward.
Test plan
Refs
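As an added example (not part of this PR or of the repo's own tooling), a small Python checker that walks a workflow file's `uses:` lines and reports references that do not follow the pinning style described above: mutable tags or branches, abbreviated SHAs, and SHA pins that lack the `# vX.Y.Z` comment Dependabot keeps in step. Flagging abbreviated SHAs such as the 7-character one in this PR is this example's own stricter policy (a full 40-hex SHA cannot become ambiguous as the upstream repo grows), and the sample workflow fragment with its 40-hex SHAs is a constructed placeholder.

```python
import re

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local (./path) and docker:// references have no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
HEX_PREFIX_RE = re.compile(r"^[0-9a-f]{7,39}$")  # heuristic for an abbreviated SHA

def classify_ref(ref: str) -> str:
    """'sha' (immutable), 'short-sha' (abbreviated pin) or 'tag' (tag/branch, movable upstream)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if HEX_PREFIX_RE.match(ref):
        return "short-sha"
    return "tag"

def audit_workflow(text: str) -> list[dict]:
    """Extract every remote action reference from workflow YAML and classify how it is pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append({"line": lineno, "action": m["action"], "ref": m["ref"],
                             "kind": classify_ref(m["ref"]), "comment": m["comment"]})
    return findings

def problems(text: str) -> list[tuple[int, str]]:
    """One (line, message) per reference that does not meet the SHA-pinning style."""
    out = []
    for f in audit_workflow(text):
        where = f"{f['action']}@{f['ref']}"
        if f["kind"] == "tag":
            out.append((f["line"], f"{where}: mutable ref, pin to a commit SHA"))
        elif f["kind"] == "short-sha":
            out.append((f["line"], f"{where}: abbreviated SHA, prefer the full 40-hex SHA"))
        elif not f["comment"]:
            out.append((f["line"], f"{where}: add a '# vX.Y.Z' comment naming the pinned release"))
    return out

# Constructed sample fragment; the 40-hex SHAs are placeholders, not real commits.
SAMPLE = """\
steps:
  - uses: ./.github/actions/local-helper
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
  - uses: SonarSource/sonarqube-scan-action@v6.0.0
  - uses: SonarSource/sonarqube-scan-action@fd88b7d # v6.0.0
  - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for line, msg in problems(SAMPLE):
        print(f"line {line}: {msg}")
```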