From fe5d6498c395830bbd79878fe13a604490b106ac Mon Sep 17 00:00:00 2001
From: deacon-mp
Date: Mon, 18 May 2026 19:06:11 -0400
Subject: [PATCH] security(ci): pin SonarSource/sonarqube-scan-action to a commit SHA

We were referencing SonarSource/sonarqube-scan-action by mutable tag (@v6.0.0) in both .github/workflows/quality.yml and the new .github/workflows/sonar-fork-pr.yml. Mutable tags can be force-pushed; if SonarSource were ever compromised, an attacker could rewrite v6.0.0 to point at a malicious commit and steal SONAR_TOKEN (and, in quality.yml's case, GITHUB_TOKEN as well) on the next CI run, with no commit hitting our tree.

Pin both call sites to the current v6.0.0 commit:

SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0

Matches the SHA-pinning style used for actions/checkout, actions/setup-python, actions/setup-node, actions/upload-artifact, actions/download-artifact, and github/codeql-action elsewhere in this repo. Dependabot's GitHub-Actions ecosystem will keep the SHA + tag-comment up to date going forward.

Reported externally on 2026-05-18 alongside the broader CI security pass.
---
 .github/workflows/quality.yml | 2 +-
 .github/workflows/sonar-fork-pr.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index edcc90689..845f03b41 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -60,7 +60,7 @@ jobs:
 - name: SonarQube Scan
 if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) }}
- uses: SonarSource/sonarqube-scan-action@v6.0.0
+ uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/sonar-fork-pr.yml b/.github/workflows/sonar-fork-pr.yml
index 5316dc6bd..01fcfce10 100644
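Review bot: The added `uses:` line is only as safe as the agreement between the SHA and its `# v6.0.0` trailer, and nothing in the change verifies that fd88b7d7… is the commit the upstream v6.0.0 tag resolves to; before merging, confirm it with `git ls-remote https://github.com/SonarSource/sonarqube-scan-action refs/tags/v6.0.0 'refs/tags/v6.0.0^{}'` (the peeled `^{}` form matters if the tag is annotated), because a mistyped SHA pins silently to whatever commit it happens to name. The trailer is also what Dependabot's github-actions updater keys on to move SHA and version together, so it should stay on the same line in exactly this `# vX.Y.Z` form — worth a one-line comment above the step saying so, e.g. `# SHA-pinned; keep the "# vX.Y.Z" trailer so Dependabot can bump it.` The step still receives `GITHUB_TOKEN`, and the job's `permissions:` block is outside the hunk, so I can't tell how that token is scoped; if it isn't already, a job-level `permissions:` with `contents: read` plus whatever Sonar's PR decoration needs (likely `pull-requests: write`) limits what a misbehaving pinned action could do with it.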
--- a/.github/workflows/sonar-fork-pr.yml
+++ b/.github/workflows/sonar-fork-pr.yml
@@ -138,7 +138,7 @@ jobs:
 fi
 - name: SonarQube Scan (fork PR, trusted base)
- uses: SonarSource/sonarqube-scan-action@v6.0.0
+ uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
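Review bot: Pinning the action's commit does not pin what the action fetches when it runs, and this step (`SonarQube Scan (fork PR, trusted base)`) still gets `SONAR_TOKEN` and `GITHUB_TOKEN` in env inside a fork-PR workflow — presumably triggered by `pull_request_target`, though the trigger is outside the hunk — so the control actually protecting those secrets is what looks like a shell guard ending at the `fi` above (its body is outside the hunk), not the SHA. Two follow-ups are worth doing: check the pinned commit's action.yml for mutable runtime fetches (scanner CLI downloads, container image tags), and document the dependency on the guard right above the step, e.g. `# Runs with repo secrets on a fork PR: the guard above must ensure only the trusted base ref is scanned, never the fork head.` Also, the commit message says GITHUB_TOKEN is only at stake in quality.yml, but this hunk shows sonar-fork-pr.yml passes it too, so the description understates the exposure this pin closes.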