Skip to content

SonarCloud: GitHub Actions / dependency hardening #623

Description

@don-petry

SonarCloud: GitHub Actions / dependency hardening

13 open SonarCloud finding(s) in petry-projects/.github, worst severity MAJOR. Generated by the org SonarCloud Audit.

View in SonarCloud →

Findings

Rule Count Representative message
githubactions:S8541 5 Omitting "--only-binary :all:" can lead to the execution of setup scripts. Make sure it is
githubactions:S8544 3 Using dependencies without locking resolved versions is security-sensitive.
githubactions:S6505 2 "npx" can install packages on-demand and run their lifecycle scripts.
githubactions:S8545 2 Dependency versions are not predictable. Use a lock-file enforcing command instead.
githubactions:S8543 1 Define exact package version to avoid installing unverified releases.

Affected files

  • .github/workflows/ci.yml (4)
  • .github/workflows/dependency-audit-reusable.yml (2)
  • .github/workflows/dependency-audit.yml (2)
  • .github/workflows/feature-ideation-reusable.yml (2)
  • .github/workflows/feature-ideation-tests.yml (2)
  • .github/workflows/agent-shield-reusable.yml (1)

Priority

Labeled priority:major — mapped from this bucket's worst SonarCloud severity (MAJOR).

Acceptance

  • All findings in this workstream resolved to zero in SonarCloud
  • No behavior change; CI green
  • Real fixes (no blanket NOSONAR unless a confirmed false positive, noted inline)

Idempotent issue — updated automatically each audit run; auto-closed when the finding count reaches zero.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dev-leadFor dev-lead agent pickupdev-lead:needs-humandev-lead could not complete this issue; needs human attentionpriority:majorSonarCloud MAJOR severitysecuritySecurity-related PRs and issuessonarcloud-auditSonarCloud audit finding (idempotent marker)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions