
fix: resolve SonarQube script injection and permission issues#41

Merged
lachen-nv merged 1 commit into main from fix/sonarqube-security-issues on Apr 16, 2026

Conversation

@lachen-nv

Collaborator

Summary

  • Move ${{ inputs.* }} from run: blocks to env: blocks to prevent GitHub Actions script injection (SonarQube rule S7630)
  • Move workflow-level permissions to job-level for least-privilege principle (SonarQube rules S8264/S8233)
  • Only build-and-push-images job retains packages: write; all others get read only

Resolves 16 BLOCKER + 2 MAJOR SonarQube findings across 4 files:

File                                 Issues fixed
security-container-scan/action.yml   3 BLOCKER (S7630)
slack-notify/action.yml              9 BLOCKER (S7630)
promote-image.yml                    7 BLOCKER (S7630)
build-cds-containers.yml             2 MAJOR (S8264/S8233)

No breaking changes — action interfaces (inputs/outputs) are unchanged. Callers do not need to update.

Test plan

  • Verify security-container-scan action works in a workflow run
  • Verify slack-notify action sends messages correctly
  • Verify promote-image workflow copies images between registries
  • Verify build-cds-containers workflow builds and pushes to GHCR
  • Re-run SonarQube scan on this branch to confirm 0 BLOCKER/MAJOR issues

🤖 Generated with Claude Code

Move ${{ inputs.* }} from run blocks to env blocks to prevent GitHub
Actions script injection (S7630). Move workflow-level permissions to
job-level for least-privilege (S8264/S8233).

Resolves 16 BLOCKER + 2 MAJOR SonarQube findings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
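The two changes the PR summary describes, shown as an added shell example that is not code from this PR or its repository. It emulates what the runner does with a `run:` step (the `${{ inputs.tag }}` expression is substituted into the script text before any shell parses it), runs the same attacker-controlled value through `env:` instead, and includes a small awk check for `${{ ... }}` left inside `run:` blocks, exercised against a constructed sample workflow with permissions declared on the job rather than the workflow. The workflow name, the `tag` input, the image names and the `INJECTED` marker are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from this PR: why S7630 flags ${{ inputs.* }} inside
# run: and why moving the expression into env: fixes it.
#
# Vulnerable pattern (what the PR removes):
#   - run: echo "Promoting ${{ inputs.tag }}"
# Hardened pattern (what the PR adds):
#   - env:
#       TAG: ${{ inputs.tag }}
#     run: echo "Promoting $TAG"

# Constructed attacker-controlled input: closes the quote, runs a command, reopens it.
PAYLOAD='v1.0"; echo INJECTED; echo "'

# The expression engine substitutes ${{ inputs.tag }} into the script *text*
# before any shell sees it; this function performs the same substitution.
render_inline() {
    printf '%s\n' "echo \"Promoting image tag $1\""
}

# Runs the rendered script the way the runner would: the input is now code.
run_inline() {
    sh -c "$(render_inline "$1")"
}

# env: evaluates the expression into a variable; the script text is fixed and
# the shell treats the value as data, whatever it contains.
run_env() {
    TAG="$1" sh -c 'echo "Promoting image tag $TAG"'
}

# Heuristic check for leftovers: prints every line holding "${{" that sits
# inside a run: step (one-liner or "run: |" block) of a workflow/action file.
find_inline_exprs() {
    awk '
        function lead(s) { match(s, /^[ \t]*/); return RLENGTH }
        /^[ \t]*(-[ \t]*)?run:/ {
            inrun = 1; base = lead($0)
            if ($0 ~ /^[ \t]*-/) base += 2     # "- run:": sibling keys sit 2 past the dash
            if ($0 ~ /[$][{][{]/) print FILENAME ":" NR ": " $0
            next
        }
        inrun {
            if ($0 !~ /^[ \t]*$/ && lead($0) <= base) { inrun = 0; next }
            if ($0 ~ /[$][{][{]/) print FILENAME ":" NR ": " $0
        }
    ' "$1"
}

# Constructed sample workflow: one step in the pre-fix shape, one in the
# post-fix shape, with permissions declared on the job, not the workflow.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: promote-image
on:
  workflow_dispatch:
    inputs:
      tag:
        required: true
jobs:
  promote:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: before (input spliced into the script text)
        run: |
          echo "Promoting ${{ inputs.tag }}"
          docker tag app:${{ inputs.tag }} ghcr.io/example/app:${{ inputs.tag }}
      - name: after (input passed through env)
        env:
          TAG: ${{ inputs.tag }}
        run: |
          echo "Promoting $TAG"
          docker tag "app:$TAG" "ghcr.io/example/app:$TAG"
EOF
}

# Writes the sample to a temp file, runs the check on it, cleans up.
sample_workflow_findings() {
    f=$(mktemp) && write_sample_workflow "$f" && find_inline_exprs "$f"; rm -f "$f"
}

echo '== ${{ inputs.tag }} inline in run: (vulnerable) =='
run_inline "$PAYLOAD"
echo '== same value via env: (hardened) =='
run_env "$PAYLOAD"
echo '== expressions still inside run: blocks of the sample workflow =='
sample_workflow_findings
```

Two caveats worth keeping in mind when applying the same fix elsewhere. First, `env:` only stops the value from being parsed as shell; it is still untrusted data, so keep it double-quoted in the script (`"app:$TAG"`) and never hand it to `eval` or an unquoted command line. Second, a job-level `permissions:` block replaces the workflow-level one for that job and sets every scope it does not name to `none`, so a job that keeps only `packages: write` has no `contents` access; add `contents: read` in the same block if the job checks out the repository.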

@mmou-nv mmou-nv left a comment

Contributor


+1

@lachen-nv lachen-nv merged commit 998302b into main Apr 16, 2026
2 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 16, 2026

2 participants