Update SonarSource/sonarcloud-github-action digest to f170077

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
SonarSource/sonarcloud-github-action	action	digest	de2e56b -> f170077

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on updating the configuration of a GitHub Actions workflow for SonarCloud, a widely-used code quality and security platform. The key change is the update of the SonarSource/sonarcloud-github-action version, which is likely a newer version that may include bug fixes, new features, or security improvements.

From an application security perspective, the use of SonarCloud is a positive step, as it can help identify and address security vulnerabilities in the codebase. However, it's important to ensure that the SonarCloud configuration is set up correctly and that the necessary tokens and project information are properly configured. Additionally, it's worth reviewing the SonarCloud documentation and the specific configuration parameters used in the workflow, as they may have implications for the security and quality of the analysis.

Files Changed:

• .github/workflows/sonarcloud.yml: This file contains the configuration for the GitHub Actions workflow that triggers a SonarCloud analysis of the codebase and populates GitHub Code Scanning alerts with any vulnerabilities found. The key change in this pull request is the update of the SonarSource/sonarcloud-github-action version from de2e56b42aa84d0b1c5b622644ac17e505c9a049 to e44258b109568baa0df60ed515909fc6c72cba92.

Powered by DryRun Security

[guardrails]

⚠️ We detected 1 security issue in this pull request:

Hard-Coded Secrets (1)

Severity	Details	Docs
Medium	Title: SonarQube Docs API Key scsctl/.github/workflows/sonarcloud.yml Line 50 in 5b61b0d uses: SonarSource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92	📚

More info on how to fix Hard-Coded Secrets in General.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[dryrunsecurity]

DryRun Security Summary

The PR modifies the SonarCloud GitHub Actions workflow by updating action references and configurations, but contains missing project settings and potentially exposed internal information in workflow comments.

Expand for full summary

The PR updates the SonarCloud GitHub Actions workflow file, changing the action reference and configuring SonarCloud analysis secrets and permissions. Security findings include:

1. Potential configuration issue: SonarCloud project configuration (-Dsonar.projectKey and -Dsonar.organization) is blank, which may cause analysis execution failure (file: .github/workflows/sonarcloud.yml)

2. Potential information exposure: Workflow comments reveal internal process details about SonarCloud setup, including links to security pages (file: .github/workflows/sonarcloud.yml)

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[guardrails]

⚠️ We detected 1 security issue in this pull request:

Hard-Coded Secrets (1)

Severity	Details	Docs
Medium	Title: SonarQube Docs API Key scsctl/.github/workflows/sonarcloud.yml Line 50 in 12e27b7 uses: SonarSource/sonarcloud-github-action@eb211723266fe8e83102bac7361f0a05c3ac1d1b	📚

More info on how to fix Hard-Coded Secrets in General.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[github-actions]

Stale pull request message