Summary
Two related security issues exist in .github/workflows/sonarcloud-analysis.yml.
- dawidd6/action-download-artifact is pinned to v5, which is vulnerable to artifact poisoning via forks (Dependabot alert, patched in v6)
- The SonarCloud build and analysis steps use the pull_request_target trigger, which runs in a privileged context and should not be combined with externally-sourced artifacts
What to do
- Upgrade action-download-artifact to v6
- Replace pull_request_target with pull_request (see for example https://github.com/com-pas/compas-cim-mapping)
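The weak configuration beside the corrected one, as an added illustration rather than the repository's actual workflow file. The job and step layout, the `build.yml` / `build-output` artifact names and the `SonarSource/sonarcloud-github-action` step are assumptions; only the trigger and the action pin are the point.

```yaml
# BEFORE (two documents separated by ---, shown side by side for comparison)
# Vulnerable: privileged trigger + artifact from an externally triggered run,
# downloaded with the action version that has the known weakness.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork code, privileged context
      - uses: dawidd6/action-download-artifact@v5         # vulnerable (patched in v6)
        with:
          workflow: build.yml        # assumed name of the producing workflow
          name: build-output         # assumed artifact name
          path: target
      - uses: SonarSource/sonarcloud-github-action@master  # assumed analysis step
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
---
# AFTER: unprivileged trigger and patched action version.
on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history so SonarCloud can attribute new code
      - uses: dawidd6/action-download-artifact@v6         # fixed version
        with:
          workflow: build.yml
          name: build-output
          path: target
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Note that with `pull_request`, runs triggered from fork PRs receive a read-only token and no repository secrets, so `SONAR_TOKEN` is only available for PRs from branches in the same repository.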
Acceptance criteria
- action-download-artifact upgraded to v6 or later
- Trigger changed from pull_request_target to pull_request
- Dependabot alert resolved
- SonarCloud analysis still passes on PRs