BUILD-7995 Security hardening#37

Merged
SamirM-BE merged 3 commits into master from feat/smarini/BUILD-7995-ImproveSecurityPosture
Jul 1, 2025

Conversation

@SamirM-BE
Contributor

@SamirM-BE SamirM-BE commented Jun 26, 2025

  • BUILD-7995 Move inputs to environment variables instead of direct interpolation and quote all variable usage to prevent command injection
  • BUILD-7995 Avoid writing untrusted data to the env file
  • BUILD-7995 Fix CODEOWNERS misconfiguration - Add explicit ownership of the .github/CODEOWNERS file itself

tested with https://github.com/SonarSource/sonar-dummy/actions/runs/15910686917/job/44877865418?pr=440
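The first two bullets above, shown as an added illustration that is not the PR's own action.yml: a composite-action step before and after the hardening. The input names, the step name and the `scanner` command are assumptions.

```yaml
# BEFORE (weak): the ${{ }} expression is substituted into the script text before
# bash ever parses it, so the input value is treated as shell syntax, not as data.
# The same value is also appended to $GITHUB_ENV, where it persists into later steps.
runs:
  using: composite
  steps:
    - name: Run scanner (unsafe)          # hypothetical step
      shell: bash
      run: |
        scanner --project ${{ inputs.project-key }} --branch ${{ inputs.branch }}
        echo "PROJECT_KEY=${{ inputs.project-key }}" >> "$GITHUB_ENV"
---
# AFTER (hardened): inputs are handed to the step through env, so they reach bash
# as variable contents; every expansion is double-quoted so it stays one argument.
# The untrusted value is scoped to this step's env instead of written to the env file.
runs:
  using: composite
  steps:
    - name: Run scanner (hardened)        # hypothetical step
      shell: bash
      env:
        PROJECT_KEY: ${{ inputs.project-key }}   # assumed input name
        BRANCH: ${{ inputs.branch }}             # assumed input name
      run: |
        scanner --project "$PROJECT_KEY" --branch "$BRANCH"
```

The same rule applies to cache keys and any other place the inputs are referenced: read the environment variable rather than interpolating the expression.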

@SamirM-BE SamirM-BE changed the title from "BUILD-7995 Security hardening"" to "BUILD-7995 Security hardening" Jun 26, 2025
@SamirM-BE SamirM-BE force-pushed the feat/smarini/BUILD-7995-ImproveSecurityPosture branch from 82e3b51 to 29ac50d Compare June 26, 2025 19:14
- Add explicit ownership of .github/CODEOWNERS file itself
@SamirM-BE SamirM-BE force-pushed the feat/smarini/BUILD-7995-ImproveSecurityPosture branch from 29ac50d to d8da4a8 Compare June 26, 2025 19:38

@SamirM-BE SamirM-BE marked this pull request as ready for review June 26, 2025 20:10
Copilot AI review requested due to automatic review settings June 26, 2025 20:10
@SamirM-BE SamirM-BE requested a review from a team as a code owner June 26, 2025 20:10

Copilot AI left a comment

Pull Request Overview

This PR implements security hardening by moving input values to environment variables, ensuring variable usage is properly quoted to prevent command injection, and correcting CODEOWNERS configuration.

  • Refactored input handling in action.yml by exporting inputs to environment variables.
  • Updated subsequent usage of these variables in commands and cache keys, including improvements to log output management.
  • Fixed CODEOWNERS misconfiguration by specifying explicit ownership for the file.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                 Description
action.yml           Reworked input handling and variable quoting to enhance security.
.github/CODEOWNERS   Added explicit ownership for the CODEOWNERS file to fix misconfiguration.

@SamirM-BE SamirM-BE merged commit 0ecedc4 into master Jul 1, 2025
10 checks passed
@SamirM-BE SamirM-BE deleted the feat/smarini/BUILD-7995-ImproveSecurityPosture branch July 1, 2025 06:09

@chirag-goel-sonarsource chirag-goel-sonarsource left a comment

Looks good to me
