Skip to content

fix(ci): resolve SonarQube security issues in workflows and Dockerfile#625

Merged
olivermeyer merged 2 commits into
mainfrom
fix/sonarqube
May 6, 2026
Merged

fix(ci): resolve SonarQube security issues in workflows and Dockerfile#625
olivermeyer merged 2 commits into
mainfrom
fix/sonarqube

Conversation

@olivermeyer

@olivermeyer olivermeyer commented May 5, 2026

Copy link
Copy Markdown
Collaborator

Why?
SonarQube flagged two Medium/Major security issues across CI workflows and the Dockerfile: uv sync without --no-build (allowing potential build-script execution from source distributions) and uv run without --frozen (potentially allowing silent environment updates before running a command).

How?
Dockerfile stages that use --no-install-project install only external dependencies, so --no-build can safely enforce wheel-only installs there. The remaining uv sync issues (workflow files and Dockerfile stages that install aignostics itself) are marked as accepted in SonarQube — aignostics must be built from source as no pre-built binary distribution exists. All uv run calls in workflow files gain --frozen, making the lockfile invariant explicit at every invocation.

External-deps-only stages (--no-install-project) can safely enforce
wheel-only installs. Stages that install the local project annotated
with NOSONAR since the local build is trusted source code and --frozen
already enforces lockfile hash verification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 5, 2026 09:31
@olivermeyer olivermeyer added the skip:test:long_running Skip long-running tests (≥5min) label May 5, 2026

This comment was marked as outdated.

Makes the lockfile invariant explicit on every uv run call that follows
uv sync --frozen, preventing any inadvertent environment update and
resolving the SonarQube "unlocked dependency" warnings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented May 5, 2026

Copy link
Copy Markdown

@codecov

codecov Bot commented May 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 21 files with indirect coverage changes

@olivermeyer olivermeyer merged commit 88612d4 into main May 6, 2026
28 of 29 checks passed
@olivermeyer olivermeyer deleted the fix/sonarqube branch May 6, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants