SQSCANGHA-102 Pin actions/cache to a full-length commit SHA (#199 )

SQSCANGHA-101 Add more command injection tests
SQSCANGHA-101 Fix sha256 check in QA Deprecated C/C++ action
2025-08-28 12:18:32 +02:00 · 2025-08-28 10:57:10 +02:00 · 2025-08-28 10:57:10 +02:00 · 2025-08-19 13:34:18 +02:00 · 2025-07-22 11:46:10 +02:00
10 changed files with 158 additions and 52 deletions
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@@ -31,7 +31,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@@ -31,7 +31,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -16,7 +16,7 @@ jobs:
        os: [ ubuntu-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action without args
@@ -35,36 +35,38 @@ jobs:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        with:
-          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
+          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert
        run: |
          ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
-          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
+          ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
+          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
  argsInputInjectionTest:
    name: >
      'args' input with command injection will fail
    strategy:
      matrix:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        continue-on-error: true
        with:
-          args: -Dsonar.someArg=aValue && echo "Injection"
+          args: ${{ matrix.args }}
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
@@ -74,6 +76,91 @@ jobs:
      - name: Assert the scanner was not called
        run: |
          ./test/assertFileDoesntExist ./output.properties
+  backtickCommandInjectionTest:
+    name: >
+      'args' input with backticks injection does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: >
+            -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5="   `whoami`   " -Dsonar.arg6="test\`echo injection\`test"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
+          ./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
+          ./test/assertFileContains ./output.properties 'sonar.arg5="   `whoami`   "'
+          ./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
+  dollarSymbolCommandInjectionTest:
+    name: >
+      'args' input with dollar command injection does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
+          ./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
+          ./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
+          ./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
+  otherCommandInjectionVariantsTest:
+    name: >
+      'args' input with other command injection variants does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
+          ./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
+          ./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
+          ./test/assertFileContains ./output.properties 'sonar.arg6=""'
+          ./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
+          ./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
+          ./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
  projectBaseDirInputTest:
    name: >
      'projectBaseDir' input
@@ -82,7 +169,7 @@ jobs:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: mkdir -p ./baseDir
@@ -102,7 +189,7 @@ jobs:
      'scannerVersion' input
    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerVersion
@@ -122,7 +209,7 @@ jobs:
      'scannerBinariesUrl' input with invalid URL
    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerBinariesUrl
@@ -150,7 +237,7 @@ jobs:
      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerBinariesUrl
@@ -171,7 +258,7 @@ jobs:
      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@@ -200,7 +287,7 @@ jobs:
      Don't fail on Gradle project
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Gradle project
@@ -221,7 +308,7 @@ jobs:
      Don't fail on Kotlin Gradle project
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Kotlin Gradle project
@@ -242,7 +329,7 @@ jobs:
      Don't fail on Maven project
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Maven project
@@ -275,7 +362,7 @@ jobs:
          --health-timeout 5s
          --health-retries 10
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on sample project
@@ -297,7 +384,7 @@ jobs:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with debug mode
@@ -328,7 +415,7 @@ jobs:
          --health-timeout 5s
          --health-retries 10
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: SonarQube Cache
@@ -356,7 +443,7 @@ jobs:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with SONARCLOUD_URL
@@ -374,7 +461,7 @@ jobs:
    name: Don't fail when missing wget but curl available
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@@ -400,7 +487,7 @@ jobs:
    name: Don't fail when missing curl but wget available
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove curl
@@ -427,7 +514,7 @@ jobs:
    name: Fail when both wget and curl are missing
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget and curl
@@ -460,7 +547,7 @@ jobs:
      curl performs redirect when scannerBinariesUrl returns 3xx
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@@ -495,7 +582,7 @@ jobs:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with SSL certificate
@@ -546,7 +633,7 @@ jobs:
      Analysis takes into account 'SONAR_ROOT_CERT'
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate server certificate
@@ -654,7 +741,7 @@ jobs:
      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@@ -688,7 +775,7 @@ jobs:
      truststore.p12 is updated when present
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@@ -817,7 +904,7 @@ jobs:
      'scannerVersion' input validation
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with invalid scannerVersion
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@@ -12,7 +12,7 @@ jobs:
    name: create_install_path.sh
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

@@ -123,7 +123,7 @@ jobs:
      SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
      SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

@@ -252,7 +252,7 @@ jobs:
    name: download.sh
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

@@ -321,7 +321,7 @@ jobs:
    name: fetch_latest_version.sh
    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Test script
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Parse semver
        uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -10,14 +10,12 @@ jobs:
    runs-on: ubuntu-latest-large
    outputs:
      should_update: ${{ steps.version-check.outputs.should_update }}
-      latest_version: ${{ steps.latest-version.outputs.latest }}
+      new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
    steps:
      - run: sudo apt install -y jq
-      - run: sudo snap install yq
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          ref: master
-          persist-credentials: true
          fetch-depth: 0

      - name: "Fetch currently used sonar-scanner version"
@@ -30,13 +28,13 @@ jobs:
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
-          echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
+          cat sonar-scanner-version >> $GITHUB_OUTPUT

      - name: "Determine if update is needed"
        id: version-check
        shell: bash
        run: |
-          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
+          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
            echo "should_update=true" >> $GITHUB_OUTPUT
          else
            echo "should_update=false" >> $GITHUB_OUTPUT
@@ -51,17 +49,24 @@ jobs:
      pull-requests: write
    if: needs.check-version.outputs.should_update == 'true'
    steps:
+      - uses: actions/checkout@v5
+        with:
+          ref: master
+          persist-credentials: true
+          fetch-depth: 0
+      - run: sudo snap install yq
      - name: "Update default version"
        shell: bash
        env:
-          NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
+          NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
        run: |
-           yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
+          yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
+          ./scripts/fetch_latest_version.sh > sonar-scanner-version
      - name: "Create Pull Request for version update"
        shell: bash
        env:
-          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
-          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
+          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
+          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "SonarTech"
@@ -74,5 +79,5 @@ jobs:
          gh pr list

          if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
-            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
+            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
          fi
--- a/action.yml
+++ b/action.yml
@@ -33,7 +33,7 @@ runs:
        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
-      uses: actions/cache@v4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
      env:
        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
@@ -51,11 +51,9 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      run: |
-        args=(${{ inputs.args }})
-        cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
-        "${cmd[@]}"
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
      shell: bash
      env:
+        INPUT_ARGS: ${{ inputs.args }}
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
        SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre
--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -28,7 +28,7 @@ parse_arguments() {
 }

 verify_download_correctness() {
-  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
  check_status "Checking sha256 failed"
 }

--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -73,7 +73,17 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi

-scanner_args+=("$@")
+# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
+args=()
+if [[ -n "${INPUT_ARGS}" ]]; then
+#  the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
+#  more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
+  IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
+fi
+
+for arg in "${args[@]}"; do
+  scanner_args+=("$arg")
+done

 set -ux

--- a/scripts/run-sonar-scanner.sh
+++ b/scripts/run-sonar-scanner.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# run the sonar scanner cli
+cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
+"${cmd[@]}"
Author	SHA1	Message	Date
Daan Timmer	1a6d90ebcb	SQSCANGHA-102 Pin actions/cache to a full-length commit SHA (#199 )	2025-08-28 12:18:32 +02:00
Aleksandra Bozhinoska	016cabf33a	SQSCANGHA-101 Add more command injection tests	2025-08-28 10:57:10 +02:00
Aleksandra Bozhinoska	5fc8cfce6b	SQSCANGHA-101 Fix sha256 check in QA Deprecated C/C++ action	2025-08-28 10:57:10 +02:00
dependabot[bot]	786af10ed4	NO-JIRA Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2025-08-19 13:34:18 +02:00
Julien HENRY	01850e2590	SQSCANGHA-94 Fix the scanner-update workflow	2025-07-22 11:46:10 +02:00