Skip to content

CI: generate Syft SBOM and import into Sonar SCA #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sylvain-combe-sonarsource wants to merge 9 commits into
base: 4.x
Choose a base branch
from

CI: auto-discover 3rdparty component versions

a644b09
Select commit
Loading
Failed to load commit list.
Open

CI: generate Syft SBOM and import into Sonar SCA #2

CI: auto-discover 3rdparty component versions
a644b09
Select commit
Loading
Failed to load commit list.
Sonar-Nautilus / SonarQube Code Analysis failed Jan 6, 2026 in 2h 28m 5s

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube

Annotations

Check warning on line 20 in .github/workflows/sonar.yaml

See this annotation in the file changed.

@sonar-nautilus sonar-nautilus / SonarQube Code Analysis

Use full commit SHA hash for this dependency. 

[S7637] Using external GitHub actions and workflows without a commit reference is security-sensitive
 See more on https://nautilus.sonarqube.org/project/issues?id=SonarSource-Demos_opencv&pullRequest=2&issues=2ba0e298-a136-43c7-b753-fdcc16bae6e0&open=2ba0e298-a136-43c7-b753-fdcc16bae6e0

Check warning on line 45 in .github/workflows/sonar.yaml

See this annotation in the file changed.

@sonar-nautilus sonar-nautilus / SonarQube Code Analysis

Use full commit SHA hash for this dependency. 

[S7637] Using external GitHub actions and workflows without a commit reference is security-sensitive
 See more on https://nautilus.sonarqube.org/project/issues?id=SonarSource-Demos_opencv&pullRequest=2&issues=401ccf95-f1dc-4e5b-9bef-35eb0ef14a3c&open=401ccf95-f1dc-4e5b-9bef-35eb0ef14a3c
View more details on Sonar-Nautilus