LCS-867 Review sonarqube vulnerabilities in github pipelines part2 #461
Pull request overview
This PR is a second pass at addressing SonarQube findings by reducing secret exposure in reusable GitHub Actions workflows, refactoring a composite action’s environment handling, and re-enabling a previously broken “500 error” alert in Terraform.
Changes:
- Replaced `secrets: inherit` with explicit secret mappings / declared required secrets for reusable workflows.
- Re-enabled and updated the scheduled query alert Terraform resource for error detection.
- Refactored the CLOC report composite action to pass values via `env:` instead of inline exports.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infrastructure/modules/container-apps/alerts.tf | Re-enabled the scheduled query alert resource and updated scopes/query. |
| .github/workflows/stage-5-deploy.yaml | Declared required Azure secrets for the reusable deploy workflow. |
| .github/workflows/stage-2-test.yaml | Declared required SONAR_TOKEN secret for the reusable test workflow. |
| .github/workflows/stage-1-commit.yaml | Declared required AWS report-upload secrets for the reusable commit workflow. |
| .github/workflows/cicd-2-main-branch.yaml | Replaced inherited secrets with explicit secret mapping (currently mismatched for commit stage). |
| .github/workflows/cicd-1-pull-request.yaml | Replaced inherited secrets with explicit secret mapping. |
| .github/actions/create-lines-of-code-report/action.yaml | Refactored env handling and adjusted S3 upload destination construction. |
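The `secrets: inherit` replacement the review summarises, shown as an added illustration (not the PR's own workflow files): the caller `cicd-1-pull-request.yaml` before and after, and the reusable `stage-2-test.yaml` declaring `SONAR_TOKEN` under `workflow_call`. The job names, the checkout step and the scanner script are assumptions; only the file names and the secret name come from the PR.

```yaml
# --- caller: .github/workflows/cicd-1-pull-request.yaml (BEFORE) ---
# `secrets: inherit` forwards every repository/organisation secret to the
# reusable workflow, including ones the test stage never needs. Any step
# or third-party action in the callee can then read them.
jobs:
  test:                      # assumed job name
    uses: ./.github/workflows/stage-2-test.yaml
    secrets: inherit
---
# --- caller: .github/workflows/cicd-1-pull-request.yaml (AFTER) ---
# Only the secret the callee declares is passed; nothing else crosses
# the boundary, which is what reviewers can audit in one place.
jobs:
  test:
    uses: ./.github/workflows/stage-2-test.yaml
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
---
# --- callee: .github/workflows/stage-2-test.yaml (AFTER) ---
# Declaring the secret under `workflow_call` makes the contract explicit:
# a caller that omits a required secret fails workflow validation instead
# of running with an empty value.
on:
  workflow_call:
    secrets:
      SONAR_TOKEN:
        description: Token the SonarQube scanner authenticates with
        required: true
jobs:
  sonar:                     # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run SonarQube scan
        # Pass the value through `env:` rather than an inline
        # `export SONAR_TOKEN=...` in the script, matching the pattern the
        # PR applies to the CLOC composite action; the shell line never
        # contains the secret, so it cannot end up in the step log.
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./scripts/sonar-scan.sh   # assumed script path
```

With explicit mappings, a secret that is needed but not mapped surfaces as a validation error at the call site, which is also the mismatch the review flags for the commit stage in `cicd-2-main-branch.yaml`.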
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Alastair Lock <alastair.lock@gmail.com>
What is the change?
This PR implements several improvements based on SonarQube recommendations, including security fixes, code reliability enhancements, and general refactoring for better reusability.
Although the original scope was focused on security, it made sense to address related quality improvements at the same time.
Please note that this will not resolve all the issues; it's more a second pass at fixing them. More PRs will follow.
I have also included the 500 error alert in this PR as it was previously broken.
Why are we making this change?
To ensure the repository can remain public while adhering to SonarQube best practices, particularly around security, maintainability, and code quality.