Skip to content

fix(ci): resolve SonarQube security issues in workflows and Dockerfile#625

Open
olivermeyer wants to merge 2 commits intomainfrom
fix/sonarqube
Open

fix(ci): resolve SonarQube security issues in workflows and Dockerfile#625
olivermeyer wants to merge 2 commits intomainfrom
fix/sonarqube

Conversation

@olivermeyer
Copy link
Copy Markdown
Collaborator

@olivermeyer olivermeyer commented May 5, 2026
edited
Loading

Why?
SonarQube flagged two Medium/Major security issues across CI workflows and the Dockerfile: uv sync without --no-build (allowing potential build-script execution from source distributions) and uv run without --frozen (potentially allowing silent environment updates before running a command).

How?
Dockerfile stages that use --no-install-project install only external dependencies, so --no-build can safely enforce wheel-only installs there. The remaining uv sync issues (workflow files and Dockerfile stages that install aignostics itself) are marked as accepted in SonarQube — aignostics must be built from source as no pre-built binary distribution exists. All uv run calls in workflow files gain --frozen, making the lockfile invariant explicit at every invocation.

@olivermeyer @claude
fix(docker): add --no-build to uv sync --no-install-project stages
2558bdf 
External-deps-only stages (--no-install-project) can safely enforce
wheel-only installs. Stages that install the local project annotated
with NOSONAR since the local build is trusted source code and --frozen
already enforces lockfile hash verification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 5, 2026 09:31
@olivermeyer olivermeyer added the skip:test:long_running Skip long-running tests (≥5min) label May 5, 2026

This comment was marked as outdated.

Sign in to view

@olivermeyer @claude
fix(ci): add --frozen to uv run commands in CI workflows
12dd307 
Makes the lockfile invariant explicit on every uv run call that follows
uv sync --frozen, preventing any inadvertent environment update and
resolving the SonarQube "unlocked dependency" warnings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 5, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov
Copy link
Copy Markdown

codecov Bot commented May 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 21 files with indirect coverage changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@olivermeyer