Ignore Sonar tag-plus-digest Docker warnings #27220
ref #27144 SonarCloud is blocking Renovate's pin-dependencies PRs on rule docker:S8431, which warns when Docker image references include both a tag and a digest. Renovate intentionally uses tag@digest for Docker pinning so the image stays human-readable while still being immutable. Suppress that rule for Dockerfiles so Renovate's pinned image format no longer blocks dependency PRs.
No actionable comments were generated in the recent review.
Files selected for processing (1): sonar-project.properties
Pre-merge checks: 3 passed.
Nitpick comments (1)
sonar-project.properties (1)
1-3: Consider adding a documentation comment. To help future maintainers understand why this rule is suppressed, consider adding a comment above the configuration explaining the rationale (Renovate's intentional use of the tag@digest format for security).
Suggested documentation comment:
+# Suppress docker:S8431 (tag+digest warning) for Renovate's pin-dependencies PRs.
+# Renovate intentionally uses tag@digest format (e.g., node:14@sha256:...) to
+# provide both human-readable tags and immutable digest references.
sonar.issue.ignore.multicriteria=e1
sonar.issue.ignore.multicriteria.e1.ruleKey=docker:S8431
sonar.issue.ignore.multicriteria.e1.resourceKey=**/Dockerfile*
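Review bot: the reach of this suppression is fixed by `sonar.issue.ignore.multicriteria.e1.resourceKey=**/Dockerfile*`, which only matches files whose name starts with `Dockerfile`; a Dockerfile named any other way (for example `build.Dockerfile`) would still be reported under docker:S8431, so the suggested comment should also state that scope, or the pattern should be widened if such files exist in the repo.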
ref #27220 CodeRabbit asked for a comment explaining why this Sonar ignore exists. Add a block comment describing the Renovate/SonarCloud conflict and why we are suppressing docker:S8431 at the repo level rather than stripping tags from pinned image refs.
Updated comments to clarify the purpose of ignoring SonarCloud warnings for Docker image tags.
Preferring Renovate's default behaviour and squashing the maintainability warning from Sonar, as having Renovate able to maintain these updates for us without noise is better/more maintainable for us in the long run.
Summary
docker:S8431 tag@sha256:digest
Why this change
SonarCloud is currently blocking Renovate's pin-dependencies PRs on rule docker:S8431 (Use either the version tag or the digest for the image instead of both). Renovate intentionally preserves the human-readable tag while pinning the immutable digest for Docker updates, so this warning is a tooling disagreement rather than a real problem for Ghost. This change takes the repo-side suppression approach so Renovate's default Docker pinning format can continue to work without repeatedly blocking dependency PRs.
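The tag@digest form this PR defends, and the condition docker:S8431 objects to, as an added Python example that is not part of this PR, Renovate or SonarCloud: it parses each FROM reference in a Dockerfile, distinguishes a registry port from a tag, and reports a reference as mutable only when it has no digest, so Renovate's tag@digest pins pass. It goes a little beyond the PR text by also skipping build-stage aliases, `scratch` and unresolved build-args; the sample Dockerfile and its digests are constructed placeholders.

```python
import re
# Simplified image-reference grammar: [registry[:port]/]name[:tag][@algo:hex]
_DIGEST_RE = re.compile(r"^[a-z0-9]+:[0-9a-f]{32,}$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_image_ref(ref):
    """Return (name, tag, digest); tag and digest are None when absent."""
    rest, digest = ref, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    tag, colon = None, rest.rfind(":")
    if colon > rest.rfind("/"):  # ':' after the last '/' is a tag, not a registry port
        rest, tag = rest[:colon], rest[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")
    return rest, tag, digest

def classify(ref):
    """'tag+digest' is Renovate's pinned form (what docker:S8431 flags); no digest means mutable."""
    _, tag, digest = parse_image_ref(ref)
    if digest:
        return "tag+digest" if tag else "digest-only"
    return "tag-only" if tag else "untagged"

def audit_dockerfile(text):
    """Return [(line_no, ref, kind, pinned)] for each FROM that names a real image."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages | {"scratch"} or ref.startswith("$"):
            continue  # earlier build stage, empty base, or unresolved build-arg
        kind = classify(ref)
        findings.append((n, ref, kind, kind in ("tag+digest", "digest-only")))
    return findings

# Constructed sample Dockerfile; the digests are placeholder values, not real ones.
SAMPLE_DOCKERFILE = """\
FROM node:14@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM --platform=linux/amd64 ghcr.io/example/base:1.2.3
FROM localhost:5000/internal/tool@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
FROM build
"""
```

Running `audit_dockerfile(SAMPLE_DOCKERFILE)` flags only line 2 as unpinned; the tag+digest line that Sonar would report is accepted because its digest still makes it immutable.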