
fixed sonarcloud.yaml #101

Merged
andrei-tyk merged 1 commit into main from TT-16809-fix-for-sonarcloud-exclude
Mar 26, 2026

Conversation

@andrei-tyk
Contributor

Fixed sonarcloud to be able to get exclusions from the projects they are triggered from

@probelabs

probelabs bot commented Mar 26, 2026

This PR fixes a bug in the sonarcloud.yaml reusable GitHub Actions workflow by correcting the syntax for accessing workflow inputs.

Files Changed Analysis

  • .github/workflows/sonarcloud.yaml: A single line was modified to change ${{ github.event.inputs.exclusions }} to ${{ inputs.exclusions }}. This is a simple but critical fix for how the workflow receives parameters.

Architecture & Impact Assessment

  • What this PR accomplishes: It restores the intended functionality of the exclusions input, allowing other workflows that call this reusable workflow to correctly specify files and directories to be ignored by SonarCloud scans.
  • Key technical changes: The change corrects the expression for accessing inputs in a reusable workflow (workflow_call). The previous syntax (github.event.inputs) is used for manually triggered workflows (workflow_dispatch), while the new syntax (inputs) is correct for reusable ones.
  • Affected system components: This change affects the CI/CD pipeline, specifically the SonarCloud integration. Any repository utilizing this shared workflow will now have its scan exclusions processed correctly, leading to more accurate code quality and security reports.

Scope Discovery & Context Expansion

The change is confined to the GitHub Actions workflow definition. The investigation confirmed this is a reusable workflow intended to be called by other repositories' CI pipelines. The fix ensures that the contract (inputs) defined by this reusable workflow is correctly implemented, preventing unintended files from being scanned by SonarCloud across all consumer projects.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-03-26T14:17:37.538Z | Triggered by: pr_opened | Commit: dbc054d


@probelabs

probelabs bot commented Mar 26, 2026

Security Issues (1)

Severity: 🔴 Critical
Location: .github/workflows/sonarcloud.yaml:37
Issue: The workflow input `inputs.exclusions` is directly substituted into the `args` for the SonarCloud action. The SonarSource action executes these arguments in a shell context without proper quoting, which can allow an attacker to inject arbitrary shell commands. If this reusable workflow is triggered by a pull request from a fork, a malicious actor could provide a crafted `exclusions` value to execute code on the runner, potentially leading to secret exfiltration (e.g., GITHUB_TOKEN, SONAR_TOKEN).
💡 Suggestion: Add a step before the 'SonarCloud Scan' step to validate and sanitize the `inputs.exclusions`. The validation should ensure that the input only contains characters that are safe for file paths and patterns, and disallow shell metacharacters like ';', '$', '(', ')', '`', '|', '&'.

Example validation step:

      - name: Validate exclusions input
        env:
          # Pass the input through an environment variable: interpolating
          # ${{ inputs.exclusions }} directly into `run:` would itself allow
          # the shell injection this step is meant to prevent.
          EXCLUSIONS: ${{ inputs.exclusions }}
        run: |
          if [[ "$EXCLUSIONS" =~ [^a-zA-Z0-9,.*/_-] ]]; then
            echo "Error: Invalid characters found in 'exclusions' input."
            exit 1
          fi

This step should be placed before the 'SonarCloud Scan' step.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.


Last updated: 2026-03-26T14:17:35.968Z | Triggered by: pr_opened | Commit: dbc054d

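The allowlist check the bot suggests, as an added example that is not code from the PR or from Visor, written as a stand-alone bash function: it reads the value from a variable rather than interpolating the workflow expression, splits the comma-separated list, and rejects any item that falls outside a path/glob allowlist. The `validate_exclusions` name and the sample values are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the PR or Visor): allowlist check for the reusable
# workflow's `exclusions` input. In the workflow the value reaches the script
# via `env: EXCLUSIONS: ${{ inputs.exclusions }}` and is read as "$EXCLUSIONS";
# interpolating the expression into `run:` substitutes the raw value before the
# shell parses the line, which is the injection the review comment describes.

# validate_exclusions VALUE
# Returns 0 when VALUE is empty or a comma-separated list of plain path globs
# (letters, digits, '.', '/', '_', '-', '*'); returns 1 when any item is empty
# or contains anything else (space, ';', '$', '`', '|', '&', quotes, ...).
validate_exclusions() {
  local rest="$1" item
  [ -n "$rest" ] || return 0
  while :; do
    item="${rest%%,*}"
    case "$item" in
      '') return 1 ;;                    # empty item: leading, trailing or doubled comma
      *[!A-Za-z0-9./_*-]*) return 1 ;;   # a character outside the path/glob allowlist
    esac
    [ "$rest" = "$item" ] && return 0    # that was the last item
    rest="${rest#*,}"
  done
}

# Stand-alone demo over constructed values; the last two mimic an extra -D
# argument and a command smuggled in through the value handed to sonar `args`.
for value in "**/vendor/**,src/generated/*.go" "" \
             "**/vendor/** -Dsonar.host.url=http://example.invalid" \
             'src/*.go;id'; do
  if validate_exclusions "$value"; then
    printf 'accepted: %s\n' "$value"
  else
    printf 'rejected: %s\n' "$value"
  fi
done
```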

@andrei-tyk andrei-tyk merged commit 92b66e7 into main Mar 26, 2026
7 of 8 checks passed