From 897dd14067415e8f681b0f2d70e23217088d151f Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 28 Apr 2026 01:44:55 +0000 Subject: [PATCH] chore(security): reinstate SonarCloud as required gate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Board reversal 2026-04-28: make SonarCloud Code Analysis a required check on `main`, alongside the existing `build · vet · test` gate. - Branch protection: SonarCloud Code Analysis added to required_status_checks via GitHub API. - CLAUDE.md: removed SonarCloud from "do not re-introduce" list, documented the reinstatement and that it runs as the SonarCloud GitHub App (not a workflow in this repo). - security.yml: updated stack-replacement comment to reflect Sonar is back externally even though it's not a job in this workflow. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/security.yml | 5 ++++- CLAUDE.md | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index b9ca0bd..6547cd0 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,6 +1,9 @@ name: Security (OSS-CLI) # OSS-CLI security stack per RAN-53 AC #5 (mirrors codeiq RAN-46 path B). -# Replaces Sonar + CodeQL + OWASP Dependency-Check. +# Replaces CodeQL + OWASP Dependency-Check. SonarCloud was originally +# replaced too but was reinstated as a required external gate on +# 2026-04-28 (board reversal); it runs via the SonarCloud GitHub App, +# not as a job in this workflow. # # Six independent jobs — fail-fast off so all signals surface on a single run. # All actions SHA-pinned per Scorecard `Pinned-Dependencies`. Top-level diff --git a/CLAUDE.md b/CLAUDE.md index 958c0d3..04658c9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -239,7 +239,7 @@ Failure-mode gauges (prefix `OtelContext_`): ## Security & Supply Chain -OtelContext targets the OpenSSF Best Practices `passing` badge (project [12646](https://www.bestpractices.dev/en/projects/12646)) and ships a six-job OSS-CLI security stack — no Sonar, no CodeQL, no NVD-direct tooling. Cost: $0. +OtelContext targets the OpenSSF Best Practices `passing` badge (project [12646](https://www.bestpractices.dev/en/projects/12646)) and ships a six-job OSS-CLI security stack, supplemented by **SonarCloud SAST as a required gate** (board reversal 2026-04-28). No CodeQL, no NVD-direct tooling. Cost: $0 for the OSS-CLI tier; SonarCloud is free for public repos. ### OSS-CLI security stack (`.github/workflows/security.yml`) @@ -255,7 +255,9 @@ OtelContext targets the OpenSSF Best Practices `passing` badge (project [12646]( All actions are SHA-pinned per Scorecard `Pinned-Dependencies`. Top-level `permissions: read-all`; jobs scope up only when needed (gitleaks needs full history; sbom uploads). -**Not used (do not re-introduce without an explicit board reversal):** SonarCloud / SonarQube, CodeQL (GHAS-paid for non-public repos), OWASP Dependency-Check (or any NVD-direct tool — NVD has analysis-backlog and rate-limit reliability problems). +**Required external gate:** SonarCloud Code Analysis. Runs as the SonarCloud GitHub App (no in-repo workflow); listed in `main` branch protection's `required_status_checks` since 2026-04-28. Reinstated by board reversal — earlier docs that said "do not re-introduce" are superseded. + +**Not used (do not re-introduce without an explicit board reversal):** CodeQL (GHAS-paid for non-public repos), OWASP Dependency-Check (or any NVD-direct tool — NVD has analysis-backlog and rate-limit reliability problems). ### OpenSSF Scorecard (`.github/workflows/scorecard.yml`)
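Review bot: the new header comment in `.github/workflows/security.yml` says SonarCloud is a required external gate but does not name the status-check context that branch protection expects, so a reader of this file cannot tell which check name the GitHub App must report; add it, e.g. `# Required status check (branch protection, not this workflow): "SonarCloud Code Analysis"`, so a rename on the Sonar side is noticed here rather than as silently blocked merges.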
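Review bot: in the CLAUDE.md "Security & Supply Chain" paragraph, "Cost: $0 for the OSS-CLI tier; SonarCloud is free for public repos" holds only while the repository stays public, but the sentence does not say the repo is public or what changes if visibility changes; state that condition explicitly (the later "Not used" line already does this for CodeQL with "GHAS-paid for non-public repos"), otherwise the cost claim goes stale without anyone noticing.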
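Review bot: the "Required external gate" paragraph documents a control that lives only in branch-protection settings changed via the GitHub API, so nothing in the repo records or verifies it and drift (the check dropped from `required_status_checks`, or its name changing) is silent; add the verification step (GET `repos/{owner}/{repo}/branches/main/protection`, e.g. with `gh api`, and confirm "SonarCloud Code Analysis" is present) and say what happens when the App does not report at all, since a required external check that never completes blocks every merge, so the admin-bypass or fallback policy should be written down next to it.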