
BUG Sonarcloud not detected consistently #4237

Closed
matmair opened this issue Jul 12, 2024 · 4 comments
Labels
check/SAST kind/bug Something isn't working

Comments

matmair commented Jul 12, 2024

Describe the bug
We have had SonarCloud enabled on the repo for a long time now and got a full SAST score accordingly. Now the score is very low, but we did not change anything in the settings.

Reproduction steps
Steps to reproduce the behavior:

  1. Enable SonarCloud
  2. Wait a few months
  3. Get full score
  4. Wait more?
  5. Get low score

Expected behavior
A full score as SonarCloud runs on every commit to master. Maybe also a better indication of which commits the tooling is missing / is detected to be missing.

Additional context
Latest scorecard run is here: https://github.com/inventree/InvenTree/actions/runs/9902504293/job/27356513547

@matmair matmair added the kind/bug Something isn't working label Jul 12, 2024
spencerschrock (Member) commented

> A full score as SonarCloud runs on every commit to master

Currently, Scorecard only awards points for SAST run on a PR before merge, not after merge.

> Maybe also a better indication of which commits the tooling is missing / is detected to be missing.

At one time you could pass --show-details and --verbosity debug to see this, but I believe this was lost in the transition.

Here is what Scorecard currently sees for HEAD, looking back 30 commits at the PRs they came from.

PR:  7640  checked:  false
PR:  6772  checked:  false
PR:  7585  checked:  false
PR:  7630  checked:  false
PR:  7629  checked:  false
PR:  7626  checked:  false
PR:  7625  checked:  false
PR:  7620  checked:  false
PR:  7611  checked:  false
PR:  7614  checked:  false
PR:  7617  checked:  false
PR:  7619  checked:  false
PR:  7618  checked:  false
PR:  7616  checked:  false
PR:  7610  checked:  false
PR:  7609  checked:  false
PR:  7598  checked:  false
PR:  7596  checked:  true
PR:  7601  checked:  false
PR:  7599  checked:  false
PR:  7540  checked:  true
PR:  7595  checked:  false
PR:  7591  checked:  false
PR:  7590  checked:  true
PR:  7581  checked:  false
PR:  7584  checked:  false
PR:  7587  checked:  false
PR:  7588  checked:  true
PR:  7589  checked:  false
PR:  7586  checked:  false
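
The per-PR lookup described in this comment, written out as an added example that is not part of the thread and not Scorecard's own code. It assumes that each of the last 30 commits maps to the pull request it was merged from, that a PR counts as checked when at least one check run with a recognised SAST tool name (the `SAST_CHECK_NAMES` set here is an assumption) was reported on it, and it uses a stand-in proportional score rather than Scorecard's real formula. The commit SHAs are constructed; the PR numbers and which four were checked are taken from the listing above.

```python
"""Replay the per-PR SAST lookup described in the comment above.

Added example; not Scorecard's code. Assumptions: check-run names that count
as SAST tools (SAST_CHECK_NAMES), and a stand-in score formula.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Check-run names treated as SAST tools. This set is an assumption for the
# example; Scorecard keeps its own list of recognised tools.
SAST_CHECK_NAMES = {"SonarCloud", "CodeQL"}


@dataclass
class Commit:
    sha: str                      # constructed placeholder SHA
    pr_number: int                # PR the commit was merged from
    check_runs: set[str] = field(default_factory=set)  # check-run names on the PR


def sast_checked(commit: Commit) -> bool:
    """True when at least one recognised SAST tool ran on the commit's PR."""
    return bool(commit.check_runs & SAST_CHECK_NAMES)


def inspect_window(commits: list[Commit], window: int = 30) -> list[tuple[int, bool]]:
    """(pr_number, checked) for the most recent `window` commits, newest first,
    in the same shape as the debug listing in the comment."""
    return [(c.pr_number, sast_checked(c)) for c in commits[:window]]


def sast_score(results: list[tuple[int, bool]]) -> int:
    """Stand-in score: 10 * fraction of entries that were checked, rounded down.
    Scorecard's actual SAST scoring is not reproduced here."""
    if not results:
        return 0
    checked = sum(1 for _, ok in results if ok)
    return (10 * checked) // len(results)


def unchecked_prs(results: list[tuple[int, bool]]) -> list[int]:
    """PR numbers in the window that had no recognised SAST check run:
    the list a maintainer would go and inspect in the SAST provider."""
    return [pr for pr, ok in results if not ok]


def render(results: list[tuple[int, bool]]) -> list[str]:
    """Format results like the `PR:  NNNN  checked:  true/false` lines above."""
    return [f"PR:  {pr}  checked:  {str(ok).lower()}" for pr, ok in results]


# Constructed sample: the 30 PR numbers from the listing above; only four of
# them carried a SonarCloud check run. The short SHAs are fabricated.
_CHECKED = {7596, 7540, 7590, 7588}
_PR_NUMBERS = [7640, 6772, 7585, 7630, 7629, 7626, 7625, 7620, 7611, 7614,
               7617, 7619, 7618, 7616, 7610, 7609, 7598, 7596, 7601, 7599,
               7540, 7595, 7591, 7590, 7581, 7584, 7587, 7588, 7589, 7586]
SAMPLE_COMMITS = [
    Commit(sha=f"c{i:03d}", pr_number=n,
           check_runs={"SonarCloud", "CI"} if n in _CHECKED else {"CI"})
    for i, n in enumerate(_PR_NUMBERS)
]

if __name__ == "__main__":
    results = inspect_window(SAMPLE_COMMITS)
    print("\n".join(render(results)))
    print("stand-in score:", sast_score(results))
    print("PRs to inspect in the SAST provider:", unchecked_prs(results))
```

Running it on the sample reproduces the listing: 4 of 30 entries are checked, so the stand-in score is 1, and `unchecked_prs` gives the 26 PR numbers to look up in the provider, which is the kind of output the thread asks to have exposed again via `--show-details`.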


matmair commented Jul 13, 2024

Thank you for the information @spencerschrock, I will try to locate what changed in our SonarCloud config so that PRs are not analysed anymore. Could the information on how to find unanalysed PRs be added to the doc section about SAST? I found that very helpful.


matmair commented Jul 17, 2024

I have followed up on this and there was an issue with our SAST config/provider runs - the detections of Scorecard were correct. Sorry for the effort required to triage this.

@matmair matmair closed this as completed Jul 17, 2024
spencerschrock (Member) commented

> I have followed up on this and there was an issue with our SAST config/provider runs - the detections of Scorecard were correct. Sorry for the effort required to triage this.

No worries, I've made a note to make it easier to debug and to document it in SAST/Code-Review troubleshooting steps.
