BUG Sonarcloud not detected consistently #4237
Comments
Currently, Scorecard only awards points for SAST run on a PR before merge, not after merge.
At one time you could pass Here is what Scorecard currently sees for HEAD, looking back 30 commits at the PRs they came from.
Thank you for the information @spencerschrock, I will try to locate what changed in our SonarCloud config that PRs are not analysed anymore. Could the information on how to find unanalyzed PRs be added to the doc section about SAST? I found that very helpful.
I have followed up on this and there was an issue with our SAST config/provider runs - the detections of scorecard were correct. Sorry for the effort required to triage this.
No worries, I've made a note to make it easier to debug and document in a SAST/Code-Review troubleshooting steps |
Describe the bug
We have SonarCloud enabled on the repo for a long time now and got a full SAST score accordingly. Now the score is very low but we did not change anything in the settings.
Reproduction steps
Steps to reproduce the behavior:
Expected behavior
A full score as SonarCloud runs on every commit to master. Maybe also a better indication of which commits the tooling is missing / is detected to be missing.
Additional context
Latest scorecard run is here: https://github.com/inventree/InvenTree/actions/runs/9902504293/job/27356513547
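One way to list which merged PRs behind the last 30 commits have no completed SonarCloud check run, the situation described in the first comment. This is an added example, not Scorecard's code and not part of the thread; the app slugs, the "completed" test and all function names are assumptions, and the sample history is constructed.

```python
import json
import urllib.request
# Assumption: GitHub App slugs counted as SAST tools; adjust to your provider.
SAST_APP_SLUGS = {"sonarcloud", "github-code-scanning"}

def gh_get(path, token=None):
    """GET a GitHub REST API path and return the decoded JSON."""
    req = urllib.request.Request("https://api.github.com" + path,
                                 headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_history(repo, token=None, depth=30):
    """For the last `depth` commits, list source PRs and their head check runs."""
    history = []
    for commit in gh_get(f"/repos/{repo}/commits?per_page={depth}", token):
        prs = gh_get(f"/repos/{repo}/commits/{commit['sha']}/pulls", token)
        for pr in prs:
            head = pr["head"]["sha"]  # checks are recorded on the PR head commit
            pr["check_runs"] = gh_get(
                f"/repos/{repo}/commits/{head}/check-runs?per_page=100", token)["check_runs"]
        history.append({"sha": commit["sha"], "prs": prs})
    return history

def split_by_sast(history, slugs=SAST_APP_SLUGS):
    """Return (analyzed, missing) merged PR numbers; commits without a PR are skipped."""
    analyzed, missing, seen = [], [], set()
    for entry in history:
        for pr in entry["prs"]:
            if not pr.get("merged_at") or pr["number"] in seen:
                continue
            seen.add(pr["number"])
            ok = any(r["status"] == "completed" and r["app"]["slug"] in slugs
                     for r in pr["check_runs"])
            (analyzed if ok else missing).append(pr["number"])
    return analyzed, missing

def sample_pr(number, *runs):  # builds one constructed PR record
    return {"number": number, "merged_at": "2024-07-01T00:00:00Z",
            "check_runs": [{"status": s, "app": {"slug": a}} for s, a in runs]}

# Constructed sample, not real data: 101 appears twice (rebase merge), d1 is a direct push.
SAMPLE = [
    {"sha": "a1", "prs": [sample_pr(101, ("completed", "sonarcloud"))]},
    {"sha": "a2", "prs": [sample_pr(101, ("completed", "sonarcloud"))]},
    {"sha": "b1", "prs": [sample_pr(102, ("completed", "github-actions"))]},
    {"sha": "c1", "prs": [sample_pr(103, ("in_progress", "sonarcloud"))]},
    {"sha": "d1", "prs": []},
]
```

Against a live repository, `split_by_sast(fetch_history("owner/repo", token))` returns the same two lists; the second one holds the PRs to investigate on the SAST provider side.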