
SQSCANGHA-149 Add scannerBinariesAuthHeader input#246

Merged
henryju merged 1 commit into
masterfrom
jh/SQSCANGHA-149_custom_binaries_auth
Jun 4, 2026

Conversation

henryju (Member) commented May 29, 2026

Organisations using private Artifactory mirrors require authentication to download the SonarScanner CLI. This adds an optional scannerBinariesAuthHeader input whose value is forwarded as the Authorization HTTP header to both the binary and GPG signature downloads via tc.downloadTool's built-in auth parameter. No new dependencies are introduced.

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

  • Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make
  • Make sure any code you changed is covered by tests
  • If there is a JIRA ticket available, please make your commits and pull request start with the ticket ID (SONAR-XXXX)

We will try to give you feedback on your contribution as quickly as possible.

Thank You!
The SonarSource Team

sonarqubecloud Bot commented May 29, 2026

Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

7 issue(s) found across 1 file(s):

| Rule | File | Line | Message |
|---|---|---|---|
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 52 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 53 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 100 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 101 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 146 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 147 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | src/main/__tests__/install-sonar-scanner.test.js | 181 | Make sure publicly writable directories are used safely here. |

Analyzed by SonarQube Agentic Analysis in 4.1 s

hashicorp-vault-sonar-prod Bot commented May 29, 2026

SQSCANGHA-149

@henryju henryju force-pushed the jh/SQSCANGHA-149_custom_binaries_auth branch from f55d92a to ecbf196 Compare June 1, 2026 08:18
henryju (Member, Author) commented Jun 2, 2026

FV:

```yaml
      - name: Run SonarQube analysis
        uses: SonarSource/sonarqube-scan-action@jh/SQSCANGHA-149_custom_binaries_auth
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=henryju
            -Dsonar.projectKey=henryju_sonar_scanner_npm
          scannerBinariesUrl: https://jhenry.ngrok.app
```

[screenshot]

```yaml
      - name: Run SonarQube analysis
        uses: SonarSource/sonarqube-scan-action@jh/SQSCANGHA-149_custom_binaries_auth
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=henryju
            -Dsonar.projectKey=henryju_sonar_scanner_npm
          scannerBinariesUrl: https://jhenry.ngrok.app
          scannerBinariesAuthHeader: "Basic dXNlcjpwYXNz" # Don't do that in prod, use a secret variable
```

[screenshot]

@henryju henryju force-pushed the jh/SQSCANGHA-149_custom_binaries_auth branch from ecbf196 to 8469add Compare June 2, 2026 17:18
…inary downloads

Organisations using private Artifactory mirrors require authentication to
download the SonarScanner CLI. This adds an optional scannerBinariesAuthHeader
input whose value is forwarded as the Authorization HTTP header to both the
binary and GPG signature downloads via tc.downloadTool's built-in auth
parameter. No new dependencies are introduced.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@henryju henryju force-pushed the jh/SQSCANGHA-149_custom_binaries_auth branch from 8469add to 2ff2ba6 Compare June 4, 2026 08:04
sonarqubecloud Bot commented Jun 4, 2026

Review comment:

Code and FV looking good to me!

@henryju henryju merged commit 375c3f5 into master Jun 4, 2026
75 checks passed
@henryju henryju deleted the jh/SQSCANGHA-149_custom_binaries_auth branch June 4, 2026 12:19
gitar-bot Bot commented Jun 4, 2026
Code Review ✅ Approved 2 resolved / 2 findings

Adds the scannerBinariesAuthHeader input to enable authenticated downloads of scanner binaries. The auth header is now masked using core.setSecret() to resolve potential security exposure.

✅ 2 resolved
Security: Auth header not masked with core.setSecret()

📄 src/main/index.js:36
The scannerBinariesAuthHeader input contains a sensitive credential (e.g. Bearer <token>) but is never registered with core.setSecret(). If any downstream code (including @actions/tool-cache internals in debug mode, or future logging) prints this value, it will appear in plain text in workflow logs.

GitHub Actions only auto-masks values retrieved via core.getInput() if they were defined as secrets at the workflow level, but the action itself should defensively mask the value to prevent accidental exposure regardless of how the user passes it.

Security: Auth header may leak to default public binaries server

📄 src/main/index.js:36-39
When scannerBinariesAuthHeader is provided but scannerBinariesUrl is left at its default (https://binaries.sonarsource.com/...), the authorization header will be sent to the public SonarSource server. This is likely a misconfiguration, but the action could guard against it by warning or skipping the auth header when the URL is the default.

Consider adding a warning in getInputs() or in installSonarScanner() when scannerBinariesAuthHeader is set but scannerBinariesUrl is still the default value.

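The two findings above (mask the credential with core.setSecret(), and do not forward it to the default public server) as an added example; this is not the action's own code. The default URL constant, the function names and the minimal `core` stand-in that mimics the @actions/core methods used are assumptions; the returned `auth` value is what would be passed as the third argument of tc.downloadTool(url, dest, auth).

```javascript
// Assumed placeholder for the action's default public download location.
const DEFAULT_BINARIES_URL = 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli';

// Stand-in for @actions/core that records what would be masked or warned,
// so the behaviour can be checked offline (assumption, not the real module).
function makeRecorderCore(inputs) {
  const log = { secrets: [], warnings: [] };
  return {
    log,
    getInput: (name) => (inputs[name] ?? '').trim(),
    setSecret: (value) => log.secrets.push(value),
    warning: (message) => log.warnings.push(message),
  };
}

// Resolve the download URL and the Authorization value to hand to
// tc.downloadTool(url, undefined, auth). Hypothetical helper name.
function resolveBinariesAuth(core) {
  const url = core.getInput('scannerBinariesUrl') || DEFAULT_BINARIES_URL;
  const header = core.getInput('scannerBinariesAuthHeader');
  if (!header) {
    return { url, auth: undefined };
  }
  // Finding 1: register the value as a secret before anything can log it,
  // regardless of whether the workflow passed it from a secret.
  core.setSecret(header);
  // Finding 2: a private credential must not be sent to the public default
  // server; warn and drop the header instead of forwarding it.
  if (url === DEFAULT_BINARIES_URL) {
    core.warning(
      'scannerBinariesAuthHeader is set but scannerBinariesUrl is the default ' +
        'public server; the header will not be sent. Set scannerBinariesUrl to your mirror.',
    );
    return { url, auth: undefined };
  }
  return { url, auth: header };
}
```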

luketainton pushed a commit to luketainton/repos_epage-go that referenced this pull request Jun 9, 2026
…(#12)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [SonarSource/sonarqube-scan-action](https://github.com/SonarSource/sonarqube-scan-action) | action | minor | `v8.1` → `v8.2` |

---

### Release Notes

<details>
<summary>SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)</summary>

### [`v8.2.0`](https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v8.2.0)

[Compare Source](SonarSource/sonarqube-scan-action@v8.2.0...v8.2.0)

#### What's Changed

- SQSCANGHA-149 Add scannerBinariesAuthHeader input by [@henryju](https://github.com/henryju) in [#246](SonarSource/sonarqube-scan-action#246)
- SQSCANGHA-88 Deprecate the SONARCLOUD_URL env variable support by [@henryju](https://github.com/henryju) in [#249](SonarSource/sonarqube-scan-action#249)
- SQSCANGHA-84 Remove outdated wget/curl references by [@henryju](https://github.com/henryju) in [#248](SonarSource/sonarqube-scan-action#248)
- SQSCANGHA-135 Fix scanner binaries always re-downloaded due to incompatible 4-part version by [@henryju](https://github.com/henryju) in [#250](SonarSource/sonarqube-scan-action#250)
- SQSCANGHA-127 Rename downloaded file to .zip before extraction on Windows by [@henryju](https://github.com/henryju) in [#251](SonarSource/sonarqube-scan-action#251)

**Full Changelog**: <SonarSource/sonarqube-scan-action@v8...v8.2.0>

### [`v8.2`](SonarSource/sonarqube-scan-action@v8.1.0...v8.2.0)

[Compare Source](SonarSource/sonarqube-scan-action@v8.1.0...v8.2.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.tainton.uk/repos/epage-go/pulls/12
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
luketainton pushed a commit to luketainton/repos_roboluke that referenced this pull request Jun 9, 2026
…(#455)
Reviewed-on: https://git.tainton.uk/repos/roboluke/pulls/455
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>