chore(actions): update sonarsource/sonarqube-scan-action action to v6 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
sonarsource/sonarqube-scan-action	action	major	v5.0.0 → v6.0.0

GitHub Vulnerability Alerts

CVE-2025-58178

Impact

A command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without proper sanitization. Arguments sent to the action are treated as shell expressions, allowing potential execution of arbitrary commands.

Patches

A fix has been released in SonarQube Scan GitHub Action v5.3.1.

CVE-2025-59844

A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.

Patches

The vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later.

Credits

Francois Lajeunesse-Robert (Boostsecurity.io)

References

• Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281
• Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0

---

Release Notes

sonarsource/sonarqube-scan-action (sonarsource/sonarqube-scan-action)

v6.0.0

Compare Source

BREAKING CHANGE!

In order to prevent command-line injection, the actions has been rewritten from Bash to JS, and the args input is now parsed differently. When updating to v6, you might have to update your workflow to change how arguments are quoted.
For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

For more args passing examples, please refer to the README file

What's Changed

• SQSCANGHA-106 Migrate from Bash to JS by @​jeremy-davis-sonarsource in SonarSource#208

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v6.0.0

v5.3.2

Compare Source

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v5.3.2

v5.3.1

Compare Source

OVERLOOKED BREAKING CHANGE!

In order to prevent command-line injection, the way to parse the args input has been changed, but this is possibly a breaking change regarding support of quotes.

For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

Edit: We have now released v6 that more accurately reflect this breaking change.

What's Changed

• SQSCANGHA-101 Add more input injection tests by @​aleksandra-bozhinoska-sonarsource in SonarSource#200

New Contributors

• @​daantimmer made their first contribution in SonarSource#199

Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.3.1

v5.3.0

Compare Source

What's Changed

• SQSCANGHA-83 Avoid unbound variable error on parameter expansion by @​aleksandra-bozhinoska-sonarsource in SonarSource#192
• SQSCANGHA-97 Use /usr/bin/env for shebang by @​eliandoran in SonarSource#193
• SQSCANGHA-98 Update SonarScanner CLI to 7.2.0.5079 by @​github-actions[bot] in SonarSource#196

New Contributors

• @​eliandoran made their first contribution in SonarSource#193

Full Changelog: SonarSource/sonarqube-scan-action@v5.2.0...v5.3.0

v5.2.0

Compare Source

What's Changed

• SQSCANGHA-90 remove mend dead conf by @​pierre-guillot-gh in SonarSource#184
• SQSCANGHA-89 Attempt to fix command injection by @​henryju in SonarSource#186
• SQSCANGHA-93 Fix madhead/semver-utils' version by @​csaba-feher-sonarsource in SonarSource#187
• SQSCANGHA-94 Update version update logic by @​csaba-feher-sonarsource in SonarSource#188
• SQSCANGHA-92 Validate scanner version by @​csaba-feher-sonarsource in SonarSource#189

Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.2.0

v5.1.0

Compare Source

What's Changed

• Update SonarScanner CLI to 7.1.0.4889 to support sonar.region=us by @​github-actions in SonarSource#183

Full Changelog: SonarSource/sonarqube-scan-action@v5.0.0...v5.1.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.