
BUILD-11394: Adds checking for manual setting of the SQ Project Key on check-sca #261

Merged
bwalsh434 merged 1 commit into master from BUILD-11394-separate-config-file-for-sq-project-key-check-sca on May 19, 2026

Conversation

@bwalsh434 (Contributor)

What Changed?

  • For the check-sca action, the action now checks the consumer repo's .github/check-sca.properties file for setting of the project-key
    • This allows repo owners with unconventional ways of setting their SQ project key to still make sure that the check-sca action can find their key

@sonarqubecloud Bot commented May 19, 2026

Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

1 issue(s) found across 1 file(s):

Rule: shelldre:S1192
File: spec/check-sca_spec.sh, line 251
Message: Define a constant instead of using the literal 'explicit-key' 4 times.

Analyzed by SonarQube Agentic Analysis in 2.7 s

@bwalsh434 bwalsh434 marked this pull request as ready for review May 19, 2026 02:17
@bwalsh434 bwalsh434 requested a review from a team as a code owner May 19, 2026 02:17
Copilot AI review requested due to automatic review settings May 19, 2026 02:17
@sonar-review-alpha Bot (Contributor) commented May 19, 2026

Summary

This PR adds support for discovering SonarQube project keys via a new .github/repo-metadata.yaml file, enabling repos that use SonarCloud Automatic Analysis or other non-standard setups to explicitly configure their project key for the check-sca action.

What changed:

  • Added read_repo_metadata() helper to parse YAML metadata from the repo root
  • Integrated metadata file into the project key discovery pipeline with high priority (second only to explicit PROJECT_KEY_INPUT)
  • README updated with configuration instructions and example YAML structure
  • Comprehensive test coverage for various edge cases (quoted values, file extensions, priority ordering, subdirectory handling)

What reviewers should know

Start here: Review the two new helper functions (parse_property_value() and read_repo_metadata()) in check-sca/check-sca.sh to understand the parsing logic. The YAML parsing uses sed to extract values under the check-sca section.

Key design decisions to verify:

  • The metadata file is always read from the repo root ($GITHUB_WORKSPACE), not the working directory — this is correct for storing .github config files
  • .yaml is preferred over .yml (checked with break after first match)
  • Metadata discovery runs after explicit PROJECT_KEY_INPUT but before .sonarlint/connectedMode.json — a reasonable priority
  • The YAML parser strips quotes from values and handles whitespace

Test coverage is thorough: The spec file includes cases for both file extensions, quoted values, missing sections, priority ordering, and reading from repo root when working in subdirectories. Pay attention to the "prefers .yaml over .yml when both exist" test to confirm precedence logic.



@hashicorp-vault-sonar-prod Bot commented May 19, 2026

BUILD-11394

sonar-review-alpha[bot]

This comment was marked as resolved.

Copilot AI left a comment

Pull request overview

Adds support in the check-sca GitHub Action for discovering a SonarQube/SonarCloud project key from a manually maintained repo file (.github/check-sca.properties), intended to help repositories that don’t have standard scanner config files.

Changes:

  • Extend project-key discovery to read project-key=... from .github/check-sca.properties with high priority.
  • Add ShellSpec coverage for the new discovery source and update existing priority-order expectations.
  • Update README.md to document the new manual override file and discovery order.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File: check-sca/check-sca.sh
  Adds .github/check-sca.properties as a new discovery source and adjusts priority numbering.
File: spec/check-sca_spec.sh
  Adds tests for reading/ignoring/prioritizing the new properties file; updates the priority-order test.
File: README.md
  Documents the new discovery source and provides instructions for creating .github/check-sca.properties.
Comments suppressed due to low confidence (1)

check-sca/check-sca.sh:54

  • With set -euo pipefail, this grep | head | cut | tr pipeline returns a non-zero status when no project-key= line is present (or the file is malformed). That can cause discover_project_keys to exit early and skip all lower-priority sources, which contradicts the intended "ignore when malformed" behavior. Consider making the parse non-fatal (e.g., tolerate grep exit status) so missing/invalid lines don’t abort key discovery.
  if [[ -f "$checksca_props" ]]; then
    local key
    key=$(grep -E '^project-key=' "$checksca_props" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '[:space:]')
    if [[ -n "$key" ]]; then
      keys+=("$key")


Comment thread check-sca/check-sca.sh Outdated
Comment thread README.md Outdated
Comment thread spec/check-sca_spec.sh
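The non-fatal parse that the suppressed Copilot comment above asks for, written out as an added example. This is not the check-sca project's own code and not the fix the PR shipped. It assumes a `workspace` argument standing in for $GITHUB_WORKSPACE, the function names shown, the discovery order this page describes (explicit input, then .github/check-sca.properties at the repo root, then .sonarlint/connectedMode.json), and that SonarLint's connected-mode file carries the key under a `projectKey` field; the fixture files in the demo are constructed for it. The point it demonstrates is that under `set -euo pipefail` a `grep` with no match fails the whole pipeline, so a missing or malformed override file must be tolerated explicitly or discovery stops before the lower-priority sources are tried.

```bash
#!/usr/bin/env bash
# Added example, not the check-sca project's own code. Project-key discovery
# that stays non-fatal under `set -euo pipefail` when
# .github/check-sca.properties is missing or has no usable project-key line,
# so lower-priority sources are still consulted. Function names, the fixture
# files and the `workspace` argument (standing in for $GITHUB_WORKSPACE) are
# assumptions made for this example.
set -euo pipefail

# Print the value of the first `project-key=<value>` line in a properties
# file, or nothing. Never returns non-zero: `|| true` absorbs grep's exit
# status 1 on "no match" (and 141 if head closes the pipe early). Under
# `pipefail` that status would otherwise fail the `key=$(...)` assignment
# and, under `set -e`, abort the caller before it tried the next source.
# Like the pipeline quoted in the review, whitespace inside the value is
# stripped; `cut -f2-` keeps any '=' that appears inside the value.
read_properties_project_key() {
  local file=$1
  [[ -f "$file" ]] || return 0
  { grep -E '^[[:space:]]*project-key[[:space:]]*=' "$file" || true; } \
    | head -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Extract "projectKey" from SonarLint's .sonarlint/connectedMode.json with
# grep/sed (no jq dependency). Same non-fatal contract as above. This is a
# simplification for the example: it handles a flat key/value file, not
# arbitrary JSON, and the field name is an assumption.
read_sonarlint_project_key() {
  local file=$1
  [[ -f "$file" ]] || return 0
  { grep -oE '"projectKey"[[:space:]]*:[[:space:]]*"[^"]*"' "$file" || true; } \
    | head -n 1 | sed -E 's/.*"([^"]*)"$/\1/'
}

# Discovery order as described on this page: explicit input first, then the
# manual override file at the repo root, then SonarLint connected mode.
# Prints the first non-empty key and returns 0; returns 1 when nothing was
# found so the caller decides whether that is an error.
discover_project_key() {
  local workspace=${1:?repo root} explicit=${2:-} key
  if [[ -n "$explicit" ]]; then
    printf '%s\n' "$explicit"
    return 0
  fi
  key=$(read_properties_project_key "$workspace/.github/check-sca.properties")
  if [[ -n "$key" ]]; then
    printf '%s\n' "$key"
    return 0
  fi
  key=$(read_sonarlint_project_key "$workspace/.sonarlint/connectedMode.json")
  if [[ -n "$key" ]]; then
    printf '%s\n' "$key"
    return 0
  fi
  return 1
}

# Constructed fixture: a workspace whose properties file has a comment and an
# unrelated setting but no project-key line, plus a SonarLint file. A fatal
# parse would stop at the properties file; here discovery falls through.
demo() {
  local ws
  ws=$(mktemp -d)
  mkdir -p "$ws/.github" "$ws/.sonarlint"
  printf '# manual override, not yet filled in\nbranch=main\n' \
    > "$ws/.github/check-sca.properties"
  printf '{"sonarCloudOrganization": "demo-org", "projectKey": "demo-org_check-sca"}\n' \
    > "$ws/.sonarlint/connectedMode.json"
  echo "malformed properties, SonarLint present: $(discover_project_key "$ws")"
  printf 'project-key = demo-org_override\n' >> "$ws/.github/check-sca.properties"
  echo "properties override present:            $(discover_project_key "$ws")"
  echo "explicit input wins:                    $(discover_project_key "$ws" explicit-key)"
  rm -rf "$ws"
}
demo
```

The `|| true` is placed on the `grep` alone, inside a group, rather than on the whole pipeline, so a genuine failure later in the pipeline still surfaces while "no match" is treated as the empty result the action wants. Returning 1 from `discover_project_key` when no source yields a key keeps the "nothing found" case distinct from a parse error, which is what the suppressed comment's "ignore when malformed" wording calls for.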
@bwalsh434 bwalsh434 force-pushed the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch from 79cc2e5 to 6cd16fd Compare May 19, 2026 02:30
@bwalsh434 bwalsh434 force-pushed the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch from 6cd16fd to 5733760 Compare May 19, 2026 02:39
sonar-review-alpha[bot]

This comment was marked as outdated.

@bwalsh434 bwalsh434 force-pushed the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch from 5733760 to 89ac21d Compare May 19, 2026 02:50
sonar-review-alpha[bot]

This comment was marked as outdated.

Comment thread check-sca/check-sca.sh
@jayadeep-km-sonarsource (Contributor) left a comment

@bwalsh434 bwalsh434 force-pushed the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch from 89ac21d to c4e0347 Compare May 19, 2026 16:13
sonar-review-alpha[bot]

This comment was marked as resolved.

@bwalsh434 bwalsh434 force-pushed the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch from c4e0347 to beb03f6 Compare May 19, 2026 16:38
@sonarqubecloud

@sonar-review-alpha Bot (Contributor) left a comment

LGTM! ✅


@bwalsh434 bwalsh434 merged commit 9d635dd into master May 19, 2026
16 checks passed
@bwalsh434 bwalsh434 deleted the BUILD-11394-separate-config-file-for-sq-project-key-check-sca branch May 19, 2026 16:43
3 participants