[Cloud-native AI] sonarqube scan fails on Openshift variation #282

@ocofaigh

After deploying the Standard with sample application (Deploy on Red Hat OpenShift) variation with prefix value of dev-9rmy and checking the logs of the CI-Toolchain rag-webhook-trigger run, the following error was seen in the build artifact stage:

4 Dec, 13:14:54 Details of evidence collected:
4 Dec, 13:14:54 ┌─────────────────┬─────────────────────────────────────────────────────────────────────────────┐
4 Dec, 13:14:54 │ Attribute       │ Value                                                                       │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Status          │ failure                                                                     │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Tool Type       │ sonarqube                                                                   │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Evidence ID     │ 831b570983b7b65ca27ff6637a8eeb1ef38e2e618527a80333106fb363a46b2a            │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Evidence Type   │ com.ibm.static_scan                                                         │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Issues          │                                                                             │
4 Dec, 13:14:54 │                 │ https://us-south.git.cloud.ibm.com/OCOFAIGH/dev-9rmy-issues-repo/-/issues/1 │
4 Dec, 13:14:54 ├─────────────────┼─────────────────────────────────────────────────────────────────────────────┤
4 Dec, 13:14:54 │ Attachment URLs │                                                                             │
4 Dec, 13:14:54 │                 │                                                                             │
4 Dec, 13:14:54 └─────────────────┴─────────────────────────────────────────────────────────────────────────────┘

The details from the issue that was created show:

[
  {
    "message": "Bind this Service Account to RBAC or disable \"automountServiceAccountToken\".",
    "componentName": "dev-9rmy-app-repo-compliance-check:deployment_os.yml",
    "timeStamp": {
      "creationDate": "2024-08-26T12:48:45+0000",
      "updateDate": "2025-12-04T13:13:52+0000"
    },
    "textRange": {
      "startLine": 45,
      "endLine": 45,
      "startOffset": 26,
      "endOffset": 50
    }
  }
]

and

[
  {
    "message": "Bind this Service Account to RBAC or disable \"automountServiceAccountToken\".",
    "componentName": "dev-9rmy-app-repo-compliance-check:deployment_os.yml",
    "timeStamp": {
      "creationDate": "2024-08-26T12:48:45+0000",
      "updateDate": "2025-12-04T13:34:51+0000"
    },
    "textRange": {
      "startLine": 45,
      "endLine": 45,
      "startOffset": 26,
      "endOffset": 50
    }
  }
]

Can we investigate with the goal of getting these to pass the scan?
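
Added example, not part of the original issue and not the project's deployment_os.yml: the two remedies named in the scanner message ("Bind this Service Account to RBAC or disable automountServiceAccountToken") as Kubernetes manifests. All names, the namespace, the image and the Role's rules are assumed placeholders.

```yaml
# Constructed manifests; sample-app, sample-app-sa, sample-ns and the image
# are placeholders, not values taken from deployment_os.yml.

# Option 1: the workload never calls the Kubernetes API, so mount no token.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
  namespace: sample-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample-app
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      serviceAccountName: sample-app-sa
      # Pod-level value takes precedence over the ServiceAccount's own setting.
      automountServiceAccountToken: false
      containers:
        - name: sample-app
          image: registry.example.com/sample-app:1.0.0
---
# Option 2: the workload needs the API, so keep the token and bind the
# ServiceAccount to a narrowly scoped Role (rules here are illustrative).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sample-app-read-config
  namespace: sample-ns
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-app-read-config
  namespace: sample-ns
subjects:
  - kind: ServiceAccount
    name: sample-app-sa
    namespace: sample-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sample-app-read-config
```

With Option 1 the pod has no API credential at `/var/run/secrets/kubernetes.io/serviceaccount`; with Option 2 the credential stays mounted but its permissions are limited to what the Role grants.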
