APPSEC-618 Enabling SonarQube Source Code Scanning Capability

.github/assets/sonar-project.properties

@@ -0,0 +1,11 @@
+
+sonar.sources=.
+sonar.language=php
+sonar.exclusions=.github/**,**ci/**,**/*.sql,**/*.md,**/*.yml,**/*.xml,**/*.json,**/*.lock,**/*.dist
+sonar.projectKey=com.hellofresh:engine
+sonar.links.homepage=https://github.com/hellofresh/engine
+sonar.links.issue=https://github.com/hellofresh/engine/issues
+sonar.links.ci=https://github.com/hellofresh/engine/actions
+sonar.links.scm=https://github.com/hellofresh/engine.git
+sonar.scm.provider=git
+sonar.sourceEncoding=UTF-8

.github/workflows/code_scanning.yaml

@@ -0,0 +1,44 @@
+---
+name: "PR: Code Scanning"
+
+on: 
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  schedule:
+    - cron: '30 4 * * 6'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  analyze:
+    name: scanning
+    runs-on: [ self-hosted, default ]
+    timeout-minutes: 15
+    steps:
+      - name: Import Secrets
+        id: vault-secrets
+        uses: hellofresh/jetstream-ci-scripts/actions/vault@master
+        with:
+          shared-secrets: |
+            common/data/defaults GITHUB_TOKEN | GITHUB_TOKEN;
+            common/data/defaults SONAR_TOKEN | SONAR_TOKEN ;
+
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: SonarQube Scan
+        uses: hellofresh/jetstream-ci-scripts/actions/sonar-scanner@master
+        env:
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_HOST_URL: "https://sonarqube.tools-k8s.hellofresh.io"
+        with:
+          args: >
+            -Dsonar.php.coverage.reportPaths=./coverage.xml
+            -Dproject.settings=./.github/assets/sonar-project.properties
+            -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}