Adding a custom rule for secret scanning

I see that the Sonar cloud can be used as a secret scanner. I see that it has a “Secrets” quality profile, but there are only 60 built-in rules in it. I would like to know whether we can add our own custom regex-based rules to the extended profile based on our own requirements. I found this two-year-old topic asking the same question: Secret scan expand SonarCloud, where it said that it is not possible.

Has anything changed since then?


Hey there.

Defining a custom rule for secrets scanning is possible in the Enterprise Edition of SonarQube (just as of SonarQube v10.3, released this month), but not in SonarCloud yet. I’m hopeful for next year!


To add to what Colin said, I would like to make a few clarifications.

All 3 Sonar products are provided with 60 built-in rules, and these rules cover 110+ secret patterns. We made the choice to group related secrets under the same umbrella/rule to avoid creating too many rules with almost the same content.

Our Secret Detection Engine, which was released this year, is open source. This means that if the secrets you expect to detect are related to public services, you should feel comfortable contributing and raising a PR to add the missing secret patterns. If the PR is accepted, your contribution will be added to the next release of our Secret Detection Engine.

