Hi,
I see that SonarCloud can be used as a secret scanner. I see that it has a “Secrets” quality profile, but there are only 60 built-in rules in it. I would like to know whether we can add our own custom regex-based rules to the extended profile based on our own requirements. I found this two-year-old topic asking the same question: Secret scan expand SonarCloud, where it said that it is not possible.
Defining a custom rule for secrets scanning is possible in the Enterprise Edition of SonarQube (just as of SonarQube v10.3, released this month), but not in SonarCloud yet. I’m hopeful for next year!
To add to what Colin said, I would like to bring some precisions.
All 3 Sonar products are provided with 60 built-in rules, and these rules cover 110+ secret patterns. We made the choice to group related secrets under the same umbrella/rule to avoid creating too many rules with almost the same content.
Our Secret Detection Engine, which was released this year, is open-source. This means that if the secrets you expect to detect are related to public services, you should feel comfortable contributing and raising a PR to add the missing secret patterns. If the PR is accepted, your contribution will be added to the next release of our Secret Detection Engine.