App.Config / Web.Config Scanning

Does anyone know of a way to include the web.config / app.config security flagging? For example, I intentionally created a web.config file with fake user names and passwords. I also included various connection strings, etc. We ran a scan and it said all of those were fine. How is that? Putting sensitive information like that in either web/app config files is not a good thing. Shouldn’t SonarCloud detect that? If not, how can I get it to flag those? We are new to SonarCloud so perhaps we’re missing something but I searched and couldn’t find anyone else who was experiencing this. Thanks for reading.

Hey there.

Today those files aren’t supported, but we plan to improve this. See this response here:
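Until those files are analyzed natively, a small check run in the build before the scan can flag the cases described in the question. This is an added example, not part of the thread or of the linked response and not SonarCloud functionality; the function name `scan_config`, the key-name heuristics and the sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a credential value.
CONN_SECRET = re.compile(r"(?i)(?:^|;)\s*(password|pwd|accountkey)\s*=\s*[^;\s]")
# appSettings key names that suggest a secret (heuristic chosen for this example).
KEY_SECRET = re.compile(r"(?i)passw(or)?d|pwd|secret|api[_-]?key|token")

def local(tag):
    """Strip an XML namespace so <add> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def scan_config(xml_text):
    """Return sorted (section, name, reason) findings for plaintext credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter():
        kind = local(section.tag)
        for child in section:
            tag, attr = local(child.tag), child.attrib
            if kind == "connectionStrings" and tag == "add":
                if CONN_SECRET.search(attr.get("connectionString", "")):
                    findings.append((kind, attr.get("name", "?"), "password in connection string"))
            elif kind == "appSettings" and tag == "add":
                if KEY_SECRET.search(attr.get("key", "")) and attr.get("value", "").strip():
                    findings.append((kind, attr.get("key"), "secret-like key with literal value"))
            elif kind == "credentials" and tag == "user" and attr.get("password"):
                findings.append((kind, attr.get("name", "?"), "forms-auth user with inline password"))
    return sorted(findings)

# Constructed sample input; every name and value here is fake.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=sa;Password=Fake123!;" />
    <add name="Trusted" connectionString="Server=db;Database=app;Integrated Security=true;" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="FAKE-KEY-000" />
    <add key="PageSize" value="25" />
  </appSettings>
  <system.web><authentication mode="Forms"><forms><credentials passwordFormat="Clear">
    <user name="demo" password="fake-password" />
  </credentials></forms></authentication></system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in scan_config(SAMPLE):
        print("FLAG %s/%s: %s" % finding)
```

Sections protected with `configProtectionProvider` contain no `<add>` children, so they produce no findings, and connection strings that use integrated security are not flagged.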