Can SonarQube do a security check for sensitive data, e.g. a password stored as plain text in XML files?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

Can SonarQube do a security check for sensitive data, e.g. a password stored as plain text in XML files?

Welcome :slight_smile:

Use https://yoursonarinstance/coding_rules to search the rules available in a running SonarQube instance.
Otherwise use https://rules.sonarsource.com/ if you have no SonarQube instance (yet) and need to know which rules are available overall.

There is a rule “Credentials should not be hardcoded” available for several languages, but not
for XML, AFAIK.

Gilbert

Hi Gilbert,
Is this rule specific to some SQ version, as I can't find this rule in my version, 6.7.7 (build 38951)?

BR//
Rohit

Hi,

The rules are provided by the language plugins, e.g. Sonar Java, which is also contained in
SonarQube Community Edition.
This rule has been available for quite some time, AFAIK.
Did you search like that? https://yoursonarinstance/coding_rules?q=credentials

As already written in the answer to your other post, you should update your SonarQube version ASAP.
A current SonarQube version is also able to run recent versions of the language scanners.

Gilbert

Hi Gilbert,
I checked this rule, but it is scanning by the word "password". In actual fact, how will we come to know whether a password is present or not in the code?

For example, in this code:

```java
public final static String PASSWORD_PROMPT_START = "passwordPromptStart";
```

It will say a password was detected, but an actual password is not present.

BR//
Rohit

Also, is there any option to include .tpl files (template files)? I can see in my scan that it's not scanning some of
my files.

BR//
Rohit

Hi @rohit_jalal

You should upgrade your SonarQube version as soon as possible.

You will benefit from the latest improvements of the “hardcoded password rule”.

This rule is not able to find hardcoded secrets in XML files at this time, but we are working on it.

Eric
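A stop-gap check of the kind Eric says is not yet available for XML, written here as an added example and not code from SonarQube or the rule itself: it walks an XML document, reports credential-looking names whose values are literals, skips placeholders (`${...}`, `{{...}}`, `%...%`, `ENC(...)`) and skips UI-text keys such as `passwordPromptStart`, which is the false positive Rohit raised. The name patterns and the sample XML are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Names that usually carry a credential (constructed heuristic, an assumption).
SECRET_NAME = re.compile(r"passw(?:or)?d|pwd|secret|api[_-]?key|token", re.IGNORECASE)
# Names that carry UI text about a password rather than a password (assumption).
UI_TEXT_NAME = re.compile(r"prompt|label|message|title|hint", re.IGNORECASE)
# Values that reference a secret instead of containing it: env/property
# placeholders, templating, or an already encrypted value (assumption).
PLACEHOLDER = re.compile(
    r"^\s*(?:\$\{[^}]*\}|\{\{[^}]*\}\}|%[^%]+%|ENC\([^)]*\))?\s*$")


def is_hardcoded(name, value):
    """True when `name` looks like a credential key and `value` is a literal."""
    if not SECRET_NAME.search(name) or UI_TEXT_NAME.search(name):
        return False
    return PLACEHOLDER.match(value) is None


def find_hardcoded_secrets(xml_text):
    """Return (location, value) pairs for literal secrets in an XML document."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # <password>literal</password>
        if elem.text and elem.text.strip() and is_hardcoded(elem.tag, elem.text):
            findings.append((elem.tag, elem.text.strip()))
        # <datasource password="literal"/>
        for attr, value in elem.attrib.items():
            if is_hardcoded(attr, value):
                findings.append((f"{elem.tag}@{attr}", value))
        # <property name="db.password" value="literal"/> and key= variants
        name = elem.attrib.get("name") or elem.attrib.get("key")
        value = elem.attrib.get("value")
        if name and value is not None and is_hardcoded(name, value):
            findings.append((f"{elem.tag}[name={name}]", value))
    return findings


# Constructed sample: two real literals, two placeholders, one UI-text key.
SAMPLE_XML = """<config>
  <datasource user="app" password="Hunter2!"/>
  <property name="db.password" value="${DB_PASSWORD}"/>
  <property name="api.key" value="ENC(AbCd1234)"/>
  <secret>s3cr3t-literal</secret>
  <entry key="passwordPromptStart" value="Enter password:"/>
</config>"""

if __name__ == "__main__":
    for location, value in find_hardcoded_secrets(SAMPLE_XML):
        print(f"hardcoded secret at {location}: {value!r}")
```

Only the `datasource` attribute and the `<secret>` element are reported; the placeholders and the prompt key are not.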

Thanks, Eric!!