Can't detect password in application.yaml or application.properties of a Java project

johnwang · March 21, 2025, 8:37pm

I attempted to detect passwords in src/main/resources/application.properties or src/main/resources/application.yaml or application.xml of a Java project using SonarQube maven plugin. I added Qualities Profile for Java and XML. The YAML Qualities Profile has no rules. The results of scanning is SonarQube can detect the hard coded passwords in the Java source code rather than application’s property files like .properties, .yaml, or .xml although I added them in sonar-project.properties. The output of SonarQube showed these files were bounded into the target but hard coded passwords were not detected at all. Did anyone successfully use SonarQube server or Cloud to find out hard coded passwords in Java application property files?

Thanks,

John

ganncamp · March 24, 2025, 4:09pm

Hi John,

Welcome to the community!

Given your project structure, I’m guessing you analyzed with SonarScanner for Maven, which doesn’t analyze resources by default. To broaden your analysis to include non-JVM-related files. you’ll need to use the scanAll option.

HTH,
Ann

Topic		Replies	Views
How to scan other project files for hard-coded secrets? SonarQube Cloud	6	69	April 10, 2025
Scanning and rules not being applicable on application.properties file of a java project Report False-positive / False-negative... java , scanner	3	608	February 18, 2025
Scanning java property files SonarQube Server / Community Build java , sonarqube , scanner , coverage	3	45	December 11, 2024
SonarQube not detecting authentication issues in HTML files SonarQube Server / Community Build html , java , sonarqube	5	1396	December 8, 2021
Hardcoded secrets in YAML not detected SonarQube Server / Community Build sonarqube , scanner , secrets , yaml	2	23	April 17, 2025

Can't detect password in application.yaml or application.properties of a Java project

Related topics