Connection String and Notifications SonarCloud

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Languages of the repository: Spanish
  • Error observed:
    I have a C# project in which one of the developers uploaded the burned connection string directly into the appsettings file as follows:
    ```json
    "ConnectionStrings": {
      "Connection": "Server=tcp:mt.db.windows.net,1433;Initial Catalog=Conect;Persist Security Info=False;User ID=example;Password=123456;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;ConnectionTimeout=30;",
      "pers": ""
    }
    ```
    My question is why the SonarCloud analysis is not detecting this problem. The rule is activated and has always worked well; however, this security point has not been detected by SonarCloud. Is there a reason for this problem?

My second question is whether SonarCloud has the option to notify the administrator when a quality gate fails, in a general way, in any of the projects of the organization.
I know that it can be configured within each project, but I would like to do it in a general way for all of them. Is this possible?

Hello,

SonarCloud has (almost) no analyzer to detect problems in JSON files. We can analyze CloudFormation files provided as JSON files, but that’s the only exception.

I’ve got the feeling that when you talk about “appsettings” it’s actually about “appsettings.json” file and so there is no way SonarCloud can detect something on it today.

Can you clarify what you mean by “the rule is activated”? Which rule?

Thanks
Alex

PS: it’s better to create another thread for your notification question, so that the two questions can be handled by different persons

1 Like

Erratum: I forgot that we did that in 2021 to support the case of appsettings.json for the C# rule S2115 => it should work and detect your hard-coded password.

After more investigation, S2115 will only be raised if the “Password” property is empty.
I created #5427 to have the rule S2068 covering the case of appsettings.json files.

2 Likes
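Until the S2068 coverage for appsettings.json lands, a small repository-side check can catch the case in this thread. The following is an added example, not SonarCloud's or SonarSource's code: it reads an appsettings.json, parses each entry under "ConnectionStrings" as `key=value;` pairs, and reports a non-empty Password/Pwd (the hard-coded credential S2068 is about) separately from an empty one (the case the reply says S2115 raises on). The sample file content is constructed from the thread's snippet; the server name and password are not real. Only the Password and Pwd keywords are handled, which is an assumption of this example, and the secret value itself is deliberately never printed.

```python
"""Scan an appsettings.json for connection strings that embed credentials.

Added example (not SonarCloud's or SonarSource's code). Reports two
conditions for each connection string under "ConnectionStrings":
  - "hard-coded-password": a non-empty Password/Pwd value
  - "empty-password":      a Password/Pwd key with no value
Assumption: only the Password/Pwd keywords are recognised.
"""
import json
from typing import Dict, List

# Constructed sample mirroring the thread's snippet (not a real server or password).
SAMPLE_APPSETTINGS = """
{
  "ConnectionStrings": {
    "Connection": "Server=tcp:mt.db.windows.net,1433;Initial Catalog=Conect;Persist Security Info=False;User ID=example;Password=123456;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;ConnectionTimeout=30;",
    "pers": "",
    "Blank": "Server=tcp:example.invalid,1433;User ID=example;Password=;",
    "Managed": "Server=tcp:example.invalid,1433;Authentication=Active Directory Default;"
  }
}
"""

PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased, whitespace-trimmed keys."""
    parts: Dict[str, str] = {}
    for segment in value.split(";"):
        if "=" not in segment:
            continue  # empty trailing segment or malformed piece
        key, _, val = segment.partition("=")
        parts[key.strip().lower()] = val.strip()
    return parts


def find_credential_issues(appsettings_text: str) -> List[Dict[str, str]]:
    """Return one finding per connection string whose Password/Pwd is set or empty.

    Findings carry only the entry name and the issue kind, never the secret.
    """
    settings = json.loads(appsettings_text)
    findings: List[Dict[str, str]] = []
    for name, conn in settings.get("ConnectionStrings", {}).items():
        if not isinstance(conn, str):
            continue  # nested objects are out of scope for this check
        parts = parse_connection_string(conn)
        for key in PASSWORD_KEYS:
            if key in parts:
                kind = "hard-coded-password" if parts[key] else "empty-password"
                findings.append({"name": name, "issue": kind})
    return findings


if __name__ == "__main__":
    # Run it against a checked-out file with: json.loads(open("appsettings.json").read())
    for finding in find_credential_issues(SAMPLE_APPSETTINGS):
        print(f"{finding['name']}: {finding['issue']}")
```

On the sample above the check reports "Connection" as hard-coded-password and "Blank" as empty-password; the empty "pers" entry and the "Managed" entry (no password keyword at all) produce nothing. Wiring this into a pre-commit hook or a pipeline step in Azure DevOps keeps the finding close to the commit, independent of which Sonar rule eventually covers the file type.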