Hello!
We have been using Sonarcloud for quite a while and in most cases it works great! I recently stumbled upon an issue I can’t figure out. I tried to search here in the community and on google without luck.
We have a Django-application and we are using Sonarcloud in our Github CI. We have the following line in our settings.py:
SECRET_KEY = env.str("SECRET_KEY")
The SECRET_KEY is an important variable that needs to be set. In this case we use django-environ
to read out this value from an environment variable. However, I get an error in Sonarcloud regarding this line:
Make sure this Django key gets revoked, changed, and removed from the code. (secrets:S6652)
Looking at the “How can I fix it?” it seems like a false positive. It seems to think I have a secret key as a string in my code, as this is an example:
The problem is that I already have a Python equivalent to the Compliant solution. We haven’t had this issue before, we haven’t had any changes in this part of the code for several years, but it just now started raising this error and blocking our CI-flows.
How can I fix this? I have tried with adding the NOSONAR-comment, but it doesn’t do anything:
SECRET_KEY = env.str("SECRET_KEY") # NOSONAR
Thanks in advance!
Robert