Django Secret Key from .env-file raising secrets:S6652

Hello!

We have been using SonarCloud for quite a while and in most cases it works great! I recently stumbled upon an issue I can't figure out. I tried to search here in the community and on Google without luck.

We have a Django application and we are using SonarCloud in our GitHub CI. We have the following line in our settings.py:

SECRET_KEY = env.str("SECRET_KEY")

The SECRET_KEY is an important variable that needs to be set. In this case we use django-environ to read this value from an environment variable. However, I get an error in SonarCloud regarding this line:

Make sure this Django key gets revoked, changed, and removed from the code. (secrets:S6652)

Looking at the “How can I fix it?” it seems like a false positive. It seems to think I have a secret key as a string in my code, as this is an example:

The problem is that I already have a Python equivalent to the Compliant solution. We haven’t had this issue before, we haven’t had any changes in this part of the code for several years, but it just now started raising this error and blocking our CI-flows.

How can I fix this? I have tried with adding the NOSONAR-comment, but it doesn’t do anything:

SECRET_KEY = env.str("SECRET_KEY") # NOSONAR

Thanks in advance!
Robert
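As an added illustration (not code from the thread or from SonarSource), this shows the compliant pattern the post describes, loading SECRET_KEY from the environment with a fail-fast check, alongside a constructed, simplified classifier that separates a hard-coded string literal from an environment lookup. The two regular expressions, the minimum key length and the `SecretKeyError` type are assumptions made here for illustration; they are not the patterns from the django.yaml file the rule uses.

```python
"""Added example: environment-based SECRET_KEY loading plus a constructed
hard-coded-literal classifier. The regexes below are assumptions for
illustration, not SonarSource's actual detection rules."""
import os
import re
from typing import Mapping

# Minimum length is an added guard (assumption); Django only rejects empty keys at startup.
MIN_SECRET_KEY_LENGTH = 50


class SecretKeyError(RuntimeError):
    """Raised when SECRET_KEY is missing or unusable."""


def load_secret_key(environ: Mapping[str, str] = os.environ, name: str = "SECRET_KEY") -> str:
    """Read the key from the environment and fail fast instead of falling back to a default."""
    value = environ.get(name)
    if value is None or not value.strip():
        raise SecretKeyError(f"{name} environment variable must be set")
    if len(value) < MIN_SECRET_KEY_LENGTH:
        raise SecretKeyError(f"{name} is shorter than {MIN_SECRET_KEY_LENGTH} characters")
    return value


# Constructed pattern: SECRET_KEY assigned a quoted string literal of 16+ characters.
_HARDCODED = re.compile(r'''^\s*SECRET_KEY\s*=\s*(['"])(?P<value>[^'"\n]{16,})\1\s*(#.*)?$''')
# Constructed pattern: SECRET_KEY taken from the environment via os.environ, os.getenv or env.str/env(...).
_FROM_ENV = re.compile(r'''^\s*SECRET_KEY\s*=\s*(os\.environ|os\.getenv|env\.str|env)\b''')


def classify_assignment(line: str) -> str:
    """Return 'hardcoded', 'environment' or 'other' for one settings.py line."""
    if _HARDCODED.match(line):
        return "hardcoded"
    if _FROM_ENV.match(line):
        return "environment"
    return "other"


if __name__ == "__main__":
    # Constructed sample lines: the thread's compliant line and a hard-coded counterpart.
    samples = [
        'SECRET_KEY = env.str("SECRET_KEY")',
        'SECRET_KEY = "django-insecure-abcdefghijklmnopqrstuvwxyz0123456789"',
    ]
    for sample in samples:
        print(f"{classify_assignment(sample):12} {sample}")
```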

Hello Robert,

Thanks for raising this issue! It is a new rule, thus it did not show up before. It is part of an additional approach to detect hard-coded secrets using regular expressions: https://github.com/SonarSource/sonar-text/blob/master/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/django.yaml#L35

We will fix this of course but it will take a bit of time. Maybe you can just review it as a “false positive” for now, so that your build pipe does not fail?

Hello Hendrik,

Ok, that should work. Thanks for your answer!
