Does SonarCloud Detect Secrets in .NET App Config Files?

I am currently evaluating SonarCloud for code security needs and have come across an issue I am hoping to clarify.

During my analysis of a .NET code repository, I noticed that SonarCloud does not seem to detect secrets or credentials within the app config file. This file often contains sensitive information such as database connection strings or API keys, so I was expecting SonarCloud to flag any secrets present.

Could anyone please confirm if:

  1. SonarCloud is able to detect secrets within these types of configuration files?
  2. There are any specific settings or configurations I need to apply in order to enable this detection?
  3. If this functionality is not currently supported, is it something that will be added in future releases?

I look forward to any guidance on this matter.

Hey there.

This should happen out of the box. Can you provide an (obfuscated) example?

Thanks for your response! Below is the connection string I currently have in the app.config file of my codebase:

<connectionStrings>
  <add name="BlobXmlProcessingContext"
       connectionString="metadata=res://*/DbContext.BlobXmlProcessing.csdl|res://*/DbContext.BlobXmlProcessing.ssdl|res://*/DbContext.BlobXmlProcessing.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=local.database.windows.net;initial catalog=api-db;persist security info=True;user id=sa;password=Password1234!;encrypt=True;MultipleActiveResultSets=True;App=EntityFramework&quot;"
       providerName="System.Data.EntityClient" />
</connectionStrings>

I was hoping Sonar would flag the fact that my connection string contains a user ID and password, as these credentials should not be committed to the codebase. Sometimes developers may accidentally commit non-prod or prod secrets, so I want to avoid that risk.

Thanks @khushant-dhingra

I ran some tests and the detection seems to work when your example is included in a web.config file (a Security Hotspot is raised), but not in app.config files. :thinking:

I’ve flagged this for the team.


Hey @khushant-dhingra, thanks for your question!

After double-checking on my side, it looks like the problem is not how the file is called but the actual secret inside it.

password=Password1234! looks “too fake”, so our analyzer doesn’t raise an issue on it to avoid noise and false-positive fatigue. If you try with a more “real-looking” password like password=NkhAL5M26YAt, it should raise an issue in your code.

Let me know if it works!

Best,
Gabin
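An added illustration of the behaviour Gabin describes, not Sonar's code and not its actual heuristic: a small Python scanner that extracts passwords from the `<connectionStrings>` section of a .NET config file and separates placeholder-looking values from real-looking ones. The regexes, the plausibility rules (placeholder list, character classes, entropy threshold) and the sample app.config are assumptions made for this example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed app.config fragment for the demo; every credential in it is made up.
SAMPLE_APP_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="Fake" connectionString="data source=db;user id=sa;password=Password1234!;encrypt=True" />
    <add name="Real" connectionString="provider=System.Data.SqlClient;provider connection string=&quot;data source=db;user id=sa;password=NkhAL5M26YAt&quot;" />
    <add name="Trusted" connectionString="data source=db;Integrated Security=True" />
  </connectionStrings>
</configuration>
"""

# password=... or pwd=... inside a connection string; the value ends at ';' or a quote.
PASSWORD_RE = re.compile(r"\b(?:password|pwd)\s*=\s*([^;\"']+)", re.IGNORECASE)
# Values that are obviously placeholders rather than credentials (assumed list).
PLACEHOLDER_RE = re.compile(
    r"^(password|passw0rd|changeme|secret|example|xxx+|\*\*\*+|\$\{.*\}|%.*%)", re.IGNORECASE)

def shannon_entropy(value):
    """Bits of entropy per character of the string (0.0 for an empty or uniform string)."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_real(secret):
    """Assumed plausibility heuristic: reject short values and placeholders,
    require letters of both cases plus digits, and a minimum entropy."""
    if len(secret) < 8 or PLACEHOLDER_RE.match(secret):
        return False
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return classes >= 3 and shannon_entropy(secret) >= 3.0

def scan_connection_strings(xml_text):
    """Return (name, secret, plausible) for every password found in <add connectionString=...>."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iter("add"):
        conn = add.get("connectionString") or ""   # ElementTree already decodes &quot;
        for match in PASSWORD_RE.finditer(conn):
            secret = match.group(1).strip()
            findings.append((add.get("name"), secret, looks_real(secret)))
    return findings

if __name__ == "__main__":
    for name, secret, plausible in scan_connection_strings(SAMPLE_APP_CONFIG):
        print(f"{name}: password={secret!r} -> {'REPORT' if plausible else 'ignore (placeholder)'}")
```

With the sample above, "Password1234!" is skipped as a placeholder while "NkhAL5M26YAt" is reported, mirroring the distinction made in the thread.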