Does SonarQube or SonarCloud support scanning secrets (passwords, tokens, certificates, etc)?

sonarqube
sonarcloud

(Daniel Clayton) #1

Does SonarQube or SonarCloud support scanning secrets (passwords, tokens, certificates, etc)?


(G Ann Campbell) #2

Hi,

Maybe. :wink:

Could you be a little more explicit on what you’re looking for?

 
Ann


(Daniel Clayton) #3

Yes. We are looking for a service that will identify if code contains secrets (passwords, keys, certificates, etc) mainly as part of CI/CD. It needs to support multiple languages and be configurable for new rules.


(Gilbert Rebhan) #5

Hi,

there are already some rules for Credentials, look here https://yoursonarhost/coding_rules?q=Credentials

Regards,
Gilbert


(Daniel Clayton) #6

Awesome. Is that available in SonarCloud?


(Gilbert Rebhan) #7

Hi,

see the available rules here: https://rules.sonarsource.com/

Regards,
Gilbert


(Alexandre Gigleux) #8

On SonarQube or SonarCloud, you can use the rule S2068.

As stated in the documentation, "it's recommended to customize the configuration of this rule with additional credential words such as 'oauthToken', 'secret', ..." because by default the rule will look only for "password" strings.
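To make the point of the last reply concrete, here is an added example (not SonarSource code, and not how S2068 is implemented internally) of a minimal hard-coded-credential check over a few constructed source lines. It mirrors the rule's behaviour as described above: an identifier that contains one of the configured credential words, assigned a non-empty string literal, is reported. Running it with only "password" configured and then with extra words such as "oauthToken" and "secret" shows which assignments a default configuration silently misses. The word lists and the sample source are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample source (not from any real project) covering the cases
# that matter for the rule: a match, two non-"password" credential names,
# a value read from the environment (not a literal), an empty literal, and
# a harmless assignment.
SAMPLE_SOURCE = """\
db_password = "hunter2"
oauthToken = "ya29.constructed-example-token"
secret = 'not-so-secret'
password = os.environ.get("DB_PASSWORD")
password = ""
username = "alice"
"""

# Assumed default: only "password" is looked for, as the reply above says.
DEFAULT_CREDENTIAL_WORDS = ("password",)

# Assumed customized configuration with the extra words the reply suggests.
EXTENDED_CREDENTIAL_WORDS = (
    "password", "passwd", "pwd", "passphrase", "secret", "oauthToken",
)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned source
    word: str      # credential word that triggered the finding
    line: str      # the offending line, stripped


def _build_pattern(credential_words: Iterable[str]) -> re.Pattern:
    """Identifier containing a credential word, '=', then a quoted literal."""
    alternatives = "|".join(re.escape(w) for w in credential_words)
    return re.compile(
        rf"\b\w*(?P<word>{alternatives})\w*\s*=\s*"
        r"(?P<q>[\"'])(?P<value>[^\"']*)(?P=q)",
        re.IGNORECASE,
    )


def find_hardcoded_credentials(
    source: str,
    credential_words: Iterable[str] = DEFAULT_CREDENTIAL_WORDS,
) -> List[Finding]:
    """Report assignments of non-empty string literals to credential-like names.

    A name assigned from a call or variable (e.g. os.environ.get(...)) is not
    a literal and is not reported; an empty literal is skipped too, since it
    carries no secret.
    """
    pattern = _build_pattern(credential_words)
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = pattern.search(line)
        if match and match.group("value"):
            findings.append(Finding(line_no, match.group("word"), line.strip()))
    return findings


def missed_by_default(source: str) -> List[Finding]:
    """Findings the extended word list catches that the default one misses."""
    default_lines = {f.line_no for f in find_hardcoded_credentials(source)}
    return [
        f for f in find_hardcoded_credentials(source, EXTENDED_CREDENTIAL_WORDS)
        if f.line_no not in default_lines
    ]


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE, EXTENDED_CREDENTIAL_WORDS):
        print(f"line {f.line_no}: '{f.word}' -> {f.line}")
    print("missed with default configuration:",
          [f.line_no for f in missed_by_default(SAMPLE_SOURCE)])
```

With the default list only line 1 is reported; the oauthToken and secret assignments on lines 2 and 3 are reported only once those words are added to the configuration, which is exactly why the documentation recommends customizing the rule. Environment lookups and empty literals are left alone in both configurations.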