Does SonarQube or SonarCloud support scanning secrets (passwords, tokens, certificates, etc)?

Hi,

Maybe. :wink:

Could you be a little more explicit on what you’re looking for?

Ann

Yes. We are looking for a service that will identify if code contains secrets (passwords, keys, certificates, etc) mainly as part of CI/CD. It needs to support multiple languages and be configurable for new rules.

Hi,

There are already some rules for Credentials, look here: https://yoursonarhost/coding_rules?q=Credentials

Regards,
Gilbert

1 Like

Awesome. Is that available in Sonar Cloud?

Hi,

See the available rules here: https://rules.sonarsource.com/

Regards,
Gilbert

On SonarQube or SonarCloud, you can use the rule S2068.

As stated in the documentation, << it’s recommended to customize the configuration of this rule with additional credential words such as “oauthToken”, “secret”, … >> because by default the rule will look only for “password” strings.
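To make the effect of that configuration concrete, here is an added example (not SonarSource code and not how S2068 is implemented internally): a small scanner with a configurable credential-word list, run over a few constructed source lines. With only the default word it reports the `password` line; with the post's suggested additions it also catches `oauthToken` and a `*_secret` identifier. The regex shape, the sample lines and the masking are assumptions made for this illustration; it also shows how a word list becomes a regex, which is the kind of customization asked about further down the thread.

```python
"""Configurable credential-word scanner, in the spirit of S2068's word list.

Added example, not SonarSource code: it approximates what a "credential
words" configuration does, so the effect of extending the default list can
be seen on a few constructed lines.
"""
import re
from typing import List, NamedTuple

# Constructed sample source (not from any real project).
SAMPLE_SOURCE = """\
db_host = "db.internal"
password = "CHANGEME123"
oauthToken = "ya29.a0AfH6SMBx"
client_secret = 'hunter2'
token_ttl = 3600
"""

# Out of the box the rule only looks for "password" (as the post above says).
DEFAULT_WORDS = ["password"]
# The post's suggested additions ("oauthToken", "secret", ...).
EXTENDED_WORDS = ["password", "oauthToken", "secret"]


class Finding(NamedTuple):
    line_no: int
    word: str          # the credential word as it appeared in the source
    masked_value: str  # never echo the literal itself into a report


def build_pattern(words: List[str]) -> "re.Pattern[str]":
    """Hypothetical approximation of the rule: an identifier containing one of
    the configured words, assigned a quoted string literal."""
    alts = "|".join(re.escape(w) for w in words)
    return re.compile(
        r"\b\w*(?P<word>" + alts + r")\w*\s*[:=]\s*(['\"])(?P<value>[^'\"]+)\2",
        re.IGNORECASE,
    )


def mask(value: str) -> str:
    """Keep two characters for triage, hide the rest."""
    keep = 2 if len(value) > 2 else 0
    return value[:keep] + "*" * (len(value) - keep)


def scan(source: str, words: List[str]) -> List[Finding]:
    """Return one Finding per line whose assignment matches a configured word."""
    pattern = build_pattern(words)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = pattern.search(line)
        if match:
            findings.append(
                Finding(line_no, match.group("word"), mask(match.group("value")))
            )
    return findings


if __name__ == "__main__":
    for label, words in (("default", DEFAULT_WORDS), ("extended", EXTENDED_WORDS)):
        print(f"{label} word list {words}:")
        for f in scan(SAMPLE_SOURCE, words):
            print(f"  line {f.line_no}: '{f.word}' assigned {f.masked_value}")
```

Running it shows one finding with the default list and three with the extended one; the point is that a hard-coded `client_secret` is invisible until the word list is extended, which is exactly why the documentation recommends customizing it.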

Can we add custom regex patterns instead of an exact string match? What is the best way to find AWS Secret Keys?

Hi,
Nice, but how would you apply rules such as https://rules.sonarsource.com/java/RSPEC-2068 for JSON?

Currently I see 19 rules in our SQ configuration for JSON, but none is checking for hard-coded passwords…

Kind regards