Does SonarQube or SonarCloud support scanning secrets (passwords, tokens, certificates, etc)?
Could you be a little more explicit on what you’re looking for?
Yes. We are looking for a service that will identify if code contains secrets (passwords, keys, certificates, etc) mainly as part of CI/CD. It needs to support multiple languages and be configurable for new rules.
There are already some rules for Credentials; look here: https://yoursonarhost/coding_rules?q=Credentials
Awesome. Is that available in Sonar Cloud?
See the available rules here: https://rules.sonarsource.com/
On SonarQube or SonarCloud, you can use the rule S2068.
As stated in the documentation, « it’s recommended to customize the configuration of this rule with additional credential words such as “oauthToken”, “secret”, … » because by default the rule will look only for “password” strings.
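To make the point about extra credential words concrete, here is an added example (it is not SonarSource's code and not how S2068 is implemented) of the kind of check such a rule performs: a small scanner that flags assignments of a non-empty string literal to an identifier containing a credential word, with the word list extensible the way the rule's parameters are in a Quality Profile. The sample source lines and the extra words `oauthToken` and `secret` are constructed for the demo; the defaults shown follow the thread's statement that the rule looks only for "password" out of the box.

```python
import re

# Default credential word list, mirroring the thread's point that the rule
# only looks for "password" unless it is customized (assumption for the demo).
DEFAULT_CREDENTIAL_WORDS = ("password",)

# Constructed sample source lines (not taken from any real project).
SAMPLE_LINES = [
    'password = "s3cr3t"',                   # flagged by the default word list
    'oauthToken = "ya29.example"',           # flagged only with the extra word
    'secret: "hunter2"',                     # flagged only with the extra word
    'password = os.environ["DB_PASSWORD"]',  # read from the environment: not a literal
    'client_secret = ""',                    # empty literal: nothing leaked
    'print("enter your password")',          # word inside a message, not an assignment
]


def build_pattern(extra_words=()):
    """Compile a regex for: <identifier containing a credential word> [=:] <non-empty string literal>."""
    words = DEFAULT_CREDENTIAL_WORDS + tuple(extra_words)
    alternation = "|".join(re.escape(w) for w in words)
    return re.compile(
        r'\b\w*(?:' + alternation + r')\w*\s*[=:]\s*["\']([^"\']+)["\']',
        re.IGNORECASE,
    )


def find_hardcoded_credentials(lines, extra_words=()):
    """Return (line number, stripped line) for every line that looks like a hard-coded credential."""
    pattern = build_pattern(extra_words)
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if pattern.search(line):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    print("default words:")
    for lineno, text in find_hardcoded_credentials(SAMPLE_LINES):
        print(f"  line {lineno}: {text}")
    print("with extra words oauthToken, secret:")
    for lineno, text in find_hardcoded_credentials(SAMPLE_LINES, ("oauthToken", "secret")):
        print(f"  line {lineno}: {text}")
```

Running it shows why the customization matters: with the default list only the `password` line is reported, while adding `oauthToken` and `secret` also catches the token and secret literals. The environment-variable read, the empty literal and the prompt text stay unflagged, which is the behaviour you want from a check meant to be gated in CI/CD without drowning developers in noise.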