Hello there,
as you mentioned, in the analysis performed with the MsBuildScanner, the rule raising the issue belongs to the .NET analyzer, while in the sonar-scanner-cli case it’s the SonarXML analyzer that is checking that file, and apparently fails to spot the issue.
I think it’s a false negative, but I am not sure I got the correct reproducer, on my end I am trying with something like this
<configuration>
<appSettings>
<add key="somekey" value="Password={ConnectionCredentials.Password}" />
</appSettings>
</configuration>
Does this example resemble your use case?