Doubt about not detected hotspot in web.config about hardcoded credentials

Hello there,
as you mentioned, in the analysis performed with the MsBuildScanner, the rule raising the issue belongs to the .NET analyzer, while in the sonar-scanner-cli case it’s the SonarXML analyzer that is checking that file, and apparently fails to spot the issue.

I think it’s a false negative, but I am not sure I got the correct reproducer, on my end I am trying with something like this

<configuration>
  <appSettings>
    <add key="somekey" value="Password={ConnectionCredentials.Password}" />
  </appSettings>
</configuration>

Does this example resemble your use case?