.env file is not analyzed for secrets in SonarQube Server 25.1

I am currently using SonarQube Server Community Edition v25.1.0.102122 with Jenkins and the sonar-scanner CLI.

I have a .env file in the project root, and it is properly tracked by git. I enabled secrets-related rules and configured the scanner with -Dsonar.sources=. and -Dsonar.text.inclusions=.env. I also tested with a known detectable value such as AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE.

However, the .env file does not seem to be analyzed at all. It does not appear in the indexed files, is not visible in the UI, and no secrets are detected from it.

I reviewed the official documentation and related community posts, including:

Based on this, I understood that dotfiles such as .env should be supported, but I might be missing something.

Could you please clarify whether secret detection for .env files is fully supported in SonarQube Server 25.1, or if this functionality is currently limited to SonarQube Cloud?

Thank you in advance.

Hi,

Welcome to the community!

You’re using Community Build, v25.1, and the docs you cite are for Server, v2025.2. What you’re using is both too old and the wrong product.

 
HTH,
Ann

Oh, I see. I wasn’t aware of that.
Thank you for checking and clarifying.

After confirming the correct product, I found the relevant guide:

I also checked the release notes and confirmed that this feature was introduced in that version.

image747×281 25.1 KB

Thank you for your help.