.env files are not being scanned by SonarCloud

Issue: the SonarCloud scanner is not able to identify the .env files for our project. The Code tab in SonarCloud does not list the .env files. They are not analyzed.

Details:

  1. sonar.text.activate has been enabled (set to true) under the Secrets language analyzer.
  2. The regex path for secrets file identification is also updated and in line with our naming for .env. In the UI it is available under Secrets → List of file path patterns to include.
  3. The .env file was initially indexed as null by Sonar. We set sonar.lang.patterns.secrets to the .env file pattern and it started indexing the .env file as secrets, as expected.
  4. sonar.scanner.excludeHiddenFiles is also set to false, just in case it is being skipped as a hidden file. Reference from the documentation: Secrets | SonarQube Cloud Documentation.

But the scanner still misses the .env file, and security issues are not flagged by Sonar for exposed creds. The SonarCloud Code tab does not show the .env files, and I can confirm it is not part of any exclusion configs either.

CI system used: Bitbucket Pipelines
Latest scanner version used: pipe sonarsource/sonarcloud-scan:4.1.0

Issue priority: Critical

Please check this issue.

Hi Ashok,

There could be a couple of things causing the secrets not to be detected, so let us figure out together why it is not working for you.

First, in order for the scanner to analyze hidden dot files, they must be tracked in Git. I assume that is the case, as you mention using Bitbucket Pipelines, but I just want to confirm.

Secondly, does the file contain real secrets or just some placeholder values? Would it be possible to give an example, or at least let us know which types of secrets you are expecting to find in your .env file? Note that if no issues are found in hidden files, they are not shown in SonarQube Cloud.

What you could try is to copy the exact example secret from the rule page into your .env file. You can find an example in the example section underneath the “How can I fix it” tab. For example, for SonarQube tokens, in Secrets static code analysis you can find props.set("sonar_secret", "squ_b4556a16fa2d28519d2451a911d2e073024010bc") // Noncompliant, which should be detected correctly.

If an example from the documentation is detected correctly, it means that your secrets do not match our configured patterns, and it would be useful to know what kind of secrets these are. If it is not being detected in a hidden file, we need to investigate further why the file is not being analyzed. You could double-check whether it is detected in a regular file, to be sure that everything else is functioning correctly.

Let me know how it goes!

Best wishes,
Teemu R.
