Extend C# rule csharpsquid:S2068 for hard-coded secrets

Hi there,

We use SQ 10.3 CE and found that the built-in C# rule Hard-coded credentials are security-sensitive (csharpsquid:S2068) is looking only for “password, passwd, pwd, passphrase”.
In the rule itself, it is said, “It’s recommended to customize the configuration of this rule with additional credential words such as “oauthToken,” “secret,”…” and this is exactly what we want to achieve. Unfortunately, there is no way to extend the rule, and what I was able to find here, Adding coding rules (sonarsource.com), is that we need to write a new Roslyn analyzer.
Before dwelling on it, I want to double-check that it is our only option?

Hey there.

You can customize this rule right in the Sonar UI. The only catch is that if you’re using the default Sonar Way, you’ll need to create a new profile (probably extending the Sonar Way) and use that one for your projects.

Thank you, it works perfectly. However, I couldn’t find any mention of it in the documentation, might be worth adding if I’m correct.
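As an added illustration (not code from this thread or from SonarSource), the script below mimics the identifier-name heuristic that S2068 applies: it flags a non-empty string literal assigned to an identifier containing a credential word, and shows which constructed C# lines are caught with the default word list versus a list extended with the words the rule description suggests. The C# lines and the exact extended list are assumptions for the demo, not the rule's real implementation.

```python
import re

# Default words quoted in the thread, and an extended list assumed here
# from the rule description's suggestion ("oauthToken", "secret").
DEFAULT_WORDS = ["password", "passwd", "pwd", "passphrase"]
EXTENDED_WORDS = DEFAULT_WORDS + ["oauthToken", "secret"]

# Constructed C# source standing in for a scanned file.
SAMPLE_SOURCE = """\
var password = "hunter2";
string pwd = "";
var oauthToken = "ya29.abc123";
const string ClientSecret = "s3cr3t-value";
var username = "svc-account";
var passwordLength = 12;
"""

# identifier = "literal";  (optional C# declaration keyword in front)
ASSIGN_RE = re.compile(r'\b(?:var|string|const\s+string)?\s*(\w+)\s*=\s*"([^"]*)"\s*;')


def find_hard_coded_credentials(source: str, words) -> list[tuple[int, str]]:
    """Return (line_number, identifier) for every assignment of a non-empty
    string literal to an identifier containing a credential word.
    Matching is case-insensitive, so 'ClientSecret' matches 'secret'.
    An empty literal (e.g. string pwd = "") is not reported."""
    lowered = [w.lower() for w in words]
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue  # no string-literal assignment on this line
        ident, literal = m.group(1), m.group(2)
        if literal and any(w in ident.lower() for w in lowered):
            hits.append((n, ident))
    return hits


def compare_word_lists(source: str = SAMPLE_SOURCE) -> dict[str, list[tuple[int, str]]]:
    """Run the check with both word lists to show what extending it adds."""
    return {
        "default": find_hard_coded_credentials(source, DEFAULT_WORDS),
        "extended": find_hard_coded_credentials(source, EXTENDED_WORDS),
    }


if __name__ == "__main__":
    for name, hits in compare_word_lists().items():
        print(f"{name}: {hits}")
```

With the default list only line 1 is reported; the extended list also catches the OAuth token and the client secret, which is the gap the thread is about.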
