This happened using SonarQube Server Enterprise Edition v2025.6.1 (117629)
The scan was completed from an Azure DevOps pipeline using the task SonarQubeAnalyze version 7.4.2
What language is this for?
C#
Which rule?
S6418 (Hard-coded secrets are security-sensitive)
Why do you believe it’s a false-positive/false-negative?
This is a very simple example of the UserSecretsConfig builder for .net framework. It is the accepted best practice for quickly and easily providing secrets to a local instance of a .net framework web app. See this documentation for more details on this setup.
<configuration>
<configBuilders>
<builders>
<add name="Secrets" userSecretsId="2073424b-d6d8-4c0b-9ac1-94a6f55894b9" type="Microsoft.Configuration.ConfigurationBuilders.UserSecretsConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.UserSecrets, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</builders>
</configBuilders>
<appSettings configBuilders="Secrets">
<!-- Nothing relevant within this section. Just typical settings. No secrets. -->
</appSettings>
</configuration>
SonarQube is triggering specifically on the string userSecretsId
It is not flagging an actual secret. The message is:
“userSecretsId” detected here, make sure this is not a hard-coded secret.
There should be some kind of detection that userSecretsId is a common string in web.config files and at least in this specific context this line would never contain an actual secret.
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
You should be able to create a new .net framework web project, install the Microsoft.Configuration.ConfigurationBuilders.UserSecrets NuGet package and add the config portion above if the NuGet package install doesn’t create it for you.