Hardcoded secrets in YAML not detected

It seems like that hardcoded secrets like passwords in the following format are not being detected by SonarQube’s secret detection rules. Anyone knows the reason?

apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
replicas: 3
selector:
matchLabels:
test.kubernetes.io/name: app
template:
metadata:
labels:
test.kubernetes.io/name: app
spec:
containers:
- name: temporal-history
image: “test.sonarqube.io/app”
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_PASSWORD
value: sdtestfdfde123!@test

Thank you in advance.

Hello and thank you very much for your feedback!

This would be a great example for our rule S6437!
Unfortunately this rule is not yet available for Kubernetes.
Since we are constantly improving our secret detection we hopefully can add support for S6437 for Kubernetes in the near future.

I hope this helps. Best regards,
Daniel

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Late is better than never. Sonar is now able to detect the case you shared with us.

See Sonar now analyzes YAML and JSON files for secrets for more details.