Hardcoded secrets in YAML not detected

viva · April 15, 2025, 1:58am

It seems like that hardcoded secrets like passwords in the following format are not being detected by SonarQube’s secret detection rules. Anyone knows the reason?

apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
replicas: 3
selector:
matchLabels:
test.kubernetes.io/name: app
template:
metadata:
labels:
test.kubernetes.io/name: app
spec:
containers:
- name: temporal-history
image: “test.sonarqube.io/app”
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_PASSWORD
value: sdtestfdfde123!@test

Thank you in advance.

daniel_teuchert · April 17, 2025, 2:38pm

Hello and thank you very much for your feedback!

This would be a great example for our rule S6437!
Unfortunately this rule is not yet available for Kubernetes.
Since we are constantly improving our secret detection we hopefully can add support for S6437 for Kubernetes in the near future.

I hope this helps. Best regards,
Daniel

Topic		Replies	Views
Secret detection in yaml files SonarQube Server / Community Build scanner , security , secrets , yaml	2	73	November 27, 2024
SonarQube Community Edition: Hardcoded Passwords in Kubernetes config maps SonarQube Server / Community Build sonarqube , kubernetes	4	743	December 16, 2021
Secret Detection does not work SonarQube Server / Community Build secrets	1	26	April 22, 2025
Can't detect password in application.yaml or application.properties of a Java project SonarQube Server / Community Build sonarqube , sonarqube-cloud	1	14	March 24, 2025
Secret detection not finding problems on Dockerfile SonarQube Server / Community Build secrets	3	15	April 3, 2025

Hardcoded secrets in YAML not detected

Related topics