which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Enterprise Edition
Version 8.5 (build 37579)
what are you trying to achieve
Our engineers also put plain passwords / API keys / tokens in configuration files and push them to the repository. Is there any solution to scan these configuration files so we can identify the sensitive data? We hope to have SonarQube alert on this behavior. Looking forward to your reply, and thanks in advance.
Having a secret detection feature is something that might be on next year's roadmap.
Do you have concrete examples of passwords / API keys / tokens leaking into configuration files? Knowing which configuration files are the most sensitive to this problem could help us prioritize.
To scan configuration files in SonarQube, first update your sonar-project.properties to include the file types you want analyzed.
Next, create or import custom rules specifically designed to detect issues in non-code files.
Run the SonarQube scanner to process your project directory along with the configuration files.
Review the results on the SonarQube dashboard, which will display any issues detected by your custom rules.
Finally, use the feedback to adjust your configuration files or rules for improved security and compliance.
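As an added example for the steps above (this is illustrative code written for this thread, not SonarSource code and not a SonarQube plugin): a small Python scanner that walks configuration files such as `.properties` and `.env`, flags keys that look like credentials, skips placeholders like `${API_KEY}` and `changeme`, rates each hit with a Shannon entropy check, and writes the findings in SonarQube's Generic Issue Import JSON so they can be pulled into the dashboard with the real `sonar.externalIssuesReportPaths` property. The key-name list, the entropy threshold, the `engineId`/`ruleId` values and the sample file contents are all assumptions made up for this example.

```python
import json
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Key names that commonly carry credentials in .properties / .env / YAML files.
# Hypothetical list chosen for this example; extend it for your own stack.
SECRET_KEY_RE = re.compile(
    r"""(?ix)
    ^\s*(?:export\s+)?                       # optional shell 'export' prefix in .env files
    (?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_\-.]?key|token|access[_\-.]?key)[\w.\-]*)
    \s*[:=]\s*                               # '=' for properties/.env, ':' for YAML
    (?P<quote>["']?)(?P<value>[^"'\s#]+)(?P=quote)
    """
)

# Values that are references or placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<.*>|\$\w+|changeme|todo|xxx+|null|none)$", re.I)

MIN_VALUE_LENGTH = 8        # ignore short values such as 'password.min.length=8'
HIGH_ENTROPY_BITS = 3.0     # assumed threshold: random-looking values score above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    file_path: str
    line: int
    key: str
    entropy: float


def find_secrets(file_path: str, text: str) -> List[Finding]:
    """Return one Finding per line whose key looks like a credential and whose value is not a placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        if len(value) < MIN_VALUE_LENGTH or PLACEHOLDER_RE.match(value):
            continue
        findings.append(Finding(file_path, lineno, m.group("key"), round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (in practice, read from disk)."""
    findings = []
    for path, text in files.items():
        findings.extend(find_secrets(path, text))
    return findings


def to_sonar_report(findings: List[Finding]) -> dict:
    """Build the Generic Issue Import structure consumed via sonar.externalIssuesReportPaths."""
    issues = []
    for f in findings:
        severity = "BLOCKER" if f.entropy >= HIGH_ENTROPY_BITS else "MAJOR"
        issues.append({
            "engineId": "config-secret-scan",      # hypothetical engine name
            "ruleId": "hardcoded-credential",      # hypothetical rule id
            "severity": severity,
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": f"Possible hard-coded credential in key '{f.key}' (entropy {f.entropy} bits/char)",
                "filePath": f.file_path,           # must be relative to the project base dir
                "textRange": {"startLine": f.line, "endLine": f.line},
            },
        })
    return {"issues": issues}


# Constructed sample files for this example; not taken from any real project.
SAMPLE_PROPERTIES = """\
# application.properties (constructed sample)
db.url=jdbc:postgresql://db.internal:5432/app
db.password=Tr0ub4dor&3xQ9
api.key=${API_KEY}
service.token="a8f3c2e9d1b7e4f0"
password.min.length=8
welcome.message=hello
"""

SAMPLE_ENV = """\
export DB_PASSWORD='changeme'
export SLACK_TOKEN='xoxb-not-a-real-token-0000'
"""

if __name__ == "__main__":
    report = to_sonar_report(scan_files({
        "config/application.properties": SAMPLE_PROPERTIES,
        ".env": SAMPLE_ENV,
    }))
    with open("sonar-secrets.json", "w") as fh:
        json.dump(report, fh, indent=2)
    print(json.dumps(report, indent=2))
```

Run it before the scanner and point the scanner at the output with `-Dsonar.externalIssuesReportPaths=sonar-secrets.json`; the flagged files have to be inside `sonar.sources` (and indexed by the scanner) for the issues to show up on the dashboard, which is why the first step above matters. The placeholder and minimum-length filters are what keep `api.key=${API_KEY}` and `password.min.length=8` from turning into noise.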