How to use sonarqube to scan the configuration file

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

    • Enterprise Edition
    • Version 8.5 (build 37579)
  • what are you trying to achieve
    Our engineers also put plain passwords / API keys / tokens in configuration files and push them to the repository. Is there any solution to scan these configuration files so we can identify the sensitive data? We hope to alert on this behavior through SonarQube. Looking forward to your reply, and thanks in advance.
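As an added illustration of the kind of check asked for above (this is not SonarQube code and not from the thread), a small scanner that flags credential-like keys assigned literal values in `.properties` / `.env` / simple YAML style files, while ignoring placeholders and `${ENV_VAR}` references; the key patterns and the sample configuration are constructed for the example:

```python
import re

# Key names that commonly carry credentials in configuration files (constructed list).
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|api[_-]?key|token)", re.IGNORECASE)
# Values that are placeholders or environment lookups rather than literal secrets.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|\$[A-Z_]+|<.*>|changeme|xxx+|\*+)?$", re.IGNORECASE)
# Matches "key=value" and "key: value" pairs (.properties, .env, .ini, flat YAML).
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[:=]\s*(.+?)\s*$")


def find_plain_secrets(text):
    """Return (line_number, key) for every line that assigns a literal value to a credential-like key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue  # skip blank lines and comments
        m = KV_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if not SECRET_KEY_RE.search(key):
            continue
        if PLACEHOLDER_RE.match(value):
            continue  # empty, templated or placeholder value: nothing leaked
        findings.append((lineno, key))
    return findings


# Constructed sample configuration (not a real file); mixes leaked and safe entries.
SAMPLE_CONFIG = """\
# application.properties
spring.datasource.username=app
spring.datasource.password=Hunter2Hunter2
api.key=${API_KEY}
slack.token: xoxb-not-a-real-token
session.timeout=30
aws_secret_access_key=<fill-in>
"""

if __name__ == "__main__":
    for lineno, key in find_plain_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: '{key}' holds a literal value; move it to a secret store or environment variable")
```

Running it over a repository's configuration files (for instance from a pre-commit hook or a CI step) gives an alert on the behaviour described in the question until a dedicated secret-detection feature is available.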

Hello @john2

SonarQube has a Security Hotspot rule to detect hard-coded credentials:
https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-2068
The rule is designed to find hard-coded credentials in the code, but not in configuration files.

Having a secret detection feature is something that might be on next year's roadmap.

Do you have concrete examples of passwords / API keys / tokens leaking into configuration files? Knowing which configuration files are the most sensitive to this problem could help us prioritize.

Thank you.