Introducing SonarQube Secrets CLI

Hello,

I’m excited to share that we have just launched the beta version of the SonarQube Secrets CLI, and anyone can now request access.

Sonar already provides a highly efficient way to detect leaking secrets, tokens, and passwords in your codebase at various stages of the development cycle. This detection can be performed within your CI/CD pipelines or directly in your IDE via SonarQube for IDE. While these tools are powerful, they don’t strictly prevent findings from being ignored, and as we all know, once a secret reaches a Git repository, it is already too late.

This is why we developed the Secrets CLI. It delivers the same detection power but prevents the commit from occurring in the first place. By utilizing a pre-commit hook, the Secrets CLI ensures that secrets are removed before a commit can be finalized.

This tool comes at no additional cost. It is available to anyone with a SonarQube Cloud account or a commercial edition of SonarQube Server.

Check it out and let me know what you think.

Alex

7 Likes
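To make the pre-commit mechanism described above concrete, here is an added illustration (not the SonarQube Secrets CLI or any Sonar code): a minimal POSIX `sh` hook that reads the staged diff, looks only at added lines, and refuses the commit when one of a few constructed secret shapes appears. The detector patterns, the sample diffs, and the function names are all assumptions made for this example; the real tool ships a far larger detector set.

```shell
#!/bin/sh
# Illustrative pre-commit hook (added example; not the SonarQube Secrets CLI).
# Refuses a commit when an added line in the staged diff looks like a secret.

# Constructed detector patterns (POSIX ERE), matched case-insensitively:
#   - AWS access key id            AKIA + 16 chars
#   - GitHub personal access token ghp_ + 36 chars
#   - PEM private key header
#   - password/secret/token assigned a value of 8+ non-space characters
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(password|passwd|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# find_secrets: read a unified diff on stdin; print added lines that match.
# Exit status 0 when at least one line matched, 1 otherwise (grep semantics).
# Removed lines ("-") and the "+++ b/file" header are deliberately skipped,
# so deleting a secret never blocks the commit that removes it.
find_secrets() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Ei "$SECRET_PATTERNS"
}

# count_secret_lines: same scan, but print the number of matching lines
# (prints 0 and still exits 0 when nothing matches).
count_secret_lines() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Eic "$SECRET_PATTERNS" || true
}

# check_staged: scan what is actually staged in the current repository.
# Returns 1 (blocking the commit) when a suspected secret is found.
check_staged() {
    if matches=$(git diff --cached --unified=0 | find_secrets); then
        printf 'Refusing to commit: possible secret in staged changes:\n%s\n' "$matches" >&2
        printf 'Remove the value (or load it from the environment) and stage again.\n' >&2
        return 1
    fi
    return 0
}

# Constructed sample diffs for offline demonstration. The AWS key is the
# documented example value AKIAIOSFODNN7EXAMPLE, not a live credential.
SAMPLE_LEAKY_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+DEBUG = True'

SAMPLE_CLEAN_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
 import os
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]'

# When installed as .git/hooks/pre-commit, git invokes this file by that
# name; only then do we scan the real index and block on findings.
if [ "${0##*/}" = "pre-commit" ]; then
    check_staged || exit 1
fi
```

Install it with `install -m 755 pre-commit .git/hooks/pre-commit` in a test repository; a commit that stages a line like the `AWS_KEY` assignment above is then rejected before it ever reaches history, while the commit that replaces the literal with an environment lookup passes. Run without that file name, the script only defines the functions, so it can be sourced and exercised against the constructed diffs.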

Eager to learn more on this. I did sign up, but it shows “You have been waitlisted”. We want to detect secrets / tokens from all GitLab projects without installing sensors for each project in the CI/CD pipeline. Can we achieve this using this Secrets CLI? Can we connect some time next week?

Hello,

I’m not sure I understand “You have been waitlisted”.

The Secrets CLI was repackaged as a component of the SonarQube CLI and you can use it now without waiting.
You can access the SonarQube CLI here: https://docs.sonarsource.com/sonarqube-cli/quickstart-guide

The primary goal of the SonarQube CLI is to use it on developers’ machines, not in the CI/CD pipeline; there, you can just run a Sonar scan and you will get secrets scanning enabled.

Regards
Alex

1 Like