Is it possible to find secrets in .env and .gitlab-ci.yml?

  • which versions are you using: SonarQube 10.5
  • how is SonarQube deployed: Docker

I need to see secrets from .env and .gitlab-ci.yml files in Sonar.
I tried to follow this manual, but it says that files beginning with a dot will not be analyzed. Then I tried to use the trufflehog integration; everything works well except for these two files:
INFO: Sensor Import external issues report
INFO: Imported 3 issues in 2 files
INFO: External issues ignored for 2 unknown files, including: .env, .gitlab-ci.yml
INFO: Sensor Import external issues report (done) | time=52ms

Why are they ignored? Is it somehow possible to make SonarQube see those secrets? We have UNIX-based systems everywhere. Thank you very much for any piece of advice!
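A small pre-check for this limitation, added here as an example and not code from the post or from SonarSource: it assumes the trufflehog findings were already converted to SonarQube's generic external-issue JSON (the `issues[].primaryLocation.filePath` layout consumed by `sonar.externalIssuesReportPaths`) and, following the post, treats only a dot-prefixed file name as "ignored", so a CI job can surface the findings Sonar silently drops.

```python
"""Split a SonarQube external-issues report into findings the sensor will
import and findings it will ignore because the file name starts with a dot."""
import json
from pathlib import PurePosixPath

# Constructed sample report (assumed generic external-issue layout; the
# paths match the ones named in the post's log output).
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"engineId": "trufflehog", "ruleId": "secret", "severity": "BLOCKER",
         "type": "VULNERABILITY",
         "primaryLocation": {"message": "Secret found", "filePath": ".env",
                             "textRange": {"startLine": 3}}},
        {"engineId": "trufflehog", "ruleId": "secret", "severity": "BLOCKER",
         "type": "VULNERABILITY",
         "primaryLocation": {"message": "Secret found",
                             "filePath": ".gitlab-ci.yml",
                             "textRange": {"startLine": 12}}},
        {"engineId": "trufflehog", "ruleId": "secret", "severity": "BLOCKER",
         "type": "VULNERABILITY",
         "primaryLocation": {"message": "Secret found",
                             "filePath": "src/settings.py",
                             "textRange": {"startLine": 8}}},
    ]
})


def is_dot_prefixed(path: str) -> bool:
    """True when the file name itself starts with '.', as in .env."""
    return PurePosixPath(path).name.startswith(".")


def split_report(report_json: str):
    """Return (kept, dropped): issues Sonar imports vs. issues it ignores."""
    kept, dropped = [], []
    for issue in json.loads(report_json).get("issues", []):
        path = issue["primaryLocation"]["filePath"]
        (dropped if is_dot_prefixed(path) else kept).append(issue)
    return kept, dropped


def dropped_paths(report_json: str) -> list:
    """Sorted, de-duplicated file paths whose findings Sonar will not show."""
    _, dropped = split_report(report_json)
    return sorted({i["primaryLocation"]["filePath"] for i in dropped})


if __name__ == "__main__":
    kept, dropped = split_report(SAMPLE_REPORT)
    print(f"imported by SonarQube: {len(kept)}, ignored: {len(dropped)}")
    for p in dropped_paths(SAMPLE_REPORT):
        print("  finding not visible in SonarQube:", p)
```

A CI step can fail the pipeline when `dropped_paths` is non-empty, so a secret in `.env` is still acted on even though it never appears in the Sonar UI.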

Thank you @tanian.cmc, and Welcome to the community!

We are aware that the sensors currently ignore dot-prefixed files. This is on the list of issues we are considering. I will add a note of your post to link to it.

Denis

Thank you Denis! I will be waiting for the news!