Is there any predefined Rule available in javascript to not hard-code credentials and URIs

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Using version 7.9
  • what are you trying to achieve
    If any Credentials(Username&Password) Or URIs are hardcoded in javascript code,then it should show as Vulnerability.
  • what have you tried so far to achieve this
    I tried to find in the rule section,this rule is available for java,c# and etc ,but not for javscript.

Please Suggest if there is any alternative way



Indeed there is no hard-code credentials rule for JS yet. But it should be available in next release (see ticket
For hard-code URI we also don’t have a rule and don’t have plans to implement one (see comment at the bottom

Thanks Elena for Reply ,
In Version 7.1 can We Create Custom Rule for Hardcoded Credentials Or URIs in Javascript.


Are you talking about SQ version 7.1?

Custom rules for JS are deprecated and will be dropped soon. Instead you can create custom ESLint rule and import its results with external issue report.

Yes SQ 7.1

Using SQ 7.1 is not a great idea, as there is LTS (long term support) 7.9 version is released while 7.1 will not be supported anymore. So I recommend to use 7.9 or 8.0 (latest release).