Great news! Is there anything special to do? My .github/**/*.yml files are not indexed and do not show up in the code tab.
Hi Christopher!
Normally, you shouldn’t have anything specific to do, but it may not already be available depending on your version/scanner.
Are you using SonarQube Server or Cloud? If server, which version?
And which scanner are you using?
Best,
Gabin
Hi @gabin.laigle, we use Data Center Edition v2025.4.3 (113915) and `sonar.scanner.appVersion=7.2.0.5079`
Thanks for your answer! Here is the possible explanation.
Generally, dot files are only shown in the “code” tab if our analysis finds issues in them. This is a design choice to avoid leaking potentially sensitive files if we do not bring any value to them, and to avoid cluttering the UI with files that are intented to be “hidden”.
In your SonarQube Server version, GitHub Actions files are considered as regular dot files (since they are in .github), so they don’t show up in the “code” tab when no issues are reported.
Note that this is no longer true since v2025.5 and on SonarQube Cloud, since we released a dedicated GitHub Actions analyzer!
So I think here you are just lacking valid secrets in your workflows (and that’s great for you!). You can try to commit this fake workflow if you want to make sure that secrets are properly detected:
name: Workflow
on:
push:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Leak secret
run: echo "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"
Let us know if you need anything else 
Thanks, good to know that this feature is just one minor version away!
1 Like
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.