Thanks for your answer! Here is the possible explanation.
Generally, dot files are only shown in the “code” tab if our analysis finds issues in them. This is a design choice to avoid leaking potentially sensitive files if we do not bring any value to them, and to avoid cluttering the UI with files that are intented to be “hidden”.
In your SonarQube Server version, GitHub Actions files are considered as regular dot files (since they are in .github), so they don’t show up in the “code” tab when no issues are reported.
Note that this is no longer true since v2025.5 and on SonarQube Cloud, since we released a dedicated GitHub Actions analyzer!
So I think here you are just lacking valid secrets in your workflows (and that’s great for you!). You can try to commit this fake workflow if you want to make sure that secrets are properly detected:
name: Workflow
on:
push:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Leak secret
run: echo "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"
Let us know if you need anything else ![]()