No warnings about credentials in Nuget.conf

  • SonarQube Developer Edition 9.7

  • I would like to get a Vuln or Bug or Security Hotspot when scanning a Nuget.conf file containing credentials.

The Nuget.conf file contains the configuration for the .Net package manager, and if such a file is checked in with a credential that is most likely a mistake that needs to be flagged or at least reviewed.

Currently we are getting no bug/vulnerability/Security Hotspot triggered with either SonarQube Developer 9.7 or SonarLint.

Reference doc:

Example file.

<?xml version="1.0" encoding="utf-8"?>
    <add key="" value="" protocolVersion="3" />
      <add key="Username" value="NuGetter" />
      <add key="ClearTextPassword" value="xxxx" />

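As an added example (not code from the original post or from SonarSource), a small Python check a team could run in CI over NuGet.Config files while the rule does not cover them: it flags literal ClearTextPassword values under packageSourceCredentials and skips values written as %VAR% references, which NuGet expands from the environment at run time. The sample config, feed names and URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one feed with its password committed in clear text and
# one feed that reads the secret from an environment variable (NuGet expands
# %VAR% in config values), which is the pattern a reviewer would want instead.
SAMPLE_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="internal" value="https://feed.example.invalid/v3/index.json" protocolVersion="3" />
    <add key="mirror" value="https://mirror.example.invalid/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <internal>
      <add key="Username" value="NuGetter" />
      <add key="ClearTextPassword" value="xxxx" />
    </internal>
    <mirror>
      <add key="Username" value="build" />
      <add key="ClearTextPassword" value="%MIRROR_TOKEN%" />
    </mirror>
  </packageSourceCredentials>
</configuration>
"""

# A value that is exactly %NAME% is an environment-variable reference, not a secret.
ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")


def find_cleartext_credentials(xml_text):
    """Return (source name, key, value) for every literal ClearTextPassword
    under packageSourceCredentials. %VAR% references are skipped because the
    secret then lives outside the checked-in file."""
    findings = []
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    creds = root.find("packageSourceCredentials")
    if creds is None:
        return findings
    for source in creds:  # one child element per package source name
        for entry in source.findall("add"):
            key = entry.get("key", "")
            value = entry.get("value", "")
            if key.lower() == "cleartextpassword" and value and not ENV_REF.match(value):
                findings.append((source.tag, key, value))
    return findings


if __name__ == "__main__":
    for src, key, _ in find_cleartext_credentials(SAMPLE_NUGET_CONFIG):
        print(f"hard-coded {key} for package source '{src}'")
```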

Hi @dak,

Thanks for your feedback.

Our "Hard-coded credentials are security-sensitive" rule does not support NuGet config files.

I have created an issue to handle this request.
