.config files should be parsed as text as well as XML files. Also, I’m trying to understand if and how SonarCloud password rules can be configured. E.g. the rule “Hard-coded secrets are security-sensitive” (java:S6418) states:
Parameters
  credentialWords: Comma-separated list of words identifying potential credentials
  Default Value: password,passwd,pwd
How can the SonarCloud default configurations be changed for credentialWords? Is this only supported in SonarQube? It would be great to have this in SonarCloud as well. The filter could also be extended with other defaults to find more secrets.
As OP mentioned, developers often store secrets such as DB credentials, tokens, passwords and salts in .config files, and there are rules for finding password strings in text files. As it turns out, these rules are not applied to those files.
Thanks for your support.
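To make the gap concrete, here is an added example (not part of the post above and not SonarCloud's or Sonar's own rule implementation) of a small scanner that applies the quoted default credentialWords list to a .config file both ways the post asks for: as XML (appSettings / connectionStrings entries) and, when the file is not well-formed XML, as plain text. The sample .config contents, the key names, and the helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Default credentialWords from java:S6418 as quoted in the post. Everything else
# in this file is a hypothetical, illustrative scanner, not Sonar's rule code.
CREDENTIAL_WORDS = ("password", "passwd", "pwd")

# Constructed sample .config in the usual .NET appSettings / connectionStrings layout.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="ApiBaseUrl" value="https://api.example.invalid" />
    <add key="ServicePassword" value="hunter2" />
    <add key="SmtpPwd" value="" />
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=sa;Password=S3cret!;" />
  </connectionStrings>
</configuration>
"""

# Constructed sample that is NOT well-formed XML (second <appSettings> is never
# closed), so an XML-only rule would silently skip it; the text fallback catches it.
BROKEN_CONFIG = """<configuration>
  <appSettings>
    <add key="DbPassword" value="correct horse" />
  <appSettings>
</configuration>
"""


def _patterns(words):
    """Build the two text patterns for a given credentialWords list."""
    alt = "|".join(map(re.escape, words))
    # key="...Password..." value="..." attribute pairs on one line
    attr = re.compile(r'(?i)\b(?:key|name)\s*=\s*"(\w*(?:%s)\w*)"\s+value\s*=\s*"([^"]*)"' % alt)
    # Password=... / pwd: ... style pairs, e.g. inside a connection string
    kv = re.compile(r'(?i)\b(\w*(?:%s)\w*)\s*[=:]\s*([^;"\'\r\n]+)' % alt)
    return attr, kv


def _mentions(name, words):
    return any(w in name.lower() for w in words)


def _scan_text(text, words):
    """Line-oriented scan used when the file does not parse as XML."""
    attr, kv = _patterns(words)
    findings = []
    for line in text.splitlines():
        m = attr.search(line)
        if m:
            if m.group(2):  # empty value is not a hard-coded secret
                findings.append(("text", m.group(1), m.group(2)))
            continue
        for m in kv.finditer(line):
            findings.append(("text", m.group(1), m.group(2).strip()))
    return findings


def scan_config(text, words=CREDENTIAL_WORDS):
    """Return (source, name, value) findings for hard-coded credential-like values.

    source is "xml" when the file parsed as XML and "text" when the scanner fell
    back to treating the .config file as plain text.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return _scan_text(text, words)

    _, kv = _patterns(words)
    findings = []
    for elem in root.iter("add"):
        name = elem.get("key") or elem.get("name") or ""
        value = elem.get("value", "")
        if value and _mentions(name, words):
            findings.append(("xml", name, value))
        # Connection strings embed their own key=value pairs, so scan those too.
        for m in kv.finditer(elem.get("connectionString", "")):
            findings.append(("xml", "%s/%s" % (name, m.group(1)), m.group(2).strip()))
    return findings


def redact(value):
    """Keep the first character so a reviewer can recognise the value without logging it."""
    return value[:1] + "*" * (len(value) - 1)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        for source, name, value in scan_config(cfg):
            print("%s [%s] %s = %s" % (label, source, name, redact(value)))
```

The `words` parameter is the equivalent of the credentialWords rule parameter: passing a longer list (for example adding "secret" or "token") widens the net in the same way the post suggests extending the SonarCloud defaults.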