Scanning not taking named env files into account

When trying out the security scanner, it seems that named .env files (e.g. local.env, remote.env, testing.env) are not taken into account in the security scan. We tried uploading a fake password, and it was not detected.

We’re using SonarSource/sonarqube-scan-action. We didn’t specify that these files should be excluded. We saw that there are some issues w.r.t. hidden files & security scanning, but these files are not hidden. Other files in the folder are found during the scan. These files are also not excluded in the .gitignore.

Does anyone know what might be happening here?

Hi,

Welcome to the community and thanks for this report!

What plan are you on?

Thx,
Ann

Hi G Ann, we’re currently on the Teams plan.

Hi,

I was thinking secrets detection might have different capabilities in SonarQube Cloud depending on your plan, but it looks like I was wrong.

I think what’s going on here is that we scan “dotfiles” for secrets, not the .env file extension.

Explicitly, if these files were .localenv and .remoteenv instead of local.env and remote.env, they would be scanned. As it is, I think they’re not recognized. I’m going to flag this for the developers.

Ann

Great, thanks!

Hello and thank you for your message,
I think Ann has summarized it well. If you want these files to be picked up by our secret detection, you can use the sonar.text.inclusions property.

Best,
Daniel
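As an added example (not from the original thread or from SonarSource), here is a GitHub Actions workflow that runs sonarqube-scan-action and passes the sonar.text.inclusions property Daniel mentions, so that named env files such as local.env are scanned for secrets. The glob patterns, the `args` input and the secret names are assumptions; the property is assumed to replace the scanner's default inclusion list, so any default patterns you still want must be listed again.

```yaml
# Assumed workflow: .github/workflows/sonar.yml
name: SonarQube Cloud scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the scanner can attribute new code correctly.
          fetch-depth: 0

      - name: Run SonarQube scan
        uses: SonarSource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name
        with:
          # Extra scanner arguments (assumed input). The inclusion list below
          # overrides the default one, so dotfiles like .env are listed again
          # alongside the named variants the thread is about.
          args: >
            -Dsonar.text.inclusions=**/.env,**/*.env,**/*.properties,**/*.conf
```

Verify the change by committing a clearly fake test value in a file such as testing.env and confirming the scan reports it, then remove the file before merging.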

Hello,
I have one more update on this topic.
We have decided to also pick up something.env files automatically.
This change should soon be released.

Thank you again for your post!

Best,
Daniel