Secret detection does not work with SonarQube Community Edition 25.3.0 for non-code files like .ini

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension): 25.3.0.104237
  • how is SonarQube deployed: zip
  • what are you trying to achieve: secret detection of values like api_key, API_KEY, PASSWORD in .ini files and .py files on my local Mac
  • what have you tried so far to achieve this: I tried secret detection on my example.py script and test.ini files, but SonarQube fails to detect such sensitive content. Although I have properly defined the quality gate and quality profile, 0 vulnerabilities are reported by sonar-scanner.

Can you please clarify whether secret detection is available in Community Edition? If not, could you guide me on which edition I would need to access this feature?

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hey there.

Some secret detection is available in Community Build.

You can check exactly which secrets by navigating to the Rules tab of your instance and filtering to the Sonar Secrets Analyzer repository.

As mentioned, I have properly configured the Quality Profile to use those 29 rules, but SonarQube Community Edition only detects sensitive content like “aws-secret-access-key” in code files (Python or Java), not in non-code files like config.ini or .properties files. Sensitive content can be in non-code files as well and is not necessarily always in language-specific files (.py, .java, etc.).

So for a file like the config.ini below, which exists alongside the Python files, SonarQube has the limited ability to detect “aws-secret-access-key” only in the .py file but not in config.ini.
Also, SonarQube's own secrets example says the same; please see the screenshot.
The screenshot gives an example from code and not from a non-code file.

Sample config.ini contents:

[dev]
aws-secret-access-key = "abcdckefghgj"
password = test
username = test

Also, the sonar logs prove the same: sonar ignores text-based files like config.ini.

18:57:39.033 DEBUG Available languages:
18:57:39.033 DEBUG   * Python => "py"
18:57:39.033 DEBUG   * IPython Notebooks => "ipynb"
18:57:39.033 DEBUG   * Terraform => "terraform"
18:57:39.033 DEBUG   * CloudFormation => "cloudformation"
18:57:39.033 DEBUG   * Kubernetes => "kubernetes"
18:57:39.034 DEBUG   * Docker => "docker"
18:57:39.034 DEBUG   * AzureResourceManager => "azureresourcemanager"
18:57:39.034 DEBUG   * YAML => "yaml"
18:57:39.034 DEBUG   * JSON => "json"
18:57:39.034 DEBUG   * Text => "text"
18:57:39.034 DEBUG   * Secrets => "secrets"
18:57:39.035 INFO  Indexing files...
18:57:39.035 INFO  Project configuration:
18:57:39.035 INFO    Included sources: **/*.py, **/*.ini
18:57:39.043 DEBUG 'bap.py' indexed with language 'py'
18:57:39.047 DEBUG 'config.ini' indexed with no language
18:57:39.047 DEBUG 'app.py' indexed with language 'py'
18:57:39.047 DEBUG 'testp/bap.py' indexed with language 'py'
18:57:39.048 DEBUG 'testp/config.ini' indexed with no language
18:57:39.049 DEBUG 'testp/app.py' indexed with language 'py'
18:57:39.049 DEBUG 'sensitive.py' indexed with language 'py'
18:57:39.050 INFO  7 files indexed
18:57:39.051 INFO  Quality profile for py: Sonar way

18:57:39.726 DEBUG Input files for indexing: [testp/bap.py, testp/app.py, app.py, bap.py, sensitive.py]
18:57:39.728 INFO  Starting global symbols computation
18:57:39.729 INFO  5 source files to be analyzed
18:57:39.744 DEBUG 'testp/bap.py' generated metadata with charset 'UTF-8'
18:57:40.053 DEBUG 'testp/app.py' generated metadata with charset 'UTF-8'
18:57:40.087 DEBUG 'app.py' generated metadata with charset 'UTF-8'
18:57:40.115 DEBUG 'bap.py' generated metadata with charset 'UTF-8'
18:57:40.140 DEBUG 'sensitive.py' generated metadata with charset 'UTF-8'
18:57:40.172 INFO  5/5 source files have been analyzed
18:57:40.205 INFO  Starting rules execution
18:57:40.206 INFO  5 source files to be analyzed
18:57:40.792 INFO  5/5 source files have been analyzed

Hey @Ripunjay

Thanks for clarifying that the secret is in a config.ini file.

You’ll have to add .ini files to sonar.text.inclusions, as documented here. This also relies on your config.ini file being checked into Git.

After adding **/*.ini under Project Settings > General Settings > Languages > Secrets > List of file path patterns to include:

I get an issue raised:

You can also add this at the instance level if you want to configure this for all projects (just navigate to the same setting in the global Administration).
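The same setting expressed in a project-level sonar-project.properties file rather than through the UI, as an added example that is not part of the thread and not SonarSource's own documentation. It assumes the project key and layout from the scanner logs above, that sonar.text.inclusions uses the same relative glob semantics as the other Sonar inclusion properties, and that the text sensor, as its log line says, only analyzes files tracked by git:

```properties
# sonar-project.properties (added example, not from the thread)
sonar.projectKey=check_secret
sonar.sources=.
sonar.host.url=http://localhost:9000

# Add non-code files to the text/secrets sensor. Patterns are globs relative to
# the project base directory (assumption: same semantics as sonar.inclusions),
# so use **/*.ini rather than an absolute path. The sensor only analyzes files
# tracked by git, so `git add config.ini` before running the scanner.
sonar.text.inclusions=**/*.ini,**/*.properties,**/*.pem

# Keep the token out of this file (it is committed to git): pass it on the
# command line with -Dsonar.token=... or via the SONAR_TOKEN environment variable.
```

Command-line -D parameters override the file, so a `-Dsonar.text.inclusions=...` flag on the sonar-scanner invocation replaces this list rather than adding to it.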

Thanks for your reply. Please see the screenshots and kindly help.
Please see the log below.
I have configured and checked my project settings as well as the administrator settings: the properties “sonar.text.activate” and “sonar.text.inclusions” are activated, but it does not detect my files like config.ini and *.pem files.
Also, I cloned all files from Git on my local terminal before running the command below:

sonar-scanner -Dsonar.projectKey=check_secret -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000 -Dsonar.token=sqp_dtest

Please advise if there are any other params which we need to enable while running sonar-scanner so that files like config.ini can be picked up.
Why does it say “never used” for the “quality gate secrets”?
Also, in the sonar-scanner logs it says ‘config.ini’ indexed with no language.
Any idea?


22:42:24.053 DEBUG 14 non excluded files in this Git repository
22:42:24.079 INFO  1 language detected in 12 preprocessed files
22:42:24.079 INFO  0 files ignored because of scm ignore settings
22:42:24.081 INFO  Loading plugins for detected languages
22:42:24.082 DEBUG Detected languages: [py]
22:42:24.082 INFO  Load/download plugins
22:42:24.092 INFO  Load/download plugins (done) | time=10ms
22:42:24.092 DEBUG Optional language-specific plugins not loaded: [csharp, flex, go, web, javasymbolicexecution, java, javascript, kotlin, php, ruby, sonarscala, vbnet, xml]
22:42:24.095 DEBUG Plugins loaded:
22:42:24.096 DEBUG   * Python Code Quality and Security 5.0.0.20426 (python)
22:42:24.159 INFO  Load project repositories
22:42:24.159 DEBUG --> GET http://localhost:9000/batch/project.protobuf?key=check_secret
22:42:24.166 DEBUG <-- 200 http://localhost:9000/batch/project.protobuf?key=check_secret (7ms, 288-byte body)
22:42:24.272 INFO  Load project repositories (done) | time=114ms
22:42:24.284 DEBUG Available languages:
22:42:24.284 DEBUG   * Python => "py"
22:42:24.284 DEBUG   * IPython Notebooks => "ipynb"
22:42:24.285 DEBUG   * Terraform => "terraform"
22:42:24.285 DEBUG   * CloudFormation => "cloudformation"
22:42:24.285 DEBUG   * Kubernetes => "kubernetes"
22:42:24.285 DEBUG   * Docker => "docker"
22:42:24.285 DEBUG   * AzureResourceManager => "azureresourcemanager"
22:42:24.286 DEBUG   * YAML => "yaml"
22:42:24.286 DEBUG   * JSON => "json"
22:42:24.286 DEBUG   * Text => "text"
22:42:24.287 DEBUG   * Secrets => "secrets"
22:42:24.287 INFO  Indexing files...
22:42:24.287 INFO  Project configuration:
22:42:24.294 DEBUG 'sensitive.properties' indexed with no language
22:42:24.297 DEBUG 'test.ini' indexed with no language
22:42:24.297 DEBUG '1.pem' indexed with no language
22:42:24.297 DEBUG 'README.md' indexed with no language
22:42:24.298 DEBUG '2.pem' indexed with no language
22:42:24.298 DEBUG 'config.ini' indexed with no language
22:42:24.299 DEBUG 'sonar-project.properties' indexed with no language
22:42:24.300 DEBUG 'sonar-project.ini' indexed with no language
22:42:24.301 DEBUG 'app.py' indexed with language 'py'
22:42:24.302 DEBUG 'sensitive.py' indexed with language 'py'
22:42:24.302 DEBUG 'sonar-project-2.properties' indexed with no language
22:42:24.303 DEBUG 'awssecret/config.ini' indexed with no language
22:42:24.304 INFO  12 files indexed
22:42:24.305 INFO  Quality profile for py: Sonar way

22:42:24.948 INFO  Sensor Python Sensor [python]
22:42:24.952 WARN  Your code is analyzed as compatible with all Python 3 versions by default. You can get a more precise analysis by setting the exact Python version in your configuration via the parameter "sonar.python.version"
22:42:24.969 DEBUG Input files for indexing: [app.py, sensitive.py]
22:42:24.971 INFO  Starting global symbols computation
22:42:24.972 INFO  2 source files to be analyzed
22:42:24.985 DEBUG 'app.py' generated metadata with charset 'UTF-8'
22:42:25.304 DEBUG 'sensitive.py' generated metadata with charset 'UTF-8'
22:42:25.340 INFO  2/2 source files have been analyzed
22:42:25.372 INFO  Starting rules execution
22:42:25.372 INFO  2 source files to be analyzed
22:42:25.569 DEBUG Symbol _Never has conflicting fully qualified names:typing_extensions.Never,typing.Never
22:42:25.569 DEBUG It has been disambiguated with its latest Python version available symbol.
22:42:25.879 INFO  2/2 source files have been analyzed
22:42:25.879 INFO  The Python analyzer was able to leverage cached data from previous analyses for 0 out of 2 files. These files were not parsed.
22:42:25.880 DEBUG Collected metric: PYTHON_VERSION_SET_KEY=0
22:42:25.880 DEBUG Collected metric: PYTHON_DATABRICKS_FOUND=0

22:42:26.435 INFO  Using git CLI to retrieve untracked files
22:42:26.491 INFO  Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
22:42:26.494 DEBUG '1.pem' generated metadata with charset 'UTF-8'
22:42:26.495 DEBUG 'sonar-project.properties' generated metadata with charset 'UTF-8'
22:42:26.495 DEBUG 'config.ini' generated metadata with charset 'UTF-8'
22:42:26.496 DEBUG 'sensitive.properties' generated metadata with charset 'UTF-8'
22:42:26.497 DEBUG 'awssecret/config.ini' generated metadata with charset 'UTF-8'
22:42:26.498 DEBUG '2.pem' generated metadata with charset 'UTF-8'
22:42:26.499 DEBUG 'test.ini' generated metadata with charset 'UTF-8'
22:42:26.500 DEBUG 'sonar-project.ini' generated metadata with charset 'UTF-8'
22:42:26.500 DEBUG 'sonar-project-2.properties' generated metadata with charset 'UTF-8'
22:42:26.512 INFO  11 source files to be analyzed
22:42:26.540 INFO  11/11 source files have been analyzed
22:42:26.541 INFO  Sensor TextAndSecretsSensor [text] (done) | time=557ms


Can someone please help here

Please do not bump threads.

I created a topic, when can I expect a response?

This is an open community with people volunteering their free time to provide assistance. We’re eager to contribute to the community, but you are not guaranteed a fast response.

Be patient

  • Wait a few days before bumping a topic that hasn’t received a response.

Hey again.

As far as the scanner logs go, everything looks correct.

What I doubt is correct is the secret you’re trying to pick up. The scanner will only detect real secrets, and do its best to filter out false-positives. Your key starts with abcd, which is filtered out by the rule.

I suggest you try the example in the rule description, kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb.
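The false-positive filtering described in this reply, as an added, self-contained example that is not SonarSource's analyzer and not code from the thread. It scans INI text for options whose name looks like an AWS secret access key and only reports a value that has the shape of a real key (40 characters of [A-Za-z0-9/+]), is not an obvious placeholder, and has reasonable entropy. The key-name regex, the placeholder prefix list and the entropy threshold are assumptions chosen for illustration; the two sample INI inputs are constructed to mirror the two config.ini variants posted in this thread:

```python
from __future__ import annotations

import configparser
import math
import re
from dataclasses import dataclass

# Option names that look like an AWS secret access key slot (assumed pattern,
# not the analyzer's real one): aws-secret-access-key, AWS_SECRET_KEY, ...
KEY_NAME_RE = re.compile(r"aws[_\-.]?secret[_\-.]?(?:access[_\-.]?)?key", re.I)
# Shape of a real AWS secret access key: exactly 40 characters of [A-Za-z0-9/+].
SECRET_SHAPE_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
# Prefixes typical of documentation/test placeholders (assumed list).
PLACEHOLDER_PREFIXES = ("abcd", "example", "xxxx", "your", "changeme", "test")
# Per-character Shannon entropy floor; real keys sit well above it (assumed value).
MIN_ENTROPY_BITS = 3.5


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    verdict: str  # "secret", or the reason the value was rejected


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def classify_value(raw: str) -> str:
    """Decide whether raw looks like a genuine AWS secret access key."""
    value = raw.strip().strip("\"'")  # INI values often carry surrounding quotes
    if not SECRET_SHAPE_RE.match(value):
        return "rejected: not 40 base64-like characters"
    if value.lower().startswith(PLACEHOLDER_PREFIXES):
        return "rejected: placeholder prefix"
    if shannon_entropy(value) < MIN_ENTROPY_BITS:
        return "rejected: low entropy"
    return "secret"


def scan_ini(text: str) -> list[Finding]:
    """Parse INI text and classify every option whose name looks like an AWS secret key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: list[Finding] = []
    for section in parser.sections():
        for key, raw in parser.items(section):
            if KEY_NAME_RE.search(key):
                findings.append(Finding(section, key, classify_value(raw)))
    return findings


def secrets_only(text: str) -> list[Finding]:
    """Only the findings a scanner would actually report as issues."""
    return [f for f in scan_ini(text) if f.verdict == "secret"]


# Constructed sample inputs mirroring the two config.ini variants from the thread.
PLACEHOLDER_INI = """[dev]
aws-secret-access-key = "abcdckefghgj"
password = test
username = test
"""

REAL_SHAPE_INI = """[dev]
aws-secret-access-key = "kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb"
password = test
username = test
"""

if __name__ == "__main__":
    for label, ini in (("placeholder", PLACEHOLDER_INI), ("real shape", REAL_SHAPE_INI)):
        for f in scan_ini(ini):
            print(f"{label}: [{f.section}] {f.key} -> {f.verdict}")
```

Run stand-alone it reports the 12-character "abcdckefghgj" value as rejected on shape and the 40-character value from the rule description as a secret. The `password = test` and `username = test` lines are never considered because their names do not match the key pattern and their values have no secret-like shape, which is the kind of line a shape-based detector will not flag no matter which files it is pointed at.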

In SonarQube Community Edition 25.3.0, secret detection is limited and does not work effectively for non-code files like .env, .txt, or configuration files. The Community Edition primarily focuses on code analysis and lacks built-in secret scanning for non-code content. To detect secrets in such files, users must rely on external tools like Gitleaks or TruffleHog. The Enterprise Edition of SonarQube includes advanced secret detection capabilities. For comprehensive scanning, integrating third-party security tools alongside SonarQube is recommended.

I tried the above suggestion as well; it did not work.
Based on the other user's comment, it seems this is not supported in SonarQube Community Edition 25.3.0.

[dev]
aws-secret-access-key = "kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb"
password = test
username = test

I’m using Community Build 25.3, and the issue is being raised. @Ikrash_Saif is incorrect.

But this is not correct; you also felt that the logs all seemed fine. What further can be done to debug this issue/behaviour?

What bothers me is why the “quality profile” for secrets is shown as never used. That means it's not getting picked up, although the scanner context does list the files that are included, and the same files are reflected in the logs as well.
Something is not right with the secret detection feature in SonarQube CE.

00:51:53.992 INFO  Using git CLI to retrieve untracked files
00:51:54.033 INFO  Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
00:51:54.036 DEBUG '1.pem' generated metadata with charset 'UTF-8'
00:51:54.038 DEBUG 'sonar-project.properties' generated metadata with charset 'UTF-8'
00:51:54.038 DEBUG 'config.ini' generated metadata with charset 'UTF-8'
00:51:54.039 DEBUG 'sensitive.properties' generated metadata with charset 'UTF-8'
00:51:54.040 DEBUG 'awssecret/config.ini' generated metadata with charset 'UTF-8'
00:51:54.040 DEBUG '2.pem' generated metadata with charset 'UTF-8'
00:51:54.041 DEBUG 'test.ini' generated metadata with charset 'UTF-8'
00:51:54.042 DEBUG 'sonar-project.ini' generated metadata with charset 'UTF-8'
00:51:54.043 DEBUG 'sonar-project-2.properties' generated metadata with charset 'UTF-8'
00:51:54.054 INFO  11 source files to be analyzed
00:51:54.082 INFO  11/11 source files have been analyzed
00:51:54.083 INFO  Sensor TextAndSecretsSensor [text] (done) | time=470ms

  - sonar.text.inclusions=/Users/abcde/Downloads/abcd_poc/test-python/test-sonar/test.ini,config.ini,test.ini,**/*.py,**/*.ini,**/*.properties,**/*.pem
  - sonar.token=******