which versions are you using: sonarqube:2025-lta-developer
how is SonarQube deployed: Docker
what are you trying to achieve: scan sensitive values in my bitbucket repository
what have you tried so far to achieve this: hardcoded keys, secrets and tokens in a Dockerfile, enabled secrets in Administration > Configuration > Languages > Secrets
added Dockerfile, **/*.py, **/*.ts, **/*.js etc. to the list
It was only able to detect ENV GOOGLE_API_KEY as a security issue.
I want to enable Sonar secret scanning for all repositories in my project. Hence, for a test I intentionally added these secrets in my Dockerfile and SonarQube failed to detect them. What am I missing?
Hey @sbhaskar, welcome to the community and thanks for your question!
There are several reasons why you may find fewer results than expected:
- Some of your secrets may look "too fake" or like placeholders, so our analyzer is not raising them as an issue to avoid noisy false positives.
- For specific secret providers, we may not currently support their specific pattern. For example, Twilio secrets have only recently been added to SonarQube Cloud in beta and should be part of the next SonarQube Server LTA release.
- For generic secrets like password, api_key etc., these would fall under the S2068 and S6418 rules. These rules are currently not supported for Docker but could be in the future.
Here is a snippet of a Dockerfile that would raise issues:

```dockerfile
FROM scratch
ENV AWS_SECRET_ACCESS_KEY="kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb"
ENV GITHUB_TOKEN="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"
ENV GOOGLE_API_KEY="AIzaf4Six4MjGwxvkarrf1LPUaCdyNSjzsyIoRI"
ENV SLACK_BOT_TOKEN="xoxb-592666205443-2542034435697-FM7vdsq184d0G5vBNiOq8MSF8t7"
ENV STRIPE_SECRET_KEY="sk_live_kiSSAXe2IyGNvprHode7efRT"
RUN curl -u "me:password" https://example.com
RUN mysql --password=MySuperPassword db_name
```
Again, thanks for your feedback, it greatly helps us to improve our products.
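To make the three reasons in the reply concrete, here is an added example (it is not part of this thread and is not SonarQube's own detection logic) of how a secret scanner for Dockerfile ENV lines typically behaves: provider-specific patterns fire on well-formed tokens, values that look like placeholders are suppressed to avoid false positives, and a generic password with no recognisable shape is not reported at all. The regexes are simplified approximations of the token shapes shown in the reply's snippet, the placeholder heuristic (keyword list, character variety, Shannon entropy) is constructed for this example, and every sample value is constructed rather than a real credential.

```python
import math
import re

# Simplified provider patterns, constructed for this example. They approximate the
# token shapes in the thread's snippet and are NOT SonarQube's rule definitions.
PROVIDER_PATTERNS = {
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack-bot-token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{20,}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# AWS secret access keys have no fixed prefix, so anchor on the variable name
# plus a 40-character base64-like body.
AWS_SECRET_NAME = re.compile(r"AWS_SECRET_ACCESS_KEY", re.I)
AWS_SECRET_BODY = re.compile(r"^[A-Za-z0-9/+=]{40}$")

# Words that mark a value as a placeholder rather than a live credential (assumed list).
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "dummy", "your_",
                     "xxx", "test", "fake", "sample", "redacted")

# Handles the single "ENV NAME=value" / "ENV NAME value" form only; multi-pair ENV
# lines are out of scope for this example.
ENV_LINE = re.compile(r"^\s*ENV\s+([A-Za-z_][A-Za-z0-9_]*)[=\s]+(.+?)\s*$")


def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above 3, 'xxxx...' scores 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """True when the value looks 'too fake' to be worth reporting."""
    v = value.strip().strip("\"'")
    if len(v) < 8:
        return True
    low = v.lower()
    if any(w in low for w in PLACEHOLDER_WORDS):
        return True
    if len(set(v)) <= 3:          # e.g. "xxxxxxxx" or "00000000"
        return True
    return shannon_entropy(v) < 3.0


def scan_dockerfile(text):
    """Return one finding per ENV line whose value matches a known provider shape.

    Each finding records whether the placeholder heuristic would suppress it.
    Values with no recognisable provider shape (generic passwords) produce nothing,
    mirroring the reply's point that generic rules are not applied to Docker.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        value = raw.strip().strip("\"'")
        provider = next((p for p, rx in PROVIDER_PATTERNS.items() if rx.search(value)), None)
        if provider is None and AWS_SECRET_NAME.search(name) and AWS_SECRET_BODY.match(value):
            provider = "aws-secret-access-key"
        if provider is None:
            continue
        findings.append({"line": line_no, "name": name, "provider": provider,
                         "suppressed": is_placeholder(value)})
    return findings


# Constructed sample Dockerfile: the AWS value is the well-known documentation
# placeholder (it contains "EXAMPLE"), the second GitHub value is all x's, and
# DB_PASSWORD is a generic password with no provider shape.
SAMPLE_DOCKERFILE = """\
FROM scratch
ENV AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ENV GITHUB_TOKEN="ghp_Qm3vT8bL2xK9pWz4nR7sJ1cY6hD0fG5aVu2E"
ENV GOOGLE_API_KEY="AIzaQw7Rt2Yu9Io4Pa1Sd6Fg8Hj3Kl5Zx0Cv2Bn"
ENV SLACK_BOT_TOKEN="xoxb-123456789012-123456789012-Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8"
ENV STRIPE_SECRET_KEY="sk_live_Ab3Cd5Ef7Gh9Ij1Kl3Mn5Op7"
ENV GITHUB_TOKEN_TEMPLATE="ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ENV DB_PASSWORD="MySuperPassword"
RUN mysql --password="$DB_PASSWORD" db_name
"""

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        status = "suppressed (placeholder)" if f["suppressed"] else "REPORTED"
        print(f"line {f['line']}: {f['name']} -> {f['provider']}: {status}")
```

Running the block reports the GitHub, Google, Slack and Stripe values, suppresses the two placeholder-looking values, and says nothing about DB_PASSWORD. When a test secret is not flagged, the first thing to check is therefore which of those three buckets it falls into, since each has a different fix (use a realistic-looking test value, wait for provider support, or accept that generic-password rules do not yet cover Docker).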