Hello,
We host an Enterprise Edition Version 9.9.4 (build 87374) on-premise for all our internal projects. I mainly work on PHP projects, but our configuration is written in YAML since we are using the Symfony framework.
I tried to clean up the code of an old project with a lot of legacy as much as possible, and my current task is to remove all hard-coded passwords, tokens, or certificates from the codebase. With detect-secrets, I have a lot of results, and I wanted to cross-check them with Sonar results. I noticed that secrets detection is done correctly in PHP code, but all YAML files are ignored.
After checking the configuration, I don’t see where we can activate this detection.
I see in some other topics that my Sonar version doesn’t have any rules for YAML, but I think that maybe TextAndSecretsSensor should be able to check those files. (I don’t have the sonar.text.excluded.file.suffixes config in my sonar-project.properties.)
I tried to add sonar.text.inclusions=**/*.sh, **/*.php, **/*.xml, **/*.css, **/*.yaml, **/*.yml, **/*.json, **/*.html, **/*.phtml in my sonar-project.properties to force the analysis, but there are still no results.
If not, does anybody know a Sonar plugin that can do the job?
Thanks for your help,
Arnaud