Secret detection not finding problems on Dockerfile

  • which versions are you using: SonarQube 10.8, Scanner based on image sonarsource/sonarqube-scan-action@v3.1.0;
  • how is SonarQube deployed: zip;
  • what are you trying to achieve: to find secrets on Dockerfiles and .py files;
  • what have you tried so far to achieve this: executed multiple scans, updated the SQ Server from 10.6 to 10.8;

On my SQ Enterprise there are projects where we can see secrets, but the scan isn’t able to find them. Some variables are explicit in their names:

→ python: client_secret, tenant_id, client_id, server_hostname;
→ docker: ENV AWS_BUCKET_NAME, ACCOUNT_NAME, CLIENT_ID, CLIENT_SECRET, AWS_KEY_ID, AWS_ACCESS_KEY;

Even with variables with these names, the scan isn’t able to find any issues regarding secrets; and more than that, on some projects SQ doesn’t find any security issues.
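A name-based heuristic for the two file kinds named in the post (Dockerfile `ENV`/`ARG` lines and Python string assignments), added here as an example; it is not SonarQube’s rule logic nor code from the thread. It assumes constructed sample files with fake values and flags only hardcoded literals, treating `${VAR}` references as resolved at build or run time.

```python
import re

# Name-based matching is a heuristic: real secret detectors usually match the
# *value* format (e.g. a provider-specific key shape), so treat hits as review items.
SECRET_NAME = re.compile(
    r"(?i)(secret|token|password|passwd|api_?key|access_?key|key_id|private_key)"
)

# Dockerfile: `ENV KEY=value`, `ENV KEY value`, `ARG KEY=value` (first pair only)
DOCKER_RE = re.compile(r"^\s*(?:ENV|ARG)\s+(\w+)(?:=|\s+)(.+?)\s*$", re.M)
# Python: `name = "literal"` or `name = 'literal'` on a single line
PYTHON_RE = re.compile(r"^\s*(\w+)\s*=\s*(['\"])(.+?)\2\s*$", re.M)


def _is_literal(value: str) -> bool:
    """True for a hardcoded literal, False for `$VAR` / `${VAR}` references."""
    v = value.strip().strip("\"'")
    return bool(v) and not v.startswith("$")


def find_hardcoded_secrets(text: str, kind: str):
    """Return (line_number, variable_name) for secret-named variables assigned a literal."""
    pattern = DOCKER_RE if kind == "dockerfile" else PYTHON_RE
    hits = []
    for m in pattern.finditer(text):
        name = m.group(1)
        value = m.group(2) if kind == "dockerfile" else m.group(3)
        if SECRET_NAME.search(name) and _is_literal(value):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, name))
    return hits


# Constructed sample inputs (hypothetical; values are placeholders, not real secrets).
SAMPLE_DOCKERFILE = """FROM python:3.12-slim
ENV AWS_BUCKET_NAME=my-bucket
ENV CLIENT_SECRET=example-not-a-real-secret
ENV AWS_ACCESS_KEY ${AWS_ACCESS_KEY}
ENV AWS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
"""
SAMPLE_PY = """client_id = "11111111-2222-3333-4444-555555555555"
client_secret = "example-not-a-real-secret"
tenant_id = os.environ["TENANT_ID"]
"""

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_DOCKERFILE, "dockerfile"))  # [(3, 'CLIENT_SECRET'), (5, 'AWS_KEY_ID')]
    print(find_hardcoded_secrets(SAMPLE_PY, "python"))  # [(2, 'client_secret')]
```

`AWS_BUCKET_NAME` and `client_id` are not flagged because nothing in their names suggests a credential; the `${AWS_ACCESS_KEY}` line is skipped because the value is a reference, not a literal.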

Hi,

Your version is past EOL. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

10.8 → 2025.1.1 → 2025.2 (last step optional)

You may find the Upgrade Guide helpful.

If you have questions about upgrading, feel free to open a new thread for that here.

Once you upgrade, you’ll have access to the latest secrets detection rules. If your secrets still aren’t detected then, please do come back to us.

Ann

Hi Ann,

Thank you for your answer; I still need some clarification about this.

On SQ Server EE 10.8 we have 122 secrets detection rules, and on the Sonarsource site about rules that’s the total number of rules regarding secrets, so, in the end, there are no rules missing in my environment.

Is there anything more on these versions about secrets? And, in this case, do I only have the option of starting to use the LTA version of SonarQube?

Hi,

On rules.sonarsource.com today I see 256 rules.

And I simply can’t help you with an EOL version.

Ann