I am trying to detect secrets in a JavaScript file. Rule S2068 works OK if it's an exact match:
myMerchant: {
  merchantId: 'removed',
  merchantKey: 'removed',
  merchantSecret: '123456789',
This works with credentialWords: password, pwd, passwd, merchantSecret
But I really want to be able to use a regex expression to detect all occurrences, like /.*secret.*/gi, but I cannot get it working.
It appears S6418 (Hard-coded secrets are security-sensitive) does not support JavaScript.
Hi Rick and welcome to the community!
If you have Enterprise Edition, I would recommend using this feature: Secrets.
It allows you to use regular expressions and is the most flexible format.
If you want to understand the logic of S2068 better, you can find the source code here: SonarJS/packages/jsts/src/rules/S2068/rule.ts at master · SonarSource/SonarJS · GitHub
Thank you I will investigate that.
However we are considering moving to SonarCloud which does not allow custom rules or plugins.
Would this approach work on SonarCloud?
Unfortunately, the custom secret pattern feature is not yet available for SonarCloud.
Thank you Hendrik.
I had to create a new quality profile from extending the secrets QP and add the new rule, then add the additional custom profile to my project.
I can’t get case insensitivity to work:
matching:
  pattern: ".*secret.*/gmi"
This works:
matching:
  pattern: ".*secret.*"
but it does not pick up this merchantSecret, but does pick up this:
RickNash (Rick), July 17, 2024, 10:14am
I managed to figure it out:
matching:
  pattern: "(?i).*secret.*"
Thank you for your help
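The three patterns from this thread, run against constructed lines modelled on the snippet above (added example, not SonarSource code). It assumes, as the thread shows, that the custom secrets pattern is compiled as a bare regex string, so a JavaScript-style "/gmi" suffix is matched literally while the inline "(?i)" flag enables case-insensitivity; Python's re is used here in place of the Java regex engine, and both accept "(?i)".

```python
import re

# Constructed sample lines, modelled on the snippet in the thread.
SAMPLE_LINES = [
    "myMerchant: {",
    "  merchantId: 'removed',",
    "  merchantKey: 'removed',",
    "  merchantSecret: '123456789',",
    "  clientsecret: 'abcdef',",
    "  password: 'hunter2',",
    "}",
]

# Credential words from the thread: the S2068-style check needs the key to match exactly.
CREDENTIAL_WORDS = ("password", "pwd", "passwd", "merchantSecret")

# Simplified key/value extractor for `key: 'value'` object-literal lines (assumption for the demo).
KEY_VALUE = re.compile(r"^\s*(?P<key>\w+)\s*:\s*['\"](?P<value>[^'\"]*)['\"]")


def credential_word_hits(lines, words=CREDENTIAL_WORDS):
    """Exact-key matching: returns the keys whose name is one of the credential words."""
    hits = []
    for line in lines:
        m = KEY_VALUE.match(line)
        if m and m.group("key") in words and m.group("value"):
            hits.append(m.group("key"))
    return hits


def regex_hits(lines, pattern):
    """Apply a bare regex string the way a `matching: pattern:` entry is used.

    Returns the keys of the key/value lines the pattern matches. Flags must be
    inline, e.g. (?i); a trailing /gmi is just four literal characters.
    """
    rx = re.compile(pattern)
    hits = []
    for line in lines:
        m = KEY_VALUE.match(line)
        if m and rx.search(line):
            hits.append(m.group("key"))
    return hits


if __name__ == "__main__":
    print(credential_word_hits(SAMPLE_LINES))          # exact words only
    print(regex_hits(SAMPLE_LINES, ".*secret.*/gmi"))   # literal "/gmi": nothing
    print(regex_hits(SAMPLE_LINES, ".*secret.*"))       # case-sensitive
    print(regex_hits(SAMPLE_LINES, "(?i).*secret.*"))   # case-insensitive
```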