Secret scanner misses the identification of login credentials in JS-Code

FSC · March 26, 2025, 4:51pm

In a customer project we do have one JavaScript-file for which we already know that it contains login credentials which are leftover from the development process. The specific snippet are the following lines:

[...] 
FC_DEMO_USER_PASSWORD = 'Firmcloud1!', 
FC_DEMO_USER_NAME = 'customer@firm-cloud.org', FC_SW_USER_PASSWORD = 'Firmcloud1!', 
FC_SW_USER_NAME = 'sandworm@firm-cloud.org', 
[...]

Actually, I do not see that the Developer Edition of the SonarQube server (v2025.1.1) marks these lines as secrets for review under “Issues > Software Quality > Security” or “Security Hotspots”, which I hoped it would do.

I have added the line “**/*.js” to the list of path patterns to include under Administration > Configuration > Languages > Secrets and run a scan on the repository another time. Still, the SonarQube server does not detect these credentials.

Do you have a recommendation which setting I could try to set additionally, or where the lines containing the secret credentials should be listed in the SonarQube server? Or does the secret identification pattern implemented in the server not match to the lines printed above?
Your support would be appreciated.

Yours sincerely.

FSC · March 27, 2025, 7:04am

In addition to my post: Is there the possibility to import the results of other secret searching tools, like truffleHog, gitleaks or noseyparker?

Alexandre_Gigleux · April 30, 2025, 2:10pm

Hello @FSC,

Thanks for your patience. I took the time to work on your case and I believe you are right.
I’ll let you know once the problem is fixed on our hand.

It’s always possible to load results from external linters using the SARIF format: Importing issues from SARIF reports | SonarQube Server Documentation

Regards
Alex

Alexandre_Gigleux · May 19, 2025, 9:33am

Hello @FSC,

Thank you once again for your valuable feedback.

We have updated our analyzer to make rule S2068 case-insensitive, which addresses the false negative you encountered. Additionally, we have aligned the JS/TS implementation with our other languages to support the detection of the keyword “passphrase” by default.

Please let us know if these changes improve your experience or if you have any further suggestions.

Alex

Topic		Replies	Views
Secret Detection Rule s2068 Hard-coded credentials are security-sensitive SonarQube Server / Community Build javascript	6	411	July 24, 2024
Secrets in source code Suggest new features	4	561	October 6, 2022
SonarQube Custom rule for scanning HardCoded Credentials SonarQube Server / Community Build javascript	1	817	July 27, 2018
Is there any predefined Rule available in javascript to not hard-code credentials and URIs SonarQube Server / Community Build javascript , sonarqube	5	637	October 17, 2019
Smarter rule for detection of hardcoded secrets in languages other than Java? New rules / language support rules , secrets	2	467	September 20, 2023

Secret scanner misses the identification of login credentials in JS-Code

Related topics