Secret Scanning Profile - Projects show 0 vulnerabilities even when secrets are present

  • ALM used (GitHub)
  • CI system used (GHA)
  • Scanner command used when applicable (default GHA workflow)
  • Project is mostly Python and shell scripts
  • Default Quality Profile for Secrets is the “SonarWay” default one.

I’m trying to figure out why SonarCloud is not detecting secrets in a shell script file in one of my Python projects. There are multiple tokens hard-coded in an env.sh file that has been committed and I want to make sure those get detected and block merges to the main branch.

But SonarCloud does not detect any vulnerabilities.

What am I missing?

Hi @mattmencel ,

Welcome to the community.
Thanks for your report. My guess is that the file you want the secrets detected in is not in the scope of the analyzer. For performance reasons, currently only files which are also touched by other analyzers are analyzed for secrets. We are currently discussing different possibilities to extend the analyzer to other files, up to the whole project. I will keep you informed about a decision here.

Best regards and sorry for the restriction,
Nils


Hello,

This is to keep you informed that we are working on a feature to allow you to define which files shall be scanned to find secrets.

The related ticket is SONARTEXT-79.

Out of the box, Sonar tries to find secrets in files corresponding to a programming language that is supported by Sonar but doesn’t look at other files such as a .conf one for example.
With SONARTEXT-79, Sonar will try to find secrets in all files of these types: .sh, .bash, .zsh, .ksh, .ps1, .yaml, .yml, .properties, .conf, .xml, .pem, .env, .config, .aws/config, and you will be able to customize the list.

This should come shortly before the end of October 2023.

Alex
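As an added illustration (not code from this thread or from SonarSource), a small Python check of which committed files fall inside the secrets-detection scope under the rule Nils describes and under the SONARTEXT-79 list Alex gives. It assumes the project's only other language analyzer is the Python one (so only `.py` files are "touched by other analyzers"), and it handles the `.env` dotfile and the `.aws/config` path entry, which a naive extension split would miss.

```python
"""Which files get a secrets pass from Sonar, before and after SONARTEXT-79."""
import os
from pathlib import PurePosixPath

# Extensions Alex lists for SONARTEXT-79; .aws/config is a path suffix, not an extension.
SONARTEXT_79_SUFFIXES = {
    ".sh", ".bash", ".zsh", ".ksh", ".ps1", ".yaml", ".yml", ".properties",
    ".conf", ".xml", ".pem", ".env", ".config",
}
SONARTEXT_79_PATH_SUFFIXES = (".aws/config",)

# Assumption for the thread's project: the only other analyzer that touches files is
# the Python one, so before SONARTEXT-79 only .py files are analyzed for secrets.
LANGUAGE_ANALYZER_SUFFIXES = {".py"}


def _suffix(path: str) -> str:
    """Scope-relevant suffix; a dotfile such as `.env` counts as its own suffix."""
    name = PurePosixPath(path).name
    if name.startswith(".") and name.count(".") == 1:
        return name  # os.path.splitext(".env") gives (".env", ""), hiding the file
    return os.path.splitext(name)[1]


def in_secret_scope(path: str, sonartext_79: bool = False) -> bool:
    """True if Sonar's secret detection would look at `path`."""
    posix = PurePosixPath(path).as_posix()
    suffix = _suffix(path)
    if suffix in LANGUAGE_ANALYZER_SUFFIXES:
        return True  # touched by the Python analyzer, so scanned either way
    if not sonartext_79:
        return False  # current rule: no other analyzer touches it, so no secrets pass
    return (suffix in SONARTEXT_79_SUFFIXES
            or any(posix.endswith(s) for s in SONARTEXT_79_PATH_SUFFIXES))


def out_of_scope(paths, sonartext_79: bool = False):
    """Committed files that would get no secrets pass, e.g. to flag in a pre-merge job."""
    return [p for p in paths if not in_secret_scope(p, sonartext_79)]


# Constructed sample file list modelled on the project described in the thread.
SAMPLE_TREE = ["app/main.py", "scripts/env.sh", "deploy/.env",
               "ci/.aws/config", "README.md", "logo.png"]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"SONARTEXT-79={flag}: no secrets pass ->", out_of_scope(SAMPLE_TREE, flag))
```

Under the current rule the committed env.sh from the original question is skipped, which matches the "0 vulnerabilities" result; after SONARTEXT-79 it is in scope.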