Secret Scanning Profile - Projects show 0 vulnerabilities even when secrets are present

  • ALM used (GitHub)
  • CI system used (GHA)
  • Scanner command used when applicable (default GHA workflow)
  • Project is mostly Python and shell scripts
  • Default Quality Profile for Secrets is the “SonarWay” default one.

I’m trying to figure out why SonarCloud is not detecting secrets in a shell script file in one of my Python projects. There are multiple tokens hard-coded in an env.sh file that has been committed and I want to make sure those get detected and block merges to the main branch.

But SonarCloud does not detect any vulnerabilities.

What am I missing?

Hi @mattmencel ,

Welcome to the community.
Thanks for your report. My guess is that the file you want the secrets detected in is not in the scope of the analyzer. For performance reasons currently only files are analyzed for secrets which are also touched by other analyzers. We are currently discussing different possibilities to extend the analyzer to other files, up to the whole project. I will keep you informed about a decision here.

Best regards and sorry for the restriction,
Nils
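Until the analyzer's scope is extended, a team can cover a committed shell file like env.sh with its own check in CI. The following is an added example, not SonarCloud's rule set and not code from the original thread: a small Python scanner that looks for two well-known token shapes (AWS access key IDs and GitHub personal access tokens, both assumed heuristics here) and for high-entropy literal values assigned to variables whose names suggest a secret. The sample env.sh content is constructed and contains no real credentials.

```python
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Assumed token shapes (public formats, not Sonar's detectors): AWS access key
# IDs start with "AKIA" + 16 uppercase alphanumerics; GitHub PATs start with
# "ghp_" + 36 alphanumerics.
TOKEN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# A shell assignment: optional "export", NAME=value, value optionally quoted.
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=["']?([^"'\s#]+)["']?"""
)
# Variable names that usually hold credentials (heuristic list).
SENSITIVE_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|APIKEY|PRIVATE_KEY)", re.I
)
MIN_SECRET_LEN = 16
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 sits well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


@dataclass
class Finding:
    line_no: int
    rule: str
    variable: Optional[str]


def scan_env_text(text: str) -> List[Finding]:
    """Scan shell-style text line by line and return suspected hard-coded secrets."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no assignment
        m = ASSIGNMENT.match(line)
        name = m.group(1) if m else None
        value = m.group(2) if m else None

        # 1) Known token formats match anywhere on the line.
        matched = False
        for rule, pattern in TOKEN_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, name))
                matched = True
        if matched or m is None:
            continue

        # 2) Sensitive-looking variable with a literal, random-looking value.
        #    Values that reference another variable ($VAR) are injected at
        #    runtime and are not hard-coded secrets.
        if SENSITIVE_NAME.search(name) and not value.startswith("$"):
            if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-secret-assignment", name))
    return findings


# Constructed sample env.sh; every value below is fake and illustrative only.
SAMPLE_ENV_SH = (
    "#!/usr/bin/env sh\n"
    "# constructed sample, not a real env.sh\n"
    "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
    'export GITHUB_TOKEN="ghp_' + "a1B2" * 9 + '"\n'
    "export DB_PASSWORD=$DB_PASSWORD_FROM_CI\n"
    "export SERVICE_API_KEY='9f8e7d6c5b4a39281706f5e4d3c2b1a0'\n"
    "export LOG_LEVEL=debug\n"
)


def main(argv: List[str]) -> int:
    """Scan the files given on the command line (or the sample); non-zero exit on findings."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv] or [("<sample>", SAMPLE_ENV_SH)]
    total = 0
    for path, text in sources:
        for f in scan_env_text(text):
            print(f"{path}:{f.line_no}: {f.rule} (variable: {f.variable})")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python scan_env.py env.sh` in a pre-merge job; the non-zero exit status is what lets the workflow block the merge, which is the behaviour the original post wanted from SonarCloud. The entropy check is a heuristic and will need tuning per repository (build identifiers and checksums also look random), so treat its findings as candidates for review rather than as proof.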

A post was split to a new topic: Weird data on the Secrets Quality Profile