- ALM used (GitHub)
- CI system used (GHA)
- Scanner command used when applicable (default GHA workflow)
- Project is mostly Python and shell scripts
- Default Quality Profile for Secrets is the “SonarWay” default one.
I’m trying to figure out why SonarCloud is not detecting secrets in a shell script file in one of my Python projects. There are multiple tokens hard-coded in an env.sh file that has been committed, and I want to make sure those get detected and block merges to the main branch.
But SonarCloud does not detect any vulnerabilities.
What am I missing?