Secrets detection not working

Hello, I'm looking for instructions on how to activate secret detection on the cloud version? I committed secrets on purpose and by default they are not getting detected.

Hi,

Welcome to the community!

The first thing to do is make sure secrets analysis is not deactivated. It’s on by default, but can be turned off by setting sonar.text.activate=false in your analysis properties.

Then make sure the secrets rules are active in your Quality Profile.

Also, it’s worth mentioning that some secret detection is available in all plans, but advanced secret detection starts in the Enterprise plan ($$).

HTH,
Ann

OK, so here is how I set things up: I went to https://sonarcloud.io/, gave it access to a few repos inside GitHub, and it automatically started analyzing code. I can see it on the portal, but I don't see any secrets detected. I committed a file full of secrets and there is nothing on the portal.

Hi,

What kinds of files (language, and extension) did you put the secrets in?

Thx,
Ann

Ahh, so I put them in a txt file. Now that you mentioned that, I changed it to a py file, and it detected some secrets…

Here is the file. All secrets are fake, but SQ only detected 4 secrets from this entire file. Is that expected vs all of them?

# TEST FILE FOR SONARQUBE SECRET DETECTION
# WARNING: These are FAKE/TEST secrets only - DO NOT USE IN PRODUCTION

# AWS Credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjE///////////wEaCXVzLWVhc3QtMSJIMEYCIQC...

# GitHub Personal Access Token
GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

# API Keys
API_KEY=sk_live_1234567890abcdefghijklmnopqrstuvwxyz
STRIPE_SECRET_KEY=sk_test_51Habc123xyz789def456ghi012jkl345mno678pqr
TWILIO_AUTH_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz

# Database Credentials
DATABASE_PASSWORD=SuperSecretPassword123!
MYSQL_PASSWORD=MyP@ssw0rd#2024
POSTGRES_PASSWORD=postgres_secret_2024
MONGODB_PASSWORD=mongo123!@#password

# OAuth Tokens
OAUTH_TOKEN=ya29.a0AfH6SMBx1234567890abcdefghijklmnopqrstuvwxyz
GOOGLE_OAUTH_CLIENT_SECRET=GOCSPX-1234567890abcdefghijklmnopqrstuvwxyz
FACEBOOK_APP_SECRET=1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t

# JWT Tokens
JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# Private Keys (RSA)
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
-----END RSA PRIVATE KEY-----

# Private Keys (SSH)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAFwAAAAdzc2gtcn
-----END OPENSSH PRIVATE KEY-----

# Auth0 Secrets
AUTH0_CLIENT_SECRET=abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
AUTH0_MANAGEMENT_API_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

# Slack Tokens
SLACK_BOT_TOKEN=xoxb-1234567890-1234567890123-abcdefghijklmnopqrstuvwx
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

# Docker Hub Credentials
DOCKER_PASSWORD=docker_secret_password_12345
DOCKER_REGISTRY_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

# Email SMTP Passwords
SMTP_PASSWORD=email_password_123!@#
MAILGUN_API_KEY=key-1234567890abcdefghijklmnopqrstuvwxyz

# Encryption Keys
ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SECRET_KEY=my-super-secret-key-1234567890abcdefghijklmnopqrstuvwxyz

# Cloud Provider Secrets
AZURE_CLIENT_SECRET=abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
GCP_SERVICE_ACCOUNT_KEY={"type":"service_account","project_id":"test-project","private_key_id":"1234567890abcdef"}

# Payment Gateway Secrets
PAYPAL_CLIENT_SECRET=abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
SQUARE_ACCESS_TOKEN=sq0atp-1234567890abcdefghijklmnopqrstuvwxyz

# Social Media API Keys
TWITTER_BEARER_TOKEN=AAAAAAAAAAAAAAAAAAAAA1234567890abcdefghijklmnopqrstuvwxyz
INSTAGRAM_ACCESS_TOKEN=IGQWRN1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

# Generic Secrets
SECRET=my_secret_value_12345
PASSWORD=TestPassword123!
TOKEN=token_1234567890abcdefghijklmnopqrstuvwxyz

Hi,

Thanks for the update.

Excellent question! I’m going to flag this for the language experts.

Ann

Hello @tacta! Welcome to the community :smile:

First of all, note that if you want to analyze .txt files (or any specific file extension) for secrets, you can do so by adding the extension to the sonar.text.inclusions property. You can find it in your project settings in SonarQube Cloud (on your project page, “Administration” > “General Settings” > “Languages” > “Secrets”).

As for the specific secrets you’re trying to detect, almost all are not detected because they look “too fake”, so we don’t detect them to avoid creating noise in your workflow! Here is a detailed breakdown:

  • MYSQL_PASSWORD, POSTGRES_PASSWORD, JWT_SECRET, Private keys (RSA & SSH), PASSWORD: detected
  • AWS_ACCESS_KEY_ID: non-sensitive, it’s an ID not a secret
  • AWS_SECRET_ACCESS_KEY: fake, contains EXAMPLE
  • AWS_SESSION_TOKEN, AUTH0_MANAGEMENT_API_TOKEN, DOCKER_REGISTRY_TOKEN: incomplete
  • GITHUB_TOKEN, API_KEY, TWILIO_AUTH_TOKEN, OAUTH_TOKEN, GOOGLE_OAUTH_CLIENT_SECRET, SLACK_BOT_TOKEN, MAILGUN_API_KEY, ENCRYPTION_KEY, SECRET_KEY, GCP_SERVICE_ACCOUNT_KEY, SQUARE_ACCESS_TOKEN, TWITTER_BEARER_TOKEN, INSTAGRAM_ACCESS_TOKEN, SECRET, TOKEN: fake, contains 123456
  • STRIPE_SECRET_KEY: it’s a test key (sk_test) and is not the right length for Stripe keys
  • DATABASE_PASSWORD, MONGODB_PASSWORD, DOCKER_PASSWORD, SMTP_PASSWORD: fake, contains password
  • FACEBOOK_APP_SECRET: not the right length for a Facebook App key, should be 32 chars
  • AUTH0_CLIENT_SECRET: not the right length for an Auth0 secret, should be 64 chars
  • PAYPAL_CLIENT_SECRET: not the right format, should start with E[A-Z] and have 78 chars

You can trust that SonarQube will protect you if you’re leaking real secrets. Here is your file, but with “real-looking” values:

# AWS Credentials
AWS_ACCESS_KEY_ID=ASIAIOSFODNN7GUTXNEL
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzP+jR7+38k+As5LshPIjvtpswqGb
AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEKL//////////wEaDGV1LWNlbnRyYWwtMSJHMEUCIQDFlDUEvUa6slxlkKKn8zbLkN/j1f7lKJdXJ03PQ5T5ZwIgDYlshciO8nyfnmjUfFy4I2+rEuPHBe"

# GitHub Personal Access Token
GITHUB_TOKEN=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

# API Keys
API_KEY=V1Vu1kkTwGAQJqz0szrBqQ9LYg0K4rpi
STRIPE_SECRET_KEY=sk_live_kiSSAXe2IyGNvprHode7efRT
TWILIO_SID=SK14ba7791f143ac398504503c86a596bd
TWILIO_AUTH_TOKEN=7ea29c19d04523dca055c04add3bbaad

# Database Credentials
DATABASE_PASSWORD=7QPSMLv7oBT4
MYSQL_PASSWORD=7QPSMLv7oBT4
POSTGRES_PASSWORD=7QPSMLv7oBT4
MONGODB_PASSWORD=7QPSMLv7oBT4

# OAuth Tokens
OAUTH_TOKEN=V1Vu1kkTwGAQJqz0szrBqQ9LYg0K4rpi
GOOGLE_KEY=573596364929-intnbplawt4tu1mrpvyijnwvdyagv9mt.apps.googleusercontent.com
GOOGLE_OAUTH_CLIENT_SECRET=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
FACEBOOK_ID=023039123091238
FACEBOOK_APP_SECRET=a569a8eee3802560e1416edbc4ee119d

# JWT Tokens
JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# Private Keys (RSA)
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
-----END RSA PRIVATE KEY-----

# Private Keys (SSH)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAFwAAAAdzc2gtcn
-----END OPENSSH PRIVATE KEY-----

# Auth0 Secrets
AUTH0_CLIENT_SECRET=UivcLTuVzhl04sB4dmr2x4oThNPXrPvi6bhIxu8FNNyRR12Izx_CRbAx7SuFf8cX
AUTH0_MANAGEMENT_API_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# Slack Tokens
SLACK_BOT_TOKEN=xoxb-592666205443-2542034435697-FM7vdsq184d0G5vBNiOq8MSF8t7
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/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

# Docker Hub Credentials
DOCKER_PASSWORD=7QPSMLv7oBT4
DOCKER_REGISTRY_TOKEN=dXNlcm5hbWU6c3VwZXJzZWNyZXRwYXNzd29yZA

# Email SMTP Passwords
SMTP_PASSWORD=7QPSMLv7oBT4
MAILGUN_API_KEY=key-9392bf4edd483c111748f422750442fe

# Encryption Keys
ENCRYPTION_KEY=V1Vu1kkTwGAQJqz0szrBqQ9LYg0K4rpi
SECRET_KEY=V1Vu1kkTwGAQJqz0szrBqQ9LYg0K4rpi

# Cloud Provider Secrets
AZURE_CLIENT_SECRET=V1Vu1kkTwGAQJqz0szrBqQ9LYg0K4rpi
GCP_SERVICE_ACCOUNT_KEY={"private_key": "-----BEGIN PRIVATE KEY-----\nKBww9jggAgBEHBCBAASIMDsoCBAuAQINAgFAGSXQTkiAE0cEIkoQghJAqGavB/r3\n2W6raHa1Qrfj6pii5U2Ok53SxCyK3TxYc3Bfxq8orZeYC9LQ/I3tz7w4/BnT71AD\nfP1i8SWHsRMIicSuVFcRoYMA+A1eNSmdrujdBNWgedfuSyHbPnNY7s8BBUIoBN7I\n8gJG5DUUKAZfZDB2c/n7Yu0=\n-----END PRIVATE KEY-----\n","auth_uri": "https://accounts.google.com/o/oauth2/auth"}

# Payment Gateway Secrets
PAYPAL_CLIENT_SECRET=EIgoolo7aemaiYeil0OfeabahgeiThohtoonizouwoohahmoi2hai6ohg4nohwie4ou0Tha4zei8raeX
SQUARE_ACCESS_TOKEN=sq0csp-DhS0-uamQ8WJeo9Oba-zeu5XePXXhgbTpL1_ESlucM0

# Social Media API Keys
TWITTER_BEARER_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
INSTAGRAM_ACCESS_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# Generic Secrets
SECRET=iN1KtmV2xIgdtOs1la7ugo1Pt7gLDjykprJsTELMuULRJQrlBoftwZn92Redve5k
PASSWORD=7QPSMLv7oBT4
TOKEN=iN1KtmV2xIgdtOs1la7ugo1Pt7gLDjykprJsTELMuULRJQrlBoftwZn92Redve5k

Note that, for the generic secrets, more rules will be released this week on SonarQube Cloud!

Let us know if we can help with anything else :smile:

Best,
Gabin

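To make the two mechanisms in this thread concrete (a file has to be in the scanned set at all, and a candidate value then has to survive a set of "looks like demo data" filters before a shape rule or a generic check reports it), here is a small scanner written for this edit. It is an illustrative approximation and not SonarQube's rule implementation: the inclusion globs, the extra placeholder markers beyond EXAMPLE / 123456 / "password", the regex lengths (taken from the real-looking values Gabin posted) and the entropy threshold are all my own assumptions. The sample input is constructed from the fake values in both files above.

```python
"""Toy two-stage secrets scanner: pull candidate values out of a file, then
discard the ones that look like demo data. Written as an illustration for this
thread; it is not SonarQube's implementation and its thresholds are guesses."""
import fnmatch
import math
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed inclusion globs: .txt is absent, which is why a .txt file goes unscanned.
SCANNED_GLOBS = ("*.py", "*.env", ".env", "*.properties", "*.yml", "*.sh")
# Placeholder markers (lower-case). EXAMPLE, 123456 and "password" are the reasons
# given in the thread; "abcdefghij" and "xxxxxxxx" are my own additions.
PLACEHOLDER_MARKERS = ("example", "123456", "password", "abcdefghij", "xxxxxxxx")
# Value-shape rules for a few providers. Lengths are assumptions matching the
# real-looking values posted above, not Sonar's rule definitions.
PROVIDER_RULES = (
    ("github-pat", re.compile(r"^ghp_[A-Za-z0-9]{36}$")),
    ("slack-bot-token", re.compile(r"^xoxb-\d+-\d+-[A-Za-z0-9]+$")),
    ("google-oauth-client-secret", re.compile(r"^GOCSPX-[A-Za-z0-9_-]{28}$")),
)
PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----$")
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|KEY", re.IGNORECASE)
IDENTIFIER_NAME = re.compile(r"(_ID|_SID)$")  # AWS_ACCESS_KEY_ID, TWILIO_SID: ids, not secrets


@dataclass(frozen=True)
class Verdict:
    line_no: int
    name: str
    status: str  # "detected" or "skipped"
    reason: str  # rule that fired, or why the candidate was discarded


def is_scanned(path: str) -> bool:
    """Stage 0: files outside the inclusion globs are never looked at."""
    return any(fnmatch.fnmatch(os.path.basename(path), g) for g in SCANNED_GLOBS)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def char_classes(s: str) -> int:
    return sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def judge(name: str, value: str) -> Tuple[str, str]:
    """Stage 2: decide whether one NAME=VALUE candidate is worth reporting."""
    if IDENTIFIER_NAME.search(name):
        return "skipped", "identifier, not a secret"
    lowered = value.lower()
    for marker in PLACEHOLDER_MARKERS:
        if marker in lowered:
            return "skipped", f"placeholder marker '{marker}'"
    if value.endswith("..."):
        return "skipped", "truncated value"
    for rule, pattern in PROVIDER_RULES:
        if pattern.match(value):
            return "detected", rule
    # Generic fallback: secret-ish name plus a value that looks random enough.
    if (SECRET_NAME.search(name) and len(value) >= 12
            and char_classes(value) >= 3 and shannon_entropy(value) >= 3.0):
        return "detected", "generic-high-entropy"
    return "skipped", "no matching rule"


def scan(text: str) -> List[Verdict]:
    """Stage 1: pull candidates (NAME=VALUE lines and PEM headers) out of a file."""
    verdicts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PEM_BEGIN.match(line.strip()):
            verdicts.append(Verdict(line_no, "<pem>", "detected", "private-key-block"))
            continue
        m = ASSIGNMENT.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip("\"'")
            verdicts.append(Verdict(line_no, name, *judge(name, value)))
    return verdicts


def detected(text: str) -> List[Tuple[int, str, str]]:
    return [(v.line_no, v.name, v.reason) for v in scan(text) if v.status == "detected"]


# Constructed sample mixing fake values from both files in the thread.
SAMPLE = """\
# constructed sample
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjE///////////wEaCXVzLWVhc3QtMSJIMEYCIQC...
GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
GITHUB_TOKEN=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
DATABASE_PASSWORD=SuperSecretPassword123!
DATABASE_PASSWORD=7QPSMLv7oBT4
GOOGLE_OAUTH_CLIENT_SECRET=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
SLACK_BOT_TOKEN=xoxb-592666205443-2542034435697-FM7vdsq184d0G5vBNiOq8MSF8t7
TWILIO_SID=SK14ba7791f143ac398504503c86a596bd
SECRET=iN1KtmV2xIgdtOs1la7ugo1Pt7gLDjykprJsTELMuULRJQrlBoftwZn92Redve5k
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAFwAAAAdzc2gtcn
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path in ("secrets.txt", "secrets.py"):
        print(path, "scanned" if is_scanned(path) else "not scanned (extension not included)")
    for v in scan(SAMPLE):
        print(f"{v.line_no:>2} {v.status:8} {v.name:27} {v.reason}")
```

Running it prints a verdict per candidate: the six real-looking values (the 36-character ghp_ token, the 12-character passwords, the GOCSPX secret, the xoxb token, the 64-character generic SECRET and the PEM block) are reported, while the EXAMPLE, 123456 and "password" values, the truncated session token and the two identifiers are skipped with the reason. The order of checks matters: identifier and placeholder filters run before any shape rule, so a well-formed but obviously fake token never reaches the reporter, which is the trade-off Gabin describes between recall and noise.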