Secrets in source code

We need to identify in our source code any hard-coded secrets (Pwd, Token_Api, …).
The SonarCloud S2068 rule we currently use identifies secrets using a comparison between variable names and a list of keywords configured on SonarCloud. As you can imagine, this option is limited.
Do you have any solution/rule that allows for more complete detection of secrets through, for example: regex rules? High-entropy string detection? Other solutions? If not, what do you recommend?

Hello mazza and welcome to the community!

What language are you talking about? For Java, we just released a new rule: Credentials should not be hard-coded (S6437). It identifies hard-coded credentials by looking for known password-accepting methods.

Other than that, I do not think there is currently a rule that allows you to do what you asked for in SonarCloud. My recommendation here would be to use an external script that uses your desired approach to detect additional hard-coded secrets and then import the issues: Generic Issue Data | SonarCloud Docs


It's for C# and Scala.

Thanks for the update! It is not unlikely that S6437 will also come for other languages, but there are no concrete plans yet. So I would recommend going with the Generic Issue Data import.
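An added example (not code from this thread or from SonarSource) of the external-script approach recommended in both replies above: it combines a keyword regex with a Shannon-entropy check over string literals and emits the result as a Generic Issue Data JSON document for sonar.externalIssuesReportPaths. The rule ids, patterns, threshold and the sample C# lines are constructed for illustration; verify the JSON field names against the current SonarCloud docs before relying on them.

```python
import json
import math
import re
from collections import Counter

# Constructed heuristics (assumptions, not SonarCloud rules): a keyword assignment
# regex plus a Shannon-entropy check on long quoted literals.
KEYWORD_RE = re.compile(
    r'(?i)\b(pwd|password|secret|token|api[_-]?key)\b\s*[=:]\s*["\']([^"\']{6,})["\']')
LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')
ENTROPY_THRESHOLD = 4.0  # bits per character; tune for your own code base


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _issue(rule_id, path, lineno, match, message):
    # One entry in the Generic Issue Data format (field names as documented
    # for sonar.externalIssuesReportPaths; check against current docs).
    return {"engineId": "secret-scan", "ruleId": rule_id, "severity": "CRITICAL",
            "type": "VULNERABILITY",
            "primaryLocation": {"message": message, "filePath": path,
                                "textRange": {"startLine": lineno, "endLine": lineno,
                                              "startColumn": match.start(),
                                              "endColumn": match.end()}}}


def find_secrets(path, text):
    """Return one issue dict per suspicious line of a single source file."""
    issues = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEYWORD_RE.search(line)
        if m:  # keyword hit wins; do not also report it as high entropy
            issues.append(_issue("keyword-secret", path, lineno, m,
                                 f"Hard-coded {m.group(1)} assignment"))
            continue
        for m in LITERAL_RE.finditer(line):
            ent = shannon_entropy(m.group(1))
            if ent >= ENTROPY_THRESHOLD:
                issues.append(_issue("high-entropy-string", path, lineno, m,
                                     f"High-entropy literal ({ent:.2f} bits/char)"))
    return issues


def build_report(issues):
    """Serialise issues as the JSON document the scanner imports."""
    return json.dumps({"issues": issues}, indent=2)


# Constructed sample: one keyword hit, one low-entropy literal, one high-entropy literal.
SAMPLE = ('var ok = "hello";\nstring Pwd = "Sup3r$ecretPass";\n'
          'var blob = "aaaaaaaaaaaaaaaaaaaaaaaa";\n'
          'var t = "q7Rv2Lp9xM4nZk8wT3yH6bC1dF5gJ0sA";\n')
```

Run find_secrets over each file in the checkout, write build_report's output to a file, and pass its path via sonar.externalIssuesReportPaths to the scanner.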
