Secrets quality profile is not getting picked by sonarqube analysis

Hey Colin

I’m using SonarQube Server v10.8.1 Developer Edition. We are testing whether secrets are getting detected with the Secrets QP. On trying this we are getting some issues, but not the issue related to AWS credentials which we are expecting. I also understand that the language profile, when used standalone, by default scans the code for secrets; even that is giving the same issue posted below.

Hi,

Could you provide a reproducer? I.e. an anonymized code snippet that reproduces the false positive?

Thx,
Ann

This is the Python file where we are expecting the QP to give the AWS creds-related issue.

Hi,

Thanks for the example. I’ve flagged this for the experts.

Ann

Hi Ankit,

Are you experiencing the same issue with real AWS secrets?

Our secret detection mechanism is pattern-based, and filters out some common placeholders and patterns to avoid raising an issue on secrets that look invalid, to avoid false positives.

In your example, the value is shorter than expected (40 characters) and does include patterns (“test”, “abcd”, …) that avoid raising an issue here.
If you just want to see what it looks like, you could use one of the test patterns in the file I linked above.

Best wishes,
Teemu

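As an added illustration of the heuristic Teemu describes (not SonarQube's own implementation, and not code from anyone in this thread), the following Python scanner matches an AWS secret access key assignment by pattern, then skips candidates whose length is not the expected 40 characters or that contain placeholder markers such as "test" or "abcd". The regex for the key's character set, the variable-name pattern, and the extra placeholder markers ("example", "xxxx", "1234", "dummy") are assumptions; the sample input is constructed and contains no real credentials.

```python
import re

# Illustrative pattern-based secret detector with placeholder filtering.
# Assumption: an AWS secret access key is 40 characters from the base64
# alphabet, assigned to a variable whose name mentions the AWS secret key.
AWS_SECRET_RE = re.compile(
    r"""(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[:=]\s*['"]?([A-Za-z0-9/+=]+)['"]?"""
)
EXPECTED_LENGTH = 40

# Substrings that mark a value as a placeholder rather than a real credential.
# "test" and "abcd" are the ones named in the thread; the rest are assumptions.
PLACEHOLDER_MARKERS = ("test", "abcd", "example", "xxxx", "1234", "dummy")


def classify_value(value):
    """Return 'secret' if the value should raise an issue, otherwise a skip reason."""
    if len(value) != EXPECTED_LENGTH:
        return f"skipped: length {len(value)}, expected {EXPECTED_LENGTH}"
    lowered = value.lower()
    for marker in PLACEHOLDER_MARKERS:
        if marker in lowered:
            return f"skipped: placeholder pattern '{marker}'"
    return "secret"


def scan(source):
    """Scan source text; return (line_no, value, verdict) for every candidate."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in AWS_SECRET_RE.finditer(line):
            value = match.group(1)
            findings.append((line_no, value, classify_value(value)))
    return findings


def issues(source):
    """Only the candidates that would actually be reported as issues."""
    return [(n, v) for n, v, verdict in scan(source) if verdict == "secret"]


# Constructed sample input (no real credentials):
#   line 1: too short, so filtered out
#   line 2: 40 characters but contains the "example" marker, so filtered out
#   line 3: 40 characters with no placeholder marker, so reported
SAMPLE = """\
aws_secret_access_key = "testabcd1234"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "Qz8kLm3nRv1pXs7tYw5uBc2dFg4hJk6lMn9oPq0r"
"""

if __name__ == "__main__":
    for line_no, value, verdict in scan(SAMPLE):
        print(f"line {line_no}: {value!r} -> {verdict}")
```

Running it shows why a short value like the one in the original post never reaches the report: the length check rejects it before the placeholder check is even consulted, while a full-length value that merely contains a known marker is still dropped as a likely test fixture.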