Smarter rule for detection of hardcoded secrets in languages other than Java?


used java:S2068 Java static code analysis: Hard-coded passwords are security-sensitive in the past, got a lot of false positives, and switched to java:S6418 Java static code analysis: Hard-coded secrets are security-sensitive which works fine.

Details here Why SonarQube 9.9 LTS is a must-have for Java developers

Now my question is, will this smarter rule for detecting hardcoded secrets also be available for other languages besides Java ?

Even in the latest version Sonarqube 10.2 such a rule exists only for Java.


Yes, that’s the plan to reduce the scope of S2068 which is too broad, and to add S6418 for JS/TS, C#, Python, and PHP to start with, before extending to other languages.

Have in mind that in parallel to this effort we are extending secret patterns supported by our Secret Detection engine. It should reach 100+ patterns supported for the upcoming SQ 10.3



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.