Sonar can detect 110 secret patterns across 60 cloud providers

Dear Community,

I’m back with some news about our Secret Detection feature. We made an update to support more secret patterns and we crossed the symbolic number of 100 secret patterns covered by 60 rules. To be precise, it’s now 110 secret patterns that SonarCloud supports. Around the end of October, this feature will also be available for SonarQube users with v10.3.
Last, SonarLint users will be able to detect these secrets before they even leak into a Git repository. It’s just a matter of days before you can upgrade your SonarLint to get it.

We started to look at what you think about the issues raised by these secret rules since the feature was enabled last week on SonarCloud. So far, so good. The false-positive rate is on average very low, at around 3%.
Still, we identified some rules that you don’t like, and you are right. In particular, the rule S6697 (“MySQL database passwords should not be disclosed”) is not performing well, especially on test files. In general, we will have to adjust the behavior of a couple of rules on test files. This is already something we are working on, and we want to thank you for your feedback and patience.
On the same topic, our rules wrongly identify placeholders as hard-coded tokens whereas these placeholders are used for legitimate purposes, such as retrieving tokens from a vault. This is something we will also adjust soon.

As always, your feedback is a gift, so don’t hesitate to get in touch and share your thoughts.

Enjoy!
Alex

6 Likes
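As an illustration of the two false-positive classes described in the post (placeholders that are resolved from a vault or the environment, and dummy MySQL passwords in test files), here is a small classifier added to this thread as an example; it is not Sonar's own code and does not reproduce how rule S6697 works. The regexes, the `_test.go`/`tests/` file-name convention, the dummy-word list and the entropy threshold are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Candidate extraction: a MySQL DSN of the form user:password@tcp(host)/db, or an
# assignment such as MYSQL_PASSWORD = "..." / password: ...
DSN = re.compile(r'\b[A-Za-z0-9_]+:([^@\s"\']+)@tcp\(')
KEY = re.compile(r'(?i)\b(?:mysql_)?password\s*[:=]\s*["\']?([^"\'\s,]+)')
# Runtime references (env vars, vault/template interpolation, doc placeholders).
PLACEHOLDER = re.compile(
    r'^(?:\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>|\{\{[^}]*\}\}|__\w+__)$')
DUMMY_WORDS = {'password', 'passwd', 'secret', 'changeme', 'root', 'test', 'example'}
# Assumed test-file convention; adjust to the repository's own layout.
TEST_FILE = re.compile(r'_test\.go$|\.spec\.|(?:^|/)tests?/|(?:^|/)test_')


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, dictionary words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(path: str, line: str):
    """Return (verdict, value) for the first password candidate on the line, or None.

    'placeholder' and 'test-dummy' are suppressed; 'weak-default' and 'secret'
    are reported. A high-entropy value is reported even in a test file, since
    real credentials do leak through fixtures."""
    match = DSN.search(line) or KEY.search(line)
    if not match:
        return None
    value = match.group(1)
    if PLACEHOLDER.match(value):
        return ('placeholder', value)
    looks_dummy = value.lower() in DUMMY_WORDS or shannon_entropy(value) < 3.0
    if looks_dummy:
        return ('test-dummy' if TEST_FILE.search(path) else 'weak-default', value)
    return ('secret', value)


if __name__ == '__main__':
    # Constructed sample lines, not taken from any real project.
    samples = [
        ('src/db.go', 'dsn := "app:Xk9$v2pLq8!mZr4w@tcp(db:3306)/shop"'),
        ('src/config.yaml', 'password: ${VAULT_MYSQL_PASSWORD}'),
        ('internal/db_test.go', 'dsn := "root:password@tcp(127.0.0.1:3306)/test"'),
    ]
    for path, line in samples:
        print(f'{path:22} {assess(path, line)}')
```

Only the 'weak-default' and 'secret' verdicts would surface as findings, which is the behaviour the thread asks for on test fixtures and vault references.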

Thanks @Alexandre_Gigleux. I am trying to find some good documentation on Secret Detection in the docs and not finding anything.

Specifically, I’m looking at how to denote that a secret is an example in a test file. Our developers are getting findings in Go tests and it’s becoming disruptive; we are on SonarQube 10.2.1.

Thanks!

1 Like

We considered the feedback related to test files and we implemented a couple of fixes. You will get them with the upcoming SonarQube 10.3.

2 Likes