Sonar can detect 67 secret patterns across 29 cloud providers

Dear Community,

We are thrilled to announce that we have continued our commitment to helping developers write code that is responsible and trustworthy. We are excited to share that we have made a significant investment in Secret Detection.

With this latest update, Sonar can now detect 67 secret patterns across 29 cloud providers. This means that Sonar is now more powerful in identifying potential security vulnerabilities related to secrets and sensitive information.

I won’t list all the secret patterns as we usually do, because it would be too much. If you are interested in the details, please have a look at https://rules.sonarsource.com/secrets/.

This was made possible by rewriting the Sonar secret detection engine with a new approach, which allows us to cover new secret patterns more quickly than before. The engine is open source, and the YAML files defining the secret patterns are also open source.

We know that our community is filled with amazing individuals, and we understand that you may be tempted to contribute to our efforts. We greatly appreciate your enthusiasm and support! However, we want to be transparent about our internal plans to expand our coverage even further in the near future. If you are interested in contributing, we would love to hear from you about the specific types of secrets you would like to see covered sooner rather than later.
In the next phase, we will be fully open to receiving pull requests (PRs) from the community. To facilitate this process, we will provide dedicated documentation to guide you through the contribution process.

Lastly, I would like to thank all the people who already discovered these rules on SonarCloud and provided feedback: the Django Secret Key rule is noisy; we know it, and we will fix it soon on SonarCloud.

Enjoy!
Alex