Sonar now analyzes "dotfiles" for secrets

Hello Community,

We’re excited to announce a significant enhancement to our secret detection capabilities that closes a common and critical security blind spot. Sonar now analyzes “dotfiles” and files located in “dot paths” for leaked secrets!

The Problem: Secrets Hiding in Plain Sight

In modern development, dotfiles are everywhere. Files like .env, .credentials, and .npmrc are routinely used to store environment variables and configuration settings. Similarly, dot paths like .github/workflows or .circleci/ are standard for CI/CD pipelines.

While convenient, these locations are a hotspot for hardcoded secrets: API keys, database passwords, and authentication tokens. A simple misconfiguration in a .gitignore file can cause these sensitive files to be accidentally committed to your repository, exposing them to anyone with access.

The Solution: No More Blind Spots

Sonar’s analysis engine now dives deep into these previously ignored locations to find hardcoded credentials.

This means Sonar will raise issues for secrets found in files like:

  • .env
  • .gitconfig
  • .aws/credentials
  • And any file located within a directory like .mozilla/firefox/.

Examples of What Sonar Can Now Find

Here are a couple of examples of the types of leaks Sonar will now detect:

1. Credentials in an .env file:

# .env
# Development environment variables
DATABASE_URL="postgres://user:password123@localhost:5432/mydb"
AWS_SECRET_ACCESS_KEY="kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb"

2. A GitHub token hardcoded in a local .gitconfig:

# ~/.gitconfig
[user]
    name = Jane Doe
    email = jane.doe@example.com

[github]
    user = janedoe
    token = ghp_x1y2z3a4b5c67890x1y2z3a4b5c67890abcd
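
As an added illustration (not Sonar's code or its rule set), here is a minimal scanner that shows why skipping dot locations leaves the two leaks above undetected: it applies a few constructed patterns modelled on the secrets in the examples, and a switch reproduces the old blind spot. The regexes, the SAMPLE_REPO contents, and the function names are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Hypothetical rules loosely modelled on the leak types in the examples above.
# Constructed for this illustration; they are not Sonar's actual detectors.
RULES = {
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*=\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # scheme://user:password@host  -> credentials embedded in a connection URL
    "password-in-url": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@"),
}


def in_dot_location(path: str) -> bool:
    """True for a dotfile (.env) or any file under a dot directory (.github/...)."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in PurePosixPath(path).parts)


def scan(files: dict[str, str], include_dot_locations: bool = True):
    """Return (path, line_no, rule) for each match.

    include_dot_locations=False reproduces the former blind spot, where
    dotfiles and dot paths were not analyzed at all.
    """
    findings = []
    for path, text in files.items():
        if not include_dot_locations and in_dot_location(path):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((path, line_no, rule))
    return findings


# Constructed sample repository contents (values are fake, taken from the post).
SAMPLE_REPO = {
    ".env": 'DATABASE_URL="postgres://user:password123@localhost:5432/mydb"\n'
            'AWS_SECRET_ACCESS_KEY="kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb"\n',
    ".gitconfig": "[github]\n    user = janedoe\n"
                  "    token = ghp_x1y2z3a4b5c67890x1y2z3a4b5c67890abcd\n",
    ".github/workflows/ci.yml": "env:\n  TOKEN: ${{ secrets.GH_TOKEN }}\n",
    "src/config.py": 'DB = "postgres://app:hunter2@db:5432/app"\n',
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_REPO):
        print(finding)
```

With the switch off, only src/config.py is reported; with it on, the .env and .gitconfig leaks surface as well, while the workflow file that references a CI secret by name is correctly left alone.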

This feature is available now. We encourage you to run a fresh analysis on your projects to benefit from this deeper level of protection.

Enjoy!
Alex
