Sonar now analyzes YAML and JSON files for secrets

Hello Community,

We’re excited to announce a significant enhancement to our secret detection capabilities: Sonar now analyzes YAML and JSON files for leaked secrets!

The Problem

YAML and JSON files are widely used to configure and deliver software. It’s easy to accidentally paste a secret into these files, which can then be pushed to your repository.

The Solution

Sonar’s analysis engine now scans YAML and JSON files to detect leaked secrets.

How to Use

Because YAML and JSON files are very common, this feature is not activated by default. You can enable it on demand by setting the following properties:

sonar.yaml.activate=true
sonar.json.activate=true

Once these properties are provided to the Scanner, YAML and JSON files will be included in the analysis, currently only when using the Scanner CLI. We are working to update our other Scanners to support this feature seamlessly.

Subscription Impact

Because Sonar now scans YAML and JSON files, the lines of code (LOCs) in these files will be counted and will contribute to the total LOCs consumed under your subscription.

This enhancement is available now on SonarQube Cloud. We encourage you to run a fresh analysis on your projects to benefit from this extra level of protection.

Enjoy!
Alex



Hi @Alexandre_Gigleux

Great stuff! Do you have any ETA for the DOTNET scanner?

Also what version of SonarQube Server and what version of the CLI scanner are required for this to work?

thanks

Tony

Hello,

You need SonarQube Server 2025.4.

For the Scanner CLI, there is no specific version required.

Alex


Thanks Alex - I am guessing the DOTNET version is similar to my question elsewhere - you have no ETA for this?

Though if no specific version of the CLI scanner is required to support it, then why is it limited to the CLI scanner at the moment, and why do you need to work on updating the other ones?

thanks

Tony