We are upgrading SonarQube from v8.9 to v9.9 LTS.
Due to Java version incompatibility, we discovered that the following plugins are not supported in the SonarQube 9.9 version.
GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.
Has anyone experienced a similar problem? If so, does anyone have a solution or advice?
SonarQube offers secrets detection out of the box, and with 10.2 that functionality leapt forward. Are you sure you really still need the plugin?
This announcement was posted before my earlier answer, but I just now noticed it:
I’m back with some news about our Secret Detection feature. We made an update to support more secret patterns and we crossed the symbolic number of 100 secret patterns covered by
60 rules. To be precise, it’s now 110 secret patterns that SonarCloud supports. Around the end of October, this feature will also be available for SonarQube users with the v10.3
Last, SonarLint users will be able to detect these secrets before they even leak into a Git repository. It’s just a matter of…
In 9.9 LTS I see only 5 rules related to secrets. Do I need to upgrade to get the 60+ rules?
Welcome to the community!
Yes, to get the latest rules you’ll need to upgrade to the latest version.
Although to be clear, SonarQube 10.2 doesn’t have all those rules. They’ll be available in 10.3, E.T.A. early November.
Thank you for the prompt response. Could you also confirm, out of these 100+ rules, if there are any rules for flagging Private Keys, High Entropy Strings, Hardcoded Passwords and Hardcoded API Keys used in code?
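The four categories asked about above fall into two kinds of detection: pattern rules (a PEM private-key header, the fixed prefix of an AWS access key ID, a password-looking assignment) and an entropy rule that flags long random-looking literals no pattern knows about. The scanner below is an added illustration of how such rules work, written for this thread; it is not SonarQube's, SonarCloud's or the Skyscanner plugin's code, and the regexes, the 3.5 bits/char threshold and the sample source it scans are all constructed for the example.

```python
import math
import re

# Constructed sample source (not from any real project) with one planted finding per category.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
DB_PASSWORD = "hunter2"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
TOKEN = "4f9d2a7c1e8b3f6a0d5c9e2b7a1f4c8d3e6b9a0c"
PRIVATE = "-----BEGIN RSA PRIVATE KEY-----"
greeting = "hello world"
"""

# Pattern-based rules: (rule name, regex). Illustrative regexes written for this example,
# not the definitions of any SonarQube rule.
PATTERN_RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-password",
     re.compile(r"(?i)(?:password|passwd|pwd)\w*\s*=\s*[\"'][^\"']{4,}[\"']")),
]

# Candidate literals for the entropy rule: quoted, 20+ chars drawn from a token-like alphabet.
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan(source: str, entropy_threshold: float = 3.5) -> list:
    """Return (line number, rule name) findings for the given source text.

    Pattern rules run first; the entropy rule only reports literals that no
    pattern rule already explains, so an AWS key is reported once, not twice.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in PATTERN_RULES:
            if rx.search(line):
                findings.append((lineno, name))
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1)
            already_known = any(rx.search(literal) for _, rx in PATTERN_RULES)
            if not already_known and shannon_entropy(literal) >= entropy_threshold:
                findings.append((lineno, "high-entropy-string"))
    return findings


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

The entropy rule is the noisy one in practice: a 3.5 bits/char threshold catches hex and base64 tokens but also flags hashes, UUIDs and test fixtures, which is why tools pair it with an allow-list or require a suspicious variable name nearby, while pattern rules like the AWS prefix give precise, low-noise hits.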
You can get the full rule list here:
Could you let me know when this list will be updated with all the upcoming rules? Or if there is a separate link for it?