Sonar Secrets Plugins Support for SonarQube 9.9 LTS

Hello Team,

We are upgrading SonarQube from v8.9 to v9.9 LTS.
Due to Java version incompatibility, we discovered that the following plugins are not supported in the SonarQube 9.9 version.

sonar-secrets-java-1.3.0
sonar-secrets-javascript-1.3.0

Plugin Reference: GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.

Has anyone experienced a similar problem? If so, does anyone have a solution or advice?
Thank you!

Hi,

SonarQube offers secrets detection out of the box, and with 10.2 that functionality leapt forward. Are you sure you really still need the plugin?

Ann

Hi,

This announcement was posted before my earlier answer, but I just now noticed it:

HTH,
Ann

Hi Ann,

In 9.9 LTS I see only 5 rules related to secrets. Do I need to upgrade to get the 60+ rules?

Hi @owais,

Welcome to the community!

Yes, to get the latest rules you’ll need to upgrade to the latest version.

Although to be clear, SonarQube 10.2 doesn’t have all those rules. They’ll be available in 10.3, E.T.A. early November.

Ann


Thank you for the prompt response. Could you also confirm whether, out of these 100+ rules, there are any rules for flagging Private Keys, High Entropy Strings, Hardcoded Passwords and Hardcoded API Keys used in code?

Hi,

You can get the full rule list here:

HTH,
Ann

Could you let me know when this list will be updated with all the upcoming rules? Or if there is a separate link for it?

Hi,

That’s the full list.

Ann

Got it, thank you.

Hi

I was trying to build the Sonar Secret plugin using the official code from GitHub. I want to move those jars to my local Sonar instance (I am not using SonarCloud). Is it possible to download the plugins directly without building my own jars of Sonar Secret? I am facing build issues and compilation errors.

Thanks
Rajasekhar

I am using version 9 of SonarQube in my local instance.

Hi @Raja_sekhar1,

Welcome to the community!

This thread is 8 months old. Normally I’d ask you to create a new one. However, this time the answer is easy. SonarQube 9.0 is well past EOL. The analyzer you build from sources will not be compatible with 9.0. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

9.0 → 9.9.5 → 10.5.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

Once you’ve upgraded, you’ll find secrets detection is included out of the box.

HTH,
Ann