SonarCloud can find hard-coded passwords on known APIs taking passwords as parameter

Hello PHP developers,

We’ve made an update to the PHP analyzer, enabling it to detect when a hard-coded string is passed as a parameter to a function that is specifically designed to receive passwords or tokens as input.
This is another layer added towards our goal of helping you eliminate secrets from your code.

This new feature is provided by the following rule:

  • S6437: Credentials should not be hard-coded

This rule complements the existing features dedicated to secrets detection for PHP: