I have SonarCloud set up to run against a test ASP.NET MVC application. I have intentionally added a hard-coded password to see if the scan would pick it up.
SonarCloud Project Dashboard: https://sonarcloud.io/dashboard?id=Trey-Gourley_sonarcloudtest
In the C# Program.cs source file, I added a line of code:
string password = "this_should_not_be_here";
I was hoping it would get caught by the security rule “Credentials should not be hard-coded”: https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-2068
It caught a couple of code smells in the Program.cs file (and one bug in the project), but it didn’t catch that error. It also didn’t show that it skipped that line either (though there were a couple of other lines that were skipped by the scan).