SonarCloud Secrets Quality Profile


We are trying to use Secrets - Quality Profile but we did not manage to use it, I was wondering if some configuration needs to be made:

We’re using
-Azure DevOps
-C# .NET project

in Project → Information we have C#, Docker and JSON as Quality Profiles Used, but we cannot trigger Secrets quality profile, can you please help with guidelines in using this quality profile?


Welcome to the community!

Take a look at Administration → Languages → Secrets. Is Secrets analysis activated? Check the file path patterns. Do they include your files of interest?


1 Like

Hi Ann,
Thank you for the warm welcome!
Yes, I activated the Secrets Analysis and I am not sure if I need to set in another place something additional to use this quality profile or if I need to pass additional parameters before scanning?


You activated it. Did you add your file extensions to the list of extensions secrets analysis should pay attention to? It’s on that same page, just scroll down.


1 Like

Yes, I created a branch based on main branch, with a file with an extension from that list and put some secrets on it to be scanned in order to trigger it, but I did not manage to do that.


Thanks for that detail. I’ve flagged this for more expert eyes.


1 Like

Hi @Amelia_Gherdan

Thanks for reporting this issue. Here I quickly verified that detecting secrets is working:

I need more information to find the issue. Could you send me logs from your build, please? (It can be a private message).

Marcin Stachniuk

Hi Marcin, thank you for your reply.
Can you please tell me where I can send a private message? E-mail?
Thank you

After private conversation we determined the following facts:

  • the file containing a secret was: src/deploy.ps1
  • the secret didn’t implement any of the supported secrets

The answer:

  1. The secret didn’t match any of our supported secrets. There is a way to implement custom secrets, but it is only available in SonarQube Enterprise Edition (and higher).
  2. We don’t support PowerShell scripts and by default secret detection is only executed on files that are analyzed by other analyzers. You can include *.ps1 and other files by setting the property sonar.text.inclusions, see: Secrets configuration.



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.