SonarCloud vs MSCA

Does SonarCloud cover the same static code scanning capabilities as the Microsoft Security Code Analysis (MSCA) toolset?
Examples of MSCA tools:

  • Credential Scanner: a proprietary Microsoft tool that helps detect credentials, secrets, certificates, and other sensitive content in your source code and build output.
  • Roslyn Analyzer: Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB).

Hey there –

SonarCloud has some fairly rudimentary rules in this respect (Hard-coded credentials are security-sensitive) with aims to improve this in the future (MMF-1932 - Enhanced hard-coded credentials detection).

Roslyn is at the core of our C# analyzers (it’s what they are built on!) and issues from other Roslyn analyzers are automatically imported to SonarCloud during analysis.
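To make concrete what a "hard-coded credentials" check looks like, and why such rules tend to be rudimentary, here is an added example of a minimal pattern-based detector. It is not SonarCloud's rule, not Microsoft's Credential Scanner, and not code from anyone in this thread. It runs over a constructed C# snippet (the variable names, connection string and token values are invented for the example) and flags two things: an identifier whose name suggests a secret being assigned a non-empty string literal, and a `Password=`/`Pwd=` key inside a connection-string literal. It deliberately leaves alone a value read from an environment variable and an empty placeholder, which is the behaviour a practitioner would want from such a rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed C# sample for the example (not taken from any real project).
SAMPLE_SOURCE = """
string connStr = "Server=db;Database=app;User Id=sa;Password=Hunter2!;";
var apiKey = "AKIAIOSFODNN7EXAMPLE";
string password = Environment.GetEnvironmentVariable("DB_PASSWORD");
string pwdPlaceholder = "";
const string Secret = "s3cr3t-token-value";
var userName = "svc_account";
""".lstrip("\n")


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # which heuristic fired
    value: str  # the literal that was flagged (mask before logging in real use)


# Heuristic 1: a secret-looking identifier assigned a non-empty string literal.
SECRET_ASSIGN = re.compile(
    r'\b(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)

# Heuristic 2: a Password/Pwd key carrying a value inside a string literal
# (typical of ADO.NET connection strings).
CONN_STRING = re.compile(
    r'"[^"]*\b(?:Password|Pwd)\s*=\s*(?P<value>[^;"]+)[^"]*"',
    re.IGNORECASE,
)


def scan(source: str) -> list[Finding]:
    """Return one Finding per line that matches either heuristic."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append(Finding(n, "hard-coded-secret", m.group("value")))
            continue  # one finding per line is enough for a report
        m = CONN_STRING.search(line)
        if m:
            findings.append(Finding(n, "connection-string-password", m.group("value")))
    return findings


def mask(value: str) -> str:
    """Keep the first two characters so a reviewer can locate the literal."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} -> {mask(f.value)}")
```

Two of the gaps are visible even in this tiny sample: a secret built by string concatenation or stored in a configuration file is never seen by these regexes, and a secret assigned to an innocently named variable (`userName`-style names with a token as the value) slips through unless entropy or known-prefix checks are added. That is the distance between a single rule and a dedicated credential scanner.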

Thanks Colin for the clarification.

Could you share some of the rules in SonarCloud that help in identifying hard-coded credentials?

When I said rules, maybe I oversold it. SonarCloud has the one rule, which I already linked!

No worries… thanks Colin.
Does SonarCloud scan the libraries/open source that the application leverages?

SonarCloud does not track the libraries that are included in a project – we leave SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource)!
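For readers unfamiliar with what the SCA tools mentioned above actually do, here is an added example of the core step: enumerate a project's third-party dependencies and match them against an advisory feed. This is not SonarCloud, Snyk or WhiteSource code. Both inputs are constructed for the example: a small `.csproj` with invented `Contoso.*`/`Fabrikam.*` packages, and an advisory list with placeholder identifiers (`ADV-PLACEHOLDER-…`) rather than real CVEs. A real tool would also resolve transitive dependencies from the lock file and pull advisories from a vulnerability database.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed SDK-style project file (invented package names, not a real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Contoso.Serialization" Version="12.0.1" />
    <PackageReference Include="Contoso.Logging" Version="3.2.0" />
    <PackageReference Include="Fabrikam.Http" Version="1.4.9-beta2" />
  </ItemGroup>
</Project>
"""

# Constructed advisory feed: every version strictly below fixed_in is affected.
# The ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "Contoso.Serialization", "fixed_in": "12.0.3"},
    {"id": "ADV-PLACEHOLDER-002", "package": "Fabrikam.Http", "fixed_in": "1.4.0"},
    {"id": "ADV-PLACEHOLDER-003", "package": "Contoso.Caching", "fixed_in": "2.0.0"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric prefix of a NuGet version; a '-prerelease' suffix is dropped."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def list_dependencies(csproj_xml: str) -> dict[str, str]:
    """Map package id -> declared version for every PackageReference."""
    root = ET.fromstring(csproj_xml)
    deps: dict[str, str] = {}
    for el in root.iter("PackageReference"):
        name, version = el.get("Include"), el.get("Version")
        if name and version:
            deps[name] = version
    return deps


def find_vulnerable(deps: dict[str, str], advisories: list[dict]) -> list[tuple[str, str, str, str]]:
    """Return (package, declared_version, advisory_id, fixed_in) for affected dependencies."""
    hits = []
    for adv in advisories:
        declared = deps.get(adv["package"])
        if declared is None:
            continue  # package not used by this project
        if parse_version(declared) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], declared, adv["id"], adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    deps = list_dependencies(SAMPLE_CSPROJ)
    for pkg, ver, adv_id, fixed in find_vulnerable(deps, ADVISORIES):
        print(f"{pkg} {ver}: {adv_id}, upgrade to >= {fixed}")
```

The comparison is the part to get right: `Contoso.Serialization 12.0.1` is below the fix version and is reported, while `Fabrikam.Http 1.4.9-beta2` is already past `1.4.0` and is not, even though it is a prerelease. Packages that appear in the feed but not in the project (`Contoso.Caching`) are skipped rather than reported.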