SonarLint doesn't detect hardcoded passwords

Please provide

  • Operating system: Win11
  • Visual Studio version: Microsoft Visual Studio Community 2022 (64-bit) - Current
    Version 17.8.7
  • SonarLint plugin version: 7.7.0.86423
  • Programming language you’re coding in: C#
  • Is connected mode used: No
    • Connected to SonarCloud or SonarQube (and which version):

And a thorough description of the problem / question:

SonarLint doesn't detect hardcoded passwords like string password = "123abc";

Hey there.

Did you check under Security Hotspots?

Hi Colin, thanks for getting back to me.

I did and nothing shows.

These are the dummy password strings I tested:

  string secret = "9rtYl+xkdUhKFuOnnUuBRlqSidexGSq5WlL+NBwu";
  string password = "srfgvngn";
  string pwd = "ëfnrgnrjgn";
  string secret = "effgvrgvv";
  string awsSecret = "AKIAIMNOJVGFDXXXE4OA";

Only the last one was detected.

Please note that I'm not running in connected mode. Will connected mode provide detection for the other examples?

Kind regards,

Michael

Reporting security hotspots does require being bound to a SonarQube/SonarCloud project in connected mode.

I understand, but why was the last secret detected without using security hotspots? Does connected mode offer the advantage that all secrets get detected? That's my question.

Hey @MichaelMorozovCodit

Sorry for the late answer, but I wanted to mention this here in case it helps somebody else:

Your first four examples would be highlighted by the Security Hotspot rule "Hard-coded credentials are security-sensitive".

This is a pretty crude rule with a hard-coded list of variable names. There are a lot of false positives, and typically these require review.

On the other hand, this example is definitely an issue, not because of the variable name but because of the pattern of the secret itself. This is a clear security issue (not a "maybe" security issue), and is raised by "Amazon Web Services credentials should not be disclosed".
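To make the distinction drawn in this answer concrete, here is an added example (not code from the thread or from SonarSource) that runs both detection styles over the five C# test lines posted above: a variable-name heuristic that produces review-grade hotspots, and a value-pattern check that produces a definite finding. The credential word list and the AWS access-key regex are assumptions that approximate the behaviour described, not the actual rule implementations; the two extra control lines in the sample are constructed here.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the five C# test lines from the thread, plus two
# control lines added here (a harmless literal and a value read from the
# environment) to show what each detector ignores.
SAMPLE_CS = '''
string secret = "9rtYl+xkdUhKFuOnnUuBRlqSidexGSq5WlL+NBwu";
string password = "srfgvngn";
string pwd = "ëfnrgnrjgn";
string secret = "effgvrgvv";
string awsSecret = "AKIAIMNOJVGFDXXXE4OA";
string greeting = "hello";
string password = Environment.GetEnvironmentVariable("DB_PASSWORD");
'''

# Assumed word list for the name-based heuristic. It approximates the kind of
# "hard-coded list of variable names" the answer describes; it is not SonarLint's list.
CREDENTIAL_NAME_TOKENS = ("password", "passwd", "pwd", "secret", "passphrase")

# Matches a C# string-literal assignment: string <name> = "<literal>";
ASSIGN_RE = re.compile(r'\b(?:string|var)\s+(\w+)\s*=\s*"([^"]*)"\s*;')

# Assumed shape of an AWS access key ID (AKIA/ASIA prefix + 16 upper-case
# alphanumerics). A simplification for illustration, not the vendor rule's exact regex.
AWS_ACCESS_KEY_RE = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "hotspot": needs human review; "vulnerability": definite issue
    rule: str
    variable: str


def name_based_hotspots(source: str) -> list[Finding]:
    """Flag literal assignments whose variable name looks credential-like.

    Knows nothing about the value, so it fires on dummy strings and test data
    alike: high recall, many false positives, hence a hotspot, not a vulnerability.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        if value and any(tok in name.lower() for tok in CREDENTIAL_NAME_TOKENS):
            findings.append(Finding(lineno, "hotspot", "hardcoded-credential-name", name))
    return findings


def pattern_based_issues(source: str) -> list[Finding]:
    """Flag literals whose value matches a known secret format.

    The variable name is irrelevant; the format of the value itself is the
    evidence, so a hit is reported as a definite vulnerability.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m and AWS_ACCESS_KEY_RE.search(m.group(2)):
            findings.append(Finding(lineno, "vulnerability", "aws-access-key-disclosed", m.group(1)))
    return findings


def scan(source: str) -> list[Finding]:
    """Run both detectors; a definite pattern hit supersedes a name hotspot on the same line."""
    issues = pattern_based_issues(source)
    issue_lines = {f.line for f in issues}
    hotspots = [h for h in name_based_hotspots(source) if h.line not in issue_lines]
    return sorted(hotspots + issues, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_CS):
        print(f"line {f.line}: {f.kind:<13} {f.rule} ({f.variable})")
```

Running it reports the four dummy passwords as hotspots and the AKIA value as a vulnerability. Note that the name heuristic also fires on awsSecret (the name contains "secret"), so without the pattern rule that line would be just one more "maybe" in the review queue; the value match is what turns it into a definite finding. The `Environment.GetEnvironmentVariable` line is not flagged by either detector because there is no string literal to inspect, which is exactly the fix both rules steer towards.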