SonarLint doesn't detect hardcoded passwords

Please provide

  • Operating system: Win11
  • Visual Studio version: Microsoft Visual Studio Community 2022 (64-bit) - Current
    Version 17.8.7
  • SonarLint plugin version: 7.7.0.86423
  • Programming language you’re coding in: C#
  • Is connected mode used: No
    • Connected to SonarCloud or SonarQube (and which version):

And a thorough description of the problem / question:

SonarLint doesn’t detect hardcoded passwords like string password = “123abc”;

Hey there.

Did you check under Security Hotspots?

Hi Colin, thanks for getting back to me.

I did and nothing shows.

These are the dummy password strings I tested:


string secret = "9rtYl+xkdUhKFuOnnUuBRlqSidexGSq5WlL+NBwu";

string password = "srfgvngn";

string pwd = "ëfnrgnrjgn";

string secret = "effgvrgvv";

string awsSecret = "AKIAIMNOJVGFDXXXE4OA";

Only the latter was detected.

Please note that I’m not running in connected mode. Will connected mode provide detection for the other examples?

Kind regards,

Michael

Reporting security hotspots does require being bound to a SonarQube/SonarCloud project in connected mode.

I Understand, but why was the last secret detected without using security hotspots? Does connected mode offer the advantage that all secrets get detected? That’s my question.