SonarLint not detecting secrets

  • Operating system: macOS 14.4.1
  • SonarLint plugin version:
  • Programming language you’re coding in: Python, Java.
  • Is connected mode used: SonarCloud
  • IDE: IntelliJ IDEA 2023.3.5 (Ultimate Edition)

There are several announcements that SonarLint will detect secrets, but when I tried it on our own code the secrets are never detected by SonarLint. I suspect it is because the security rules are now reported differently and SonarLint was not updated accordingly?

I tested the example from this announcement: SonarLint for IntelliJ 5.1 released - AWS secrets detection and other improvements

And there was no detection from SonarLint. I tested with ssh private keys and other secrets and nothing showed up locally.

It is a very important feature because ideally we want secrets to be detected before they are committed and pushed to origin.

1 Like


I won’t be able to investigate and I’ll let my colleagues do it. I want just to confirm that we built the Secret Detection feature first for SonarLint. Actually this feature was available in SonarLint before porting it to SonarQube and SonarCloud.

We strongly believe that Secrets leaking should be detected before being pushed to the repo because if that happens it’s too late.

Can you provide a reproducer and the debug logs?


I’ve created a dummy public repo and confirmed that SonarCloud is detecting the fake AWS key:

If I clone the repo and duplicate that line locally, then SonarLint is ignoring it.

I updated the python file locally from:

"""This file is holding fake secrets for the purpose of detection by SonarLint."""

# Example fake key: from:

# Detected by SonarCloud:

And added these lines:

# Sonar rule: python:InequalityUsage to trigger local SonarLint detection.
if 1 <> 2:
    # Not detected by SonarLint

And this is what SonarLint is showing:

The Log tab has:

Analysing ''...
Found 1 issue and 0 hotspots
Did synchronize config scopes [/Users/stephane/repos/3rdparty/sonarlint-security-reproducer/.idea/misc.xml, b7d701ff-78ad-4592-9f21-439b21dbec41]

The debug logs link is for the VSCode plugin (I do not use VSCode), and the debug option is not available with the InteliJ plugin, so that’s all I can share here.

For completeness screenshots of the other tabs:

Hi @sodul, I can confirm this behavior is not correct. If you remove the connected mode, you should be able to see the issues raised. We are investigating why it is not raised in connected mode, and we will keep you updated.

Hello @sodul,

We going to fix it before the next release of SonarLint. Here’s the ticket for this problem.


1 Like