Programming language you’re coding in: Python, Java.
Is connected mode used: SonarCloud
IDE: IntelliJ IDEA 2023.3.5 (Ultimate Edition)
There are several announcements that SonarLint will detect secrets, but when I tried it on our own code the secrets are never detected by SonarLint. I suspect it is because the security rules are now reported differently and SonarLint was not updated accordingly?
I won’t be able to investigate and I’ll let my colleagues do it. I want just to confirm that we built the Secret Detection feature first for SonarLint. Actually this feature was available in SonarLint before porting it to SonarQube and SonarCloud.
We strongly believe that Secrets leaking should be detected before being pushed to the repo because if that happens it’s too late.
If I clone the repo and duplicate that line locally, then SonarLint is ignoring it.
I updated the python file locally from:
"""This file is holding fake secrets for the purpose of detection by SonarLint."""
# Example fake key: from:
# https://community.sonarsource.com/t/sonarlint-for-intellij-5-1-released-aws-secrets-detection-and-other-improvements/46506
# Detected by SonarCloud:
KEY = "AKIAIGKECZXA7AEIJLMQ"
And added these lines:
# Sonar rule: python:InequalityUsage to trigger local SonarLint detection.
if 1 <> 2:
    # Not detected by SonarLint
    AWS_SECRET_KEY = "AKIAIGKECZXA7AEIJLMQ"
Analysing 'secrets.py'...
Found 1 issue and 0 hotspots
Did synchronize config scopes [/Users/stephane/repos/3rdparty/sonarlint-security-reproducer/.idea/misc.xml, b7d701ff-78ad-4592-9f21-439b21dbec41]
The debug logs link is for the VSCode plugin (I do not use VSCode), and the debug option is not available with the IntelliJ plugin, so that's all I can share here.
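As an added example that is not part of the original post or of SonarLint: a small Python pre-push check for the AWS access key ID pattern, run over a constructed copy of the secrets.py shown above, so a developer can verify secret detection locally regardless of connected-mode behaviour. The prefix list, the masking and the standalone scanner are assumptions of this example, not SonarLint's own rule.

```python
"""Local check for hard-coded AWS access key IDs (added example, not from
the thread). Assumption: the prefixes below are the commonly documented
AWS key-ID prefixes; SonarLint's rule may use a different pattern."""
import re
import sys
from typing import List, Tuple

# An AWS access key ID is 20 chars: a 4-letter prefix plus 16 [A-Z0-9].
# Lookarounds stop a longer uppercase token from matching by accident.
AWS_KEY_ID_RE = re.compile(
    r"(?<![A-Z0-9])(?:AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)"
    r"[A-Z0-9]{16}(?![A-Z0-9])"
)


def mask(key: str) -> str:
    """Keep only the first and last 4 chars so the hook never logs the key."""
    return key[:4] + "*" * (len(key) - 8) + key[-4:]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_key) for every key ID in the text.
    Comments are scanned too: a key in a comment is still a leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, mask(m.group(0))))
    return findings


def check_files(paths) -> int:
    """Pre-push style entry point: non-zero exit when any key ID is found."""
    rc = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in scan_text(fh.read()):
                print(f"{path}:{lineno}: possible AWS access key ID {masked}")
                rc = 1
    return rc


# Constructed sample mirroring the post's secrets.py (fake key from the post).
SAMPLE = '''"""This file is holding fake secrets for the purpose of detection."""
# Example fake key
KEY = "AKIAIGKECZXA7AEIJLMQ"
if 1 <> 2:
    # Not detected by SonarLint
    AWS_SECRET_KEY = "AKIAIGKECZXA7AEIJLMQ"
'''

if __name__ == "__main__":
    sys.exit(check_files(sys.argv[1:])) if len(sys.argv) > 1 else print(scan_text(SAMPLE))
```

Run it with file paths as arguments to use it as a pre-push hook, or with no arguments to see both lines of the sample flagged.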
Hi @sodul, I can confirm this behavior is not correct. If you remove the connected mode, you should be able to see the issues raised. We are investigating why it is not raised in connected mode, and we will keep you updated.