I have a pull request for Terraform that is getting (correctly) flagged with secrets:S6995 (aka Secrets static code analysis) because there are Splunk tokens in a new .tf file.
I was a bit surprised though, as this project has other Splunk tokens that aren’t being flagged. The difference is those are defined in .tfvars files. This feels like a bug that SonarQube is not scanning the .tfvars files and is then missing the opportunity to highlight other tokens that may have been committed to source control.
If the analysis is executed on a UNIX environment, files and directories starting with a dot are not analyzed since such files are treated as hidden in UNIX systems.
I agree it doesn’t make a lot of sense these files get ignored for secrets scanning, but it’s baked into our analysis engine to ignore these files. I will however flag this for attention as we ought to have a better answer for this.
To clarify when I said .tfvars files, I was just referring to the file suffix. The files are named typically “environment.auto.tfvars” so they shouldn’t be excluded by the dot rule.
The *.tfvars files are not scanned because, as you correctly found in another thread, the Terraform analyzer does not support them. If you would like to detect secrets in *.tfvars files, you can configure the sonar.text.inclusions property and add **/*.tfvars to the current value.
A link to the documentation: Secrets | SonarQube Server Documentation
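To make the two gaps discussed in this thread concrete, here is an added example (not code from SonarSource or from the original posts) that reads a sonar-project.properties file, appends **/*.tfvars to the existing sonar.text.inclusions value rather than replacing it, and reports which repository files would still be skipped: dot-prefixed paths (the hidden-file rule described above) and .tfvars files that match no inclusion pattern. The sample properties content and file list are constructed for the demonstration; the inclusion patterns in the "before" config are placeholders, not the analyzer's real default list, so copy your actual current value before editing it.

```python
"""Check SonarQube secrets-scan coverage for Terraform variable files.

Added example, not SonarSource code. Assumptions: sonar.text.inclusions is a
comma-separated list of Ant-style globs, and dot-prefixed files/directories
are skipped on UNIX as stated in the thread above.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample config. The inclusion globs are placeholders, not the
# analyzer's real defaults: read your own current value before extending it.
BEFORE = (
    "sonar.projectKey=example\n"
    "sonar.text.inclusions=**/*.properties,**/*.conf,**/*.pem\n"
)

# Constructed sample of paths found in the repository.
FILES = [
    "environment.auto.tfvars",     # named like the poster's files
    "modules/splunk/prod.tfvars",
    ".terraform/secret.tfvars",    # hidden directory: skipped by the dot rule
    "main.tf",                     # handled by the Terraform analyzer itself
    ".env",                        # hidden file: skipped by the dot rule
]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties parser (key=value or key:value)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style glob (**/, *, ?) into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"   # zero or more directory levels
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"      # within a single path segment
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + "$")


def is_hidden(path: str) -> bool:
    """True if any path component starts with a dot (UNIX hidden rule)."""
    return any(part.startswith(".") for part in path.replace("\\", "/").split("/") if part)


def coverage_report(props: Dict[str, str], files: Iterable[str]) -> Dict[str, List[str]]:
    """Classify files by whether the text analyzer would look at them for secrets."""
    inclusions = [p.strip() for p in props.get("sonar.text.inclusions", "").split(",") if p.strip()]
    patterns = [glob_to_regex(p) for p in inclusions]
    report: Dict[str, List[str]] = {"hidden": [], "covered_tfvars": [], "uncovered_tfvars": []}
    for path in files:
        if is_hidden(path):
            report["hidden"].append(path)
        elif path.endswith(".tfvars"):
            bucket = "covered_tfvars" if any(p.match(path) for p in patterns) else "uncovered_tfvars"
            report[bucket].append(path)
    return report


def add_tfvars_inclusion(text: str, pattern: str = "**/*.tfvars") -> str:
    """Append the pattern to the existing sonar.text.inclusions value.

    Raises if the property is absent: setting it from scratch would replace
    the analyzer's default list, so the current value must be copied first.
    """
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "sonar.text.inclusions":
            current = [p.strip() for p in value.split(",") if p.strip()]
            if pattern not in current:
                current.append(pattern)
            lines[i] = "sonar.text.inclusions=" + ",".join(current)
            return "\n".join(lines) + "\n"
    raise ValueError("sonar.text.inclusions not set; copy the current default value before adding to it")


if __name__ == "__main__":
    print("before:", coverage_report(parse_properties(BEFORE), FILES))
    after = add_tfvars_inclusion(BEFORE)
    print("after: ", coverage_report(parse_properties(after), FILES))
```

Running it shows the two .tfvars files moving from uncovered to covered once the pattern is appended, while the dot-prefixed paths stay in the hidden bucket regardless of the property, which is the part of the gap the second reply says is baked into the engine.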