The Java analyzer detect secrets hidden in your Java files

Hello Java developers,

We used to have a rule (S2068) detecting hard-coded credentials in your Java files. While being good, this rule was only focusing by default on “passwords” and it was recommended to configure it to detect more such as secrets.
We realized that not a lot of users were doing the effort to customize the rule, and because we want you to get the best of our rules out of the box we decided to do the following changes:

  • S2068 is now dedicated to finding hard-coded passwords
  • a new rule S6418 was introduced to focus on detecting hard-coded secrets

The new rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded secret is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed.

These two rules are enabled by default and the results are visible on the Security Hotspots page.
They are available now on and will be part of SonarQube 9.5.