Weird data on the Secrets Quality Profile

Hi Nils,

I have a similar problem with SonarQube version 9.9 LTS which I recently upgraded to from version 8.9.

Vulnerabilities that correspond to the secrets quality profile have been detected in several projects, but I see the following, and I don’t know whether it is correct:

  • No project has been assigned the secrets quality profile

  • In the quality profiles section, it appears that the profile has never been used

  • When analyzing any of the projects, the secrets quality profile is not used, although I would expect it to apply to all projects.

Is it necessary to manually assign this quality profile to each project?

I hope you can help me with these questions.

Hello,

In the configuration you are showing, the Quality Profile that will be used by DEFAULT will be “AppSec-2023”. You don’t need to assign it explicitly to all your projects; it will be picked up automatically.
For Secrets, there is actually no real use case for a custom Quality Profile. I would recommend that you rely on the “Sonar Way” one and keep it as the DEFAULT, so that when you upgrade, you get access to all the secret patterns we cover.

I checked the latest version of SonarQube, 10.2, which we are running internally, and it shows the same behavior as yours with this “Never”.

I believe we have a limitation due to the fact that Secrets are searched for in all files that are scanned by other analyzers, and somehow we can’t record that the profile was used.

Alex