Weird data on the Secrets Quality Profile

Hi Nils,

I have a similar problem with SonarQube version 9.9 LTS which I recently upgraded to from version 8.9.

Vulnerabilities that correspond to the secret quality profile have been detected in several projects, but I see the following that I don’t know if it’s correct:

  • No project has been assigned the quality profile of secrets

  • In the quality profiles section, it appears that the profile has never been used

  • When analyzing the projects, any of them, the quality profile of secrets is not used, which I would expect will apply to all projects.

Is it necessary to manually assign this quality profile to each project?

I hope you can help me with these questions.


In the configuration you are showing, the Quality Profile that will be used by DEFAULT will be “AppSec-2023”. You don’t need to assign it explicitly to all your projects, it will be picked-up automatically.
For Secrets, there is actually no real use case to have a custom Quality Profile, I would recommend you to rely on the “Sonar Way” one and keep it the DEFAULT so that when you upgrade, you get access to all the secret patterns we cover.

I checked the latest version of SonarQube 10.2 that we are running internally and it has the same behavior as you with this “Never”.

I believe we have a limitation due to the fact that Secrets are searched in all files that are scanned by other analyzers and somehow we can’t get that it was used.