Secrets
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarQube Community Build detects exposed Secrets in all files processed by the language analyzers and in all files configured through the sonar.text.inclusions property.
Secrets analysis is available starting in the SonarQube Community Build.
Configuring secret-specific parameters (general procedure)
Discover and update the secret-specific parameters in Administration > Configuration > General Settings > Languages > Secrets
Adjusting the secret detection scope
By default, SonarQube Server and SonarQube Community Build detect exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection by:
- Adding files based on path-matching patterns.
- Adjusting the binary file exclusion setup.
Adding files based on path-matching patterns
If you’re using a git repository, you can add files to the secret detection scope by defining path-matching patterns: the files matching the patterns will be included provided they are tracked by git.
If the analysis is executed on a UNIX environment, files and directories starting with a dot are not analyzed since such files are treated as hidden in UNIX systems.
To add additional files to the secret detection:
- In the SonarQube Community Build UI:
- For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets
- For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets
- Enable the Activate inclusion of custom file path patterns option.
- In the List of file path patterns to include, adjust the default path-matching patterns if necessary (see Wildcard patterns on the Analysis scope page).
Alternatively, configure the parameters listed below on the CI/CD host (see Analysis parameters for more information).
| Property | Description |
|---|---|
sonar.text.inclusions.activate | Enables the inclusion of files to the secret detection according to the path-matching patterns defined in sonar.text.inclusions. |
sonar.text.inclusions | Comma-separated list of path-matching patterns. Possible values: A path can be relative (to the Default value: **/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties, **/*.conf,**/*.pem,**/*.config,.env,.aws/config |
Adjusting the binary file exclusion setup
SonarQube Server and SonarQube Community Build exclude binary files from the analysis. In case binary file types are still included in your analysis, you can exclude these additional files.
To do so:
- In the SonarQube Server and SonarQube Community Build UI,
- For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets.
- For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets.
- In Additional binary file suffixes, enter the list of suffixes to be excluded.
Alternatively, configure the parameter below on the CI/CD host (see Analysis parameters for more information).
| Property | Description |
|---|---|
sonar.text.excluded.file.suffixes | Comma-separated list of additional binary file suffixes to be excluded. |
Defining custom secret patterns
The custom secret patterns feature is available starting in SonarQube Server Enterprise Edition.
Related pages
- Adding coding rules
- Secrets rules for static code analysis
- Analysis scope - "Setting the secrets detection scope" section.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
