Secrets
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarQube Community Build detects exposed Secrets in all files processed by the language analyzers and in all files configured through the sonar.text.inclusions property.
This page explains how to configure the secret-specific parameters and to adjust the secret detection scope.
From SonarQube Server Enterprise Edition, you can define custom rules based on your own secret patterns in order to detect secrets that are specific to your company. For more information, see SonarQube Server documentation.
Configuring secret-specific parameters (general procedure)
Discover and update the secret-specific parameters in Administration > Configuration > General Settings > Languages > Secrets.
Adjusting the secret detection scope
By default, SonarQube Server and SonarQube Community Build detect exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection by:
- Adding files based on path-matching patterns.
- Adjusting the binary file exclusion setup.
Adding files based on path-matching patterns
If you’re using a git repository, you can add files to the secret detection scope by defining path-matching patterns: the files matching the patterns will be included provided they are tracked by git.
If the analysis is executed on a UNIX environment, files and directories starting with a dot are not analyzed since such files are treated as hidden in UNIX systems.
To add additional files to the secret detection:
- In the SonarQube Community Build UI:
  - For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets.
  - For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets.
- Enable the Activate inclusion of custom file path patterns option.
- In the List of file path patterns to include, adjust the default path-matching patterns if necessary (see Defining path-matching patterns).
Alternatively, configure the parameters listed below on the CI/CD host (see Analysis parameters for more information).
| Property | Description |
|---|---|
| sonar.text.inclusions.activate | Enables the inclusion of files in the secret detection according to the path-matching patterns defined in sonar.text.inclusions. |
| sonar.text.inclusions | Comma-separated list of path-matching patterns. Possible values: a path can be relative (to the Default value: `**/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties,**/*.conf,**/*.pem,**/*.config,.env,.aws/config` |
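Before enabling the inclusion on a CI/CD host, it is useful to preview which git-tracked files a pattern list would pull into the secret detection scope. The following Python script is an added example, not SonarQube's own code: it assumes the usual `**` (any number of directories) and `*` (within one path segment) semantics for path-matching patterns, applies the dot-file rule described above for UNIX hosts, and runs on a constructed list of tracked files (replace it with the output of `git ls-files` in a real repository).

```python
import re

# Default value of sonar.text.inclusions as documented on this page.
DEFAULT_INCLUSIONS = ("**/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties,"
                      "**/*.conf,**/*.pem,**/*.config,.env,.aws/config")

# Constructed sample of what `git ls-files` might return in a small repository.
SAMPLE_TRACKED_FILES = [
    "deploy.sh", "ops/db.properties", "src/main.py", ".env", ".aws/config",
    "certs/server.pem", "build/app.jar", "notes.txt", "scripts/backup.ps1",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one path-matching pattern into an anchored regex (assumed semantics:
    '**/' spans zero or more directories, '*' and '?' stay within one path segment)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def is_hidden(path: str) -> bool:
    """True if any path component starts with a dot (hidden on UNIX systems)."""
    return any(part.startswith(".") for part in path.split("/"))


def secret_scope(tracked_files, inclusions=DEFAULT_INCLUSIONS, unix=True):
    """Return (included, skipped_hidden): tracked files matching the patterns,
    split by whether the UNIX dot-file rule keeps them out of the analysis."""
    regexes = [pattern_to_regex(p.strip()) for p in inclusions.split(",") if p.strip()]
    included, skipped_hidden = [], []
    for path in sorted(tracked_files):
        if not any(r.match(path) for r in regexes):
            continue
        (skipped_hidden if unix and is_hidden(path) else included).append(path)
    return included, skipped_hidden


if __name__ == "__main__":
    inc, hid = secret_scope(SAMPLE_TRACKED_FILES)
    print("included:", inc)
    print("skipped as hidden on UNIX:", hid)
```

Run it with `unix=False` to see the scope a Windows host would get, where the dot-file rule does not apply.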
Adjusting the binary file exclusion setup
SonarQube Server and SonarQube Community Build exclude binary files from the analysis. In case binary file types are still included in your analysis, you can exclude these additional files.
To do so:
- In the SonarQube Server and SonarQube Community Build UI:
  - For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets.
  - For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets.
- In Additional binary file suffixes, enter the list of suffixes to be excluded.
Alternatively, configure the parameter below on the CI/CD host (see Analysis parameters for more information).
| Property | Description |
|---|---|
| sonar.text.excluded.file.suffixes | Comma-separated list of additional binary file suffixes to be excluded. |
Related pages
- Adding coding rules
- Secrets rules for static code analysis
- Adjusting the secret detection scope