# Secrets

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only.

Secrets analysis is available starting in [Community Edition](https://www.sonarsource.com/open-source-editions/sonarqube-community-edition/).

## Configuring secret-specific parameters (general procedure) <a href="#language-specific-properties" id="language-specific-properties"></a>

Discover and update the secret-specific [Analysis parameters](/sonarqube-server/10.2/analyzing-source-code/analysis-parameters.md) in **Administration** > **Configuration** > **General Settings** > **Languages** > **Secrets**.

## Adjusting the secret detection scope <a href="#detection-scope" id="detection-scope"></a>

By default, SonarQube detects exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection by:

* Adding files based on path-matching patterns.
* Adjusting the binary file exclusion setup.

### Adding files based on path-matching patterns <a href="#adding-files-based-on-pathmatching-patterns" id="adding-files-based-on-pathmatching-patterns"></a>

If you’re using a git repository, you can add files to the secret detection scope by defining path-matching patterns. The files matching the patterns will be included, *provided they are tracked by git*.

{% hint style="warning" %}
If the analysis is run in a UNIX environment, files and directories whose names start with a dot are not analyzed, since UNIX treats such files as hidden.
{% endhint %}

To add additional files to the secret detection:

1. In the SonarQube UI:
   * For a global configuration: go to **Administration > Configuration > General Settings > Languages > Secrets**.
   * For a project-level configuration: open your project page and go to **Project Settings > General Settings > Languages > Secrets**.
2. Enable the **Activate inclusion of custom file path patterns** option.
3. In the **List of file path patterns to include**, adjust the default path-matching patterns if necessary (see **Wildcard patterns** in [Analysis scope](/sonarqube-server/10.2/project-administration/analysis-scope.md)).

Alternatively, configure the parameters listed below on the CI/CD host (see [Analysis parameters](/sonarqube-server/10.2/analyzing-source-code/analysis-parameters.md) for more information).

| **Property**                     | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sonar.text.inclusions.activate` | Enables the inclusion of files to the secret detection according to the path-matching patterns defined in `sonar.text.inclusions`.                                                                                                                                                                                                                                                                                                                                                                                                             |
| `sonar.text.inclusions`          | <p>Comma-separated list of path-matching patterns.</p><p><strong>Possible values:</strong> A path can be relative (to the <code>sonar.projectBaseDir</code> property, which is by default the directory from which the analysis was started) or absolute.</p><p><strong>Default value:</strong> `**/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties,**/*.conf,**/*.pem,**/*.config,.env,.aws/config`</p> |

### Adjusting the binary file exclusion setup <a href="#adjusting-the-binary-file-exclusion-setup" id="adjusting-the-binary-file-exclusion-setup"></a>

SonarQube excludes binary files from the analysis. If files of some binary type are still being picked up by your analysis, you can exclude them by adding their file suffixes.

To do so:

1. In the SonarQube UI:
   * For a global configuration: go to **Administration** > **Configuration** > **General Settings** > **Languages** > **Secrets**.
   * For a project-level configuration: open your project page and go to **Project Settings** > **General Settings** > **Languages** > **Secrets**.
2. In **Additional binary file suffixes**, enter the list of suffixes to be excluded.

Alternatively, configure the parameter below on the CI/CD host (see [Analysis parameters](/sonarqube-server/10.2/analyzing-source-code/analysis-parameters.md) for more information).

| **Property**                        | **Description**                                                         |
| ----------------------------------- | ----------------------------------------------------------------------- |
| `sonar.text.excluded.file.suffixes` | Comma-separated list of additional binary file suffixes to be excluded. |
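The two procedures above (adding git-tracked files by path pattern, then dropping binary suffixes) decide which files the secret analyzer sees. The following added example, which is not code from this page or from SonarSource, models that decision over a constructed repository listing so you can preview the effect of a property change before running the scanner. The wildcard semantics (`**/` for any number of directories, `*` within one path segment, `?` for one character), the assumption that the dot-file rule from the hint above is applied to the pattern-added files, and the treatment of `sonar.text.excluded.file.suffixes` values as plain string suffixes such as `.bin` are all assumptions of the example; the property names and the default pattern list are those documented on this page.

```python
import re

# Default of sonar.text.inclusions as documented on this page.
DEFAULT_INCLUSIONS = (
    "**/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties,"
    "**/*.conf,**/*.pem,**/*.config,.env,.aws/config"
)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a SonarQube-style wildcard pattern into an anchored regex.

    Assumed semantics (see "Wildcard patterns" in Analysis scope):
      **/  zero or more directory levels
      *    any run of characters inside a single path segment
      ?    exactly one character inside a single path segment
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_hidden_path(path: str) -> bool:
    """True when any path component starts with a dot (hidden on UNIX)."""
    return any(part.startswith(".") for part in path.split("/"))


def secret_detection_scope(language_files, git_tracked_files, *,
                           inclusions_active=False,
                           inclusions=DEFAULT_INCLUSIONS,
                           excluded_suffixes="",
                           unix=True):
    """Return the sorted list of files the secret analyzer would look at.

    language_files:    files already processed by the language analyzers
                       (always in scope, per the page).
    git_tracked_files: what `git ls-files` would print (constructed here);
                       only tracked files can be added via path patterns.
    unix:              apply the hint that dot-prefixed files/dirs are skipped
                       on UNIX (assumption: applied to pattern-added files).
    """
    in_scope = set(language_files)
    if inclusions_active:
        regexes = [wildcard_to_regex(p.strip())
                   for p in inclusions.split(",") if p.strip()]
        for path in git_tracked_files:
            if unix and is_hidden_path(path):
                continue
            if any(r.match(path) for r in regexes):
                in_scope.add(path)
    # sonar.text.excluded.file.suffixes: assumed to be plain string suffixes
    # such as ".bin" compared against the end of the path.
    suffixes = [s.strip() for s in excluded_suffixes.split(",") if s.strip()]
    return sorted(p for p in in_scope
                  if not any(p.endswith(s) for s in suffixes))


def scanner_properties(inclusions_active, inclusions, excluded_suffixes):
    """The equivalent -D flags for the CI/CD route (sonar-scanner)."""
    return [
        f"-Dsonar.text.inclusions.activate={'true' if inclusions_active else 'false'}",
        f"-Dsonar.text.inclusions={inclusions}",
        f"-Dsonar.text.excluded.file.suffixes={excluded_suffixes}",
    ]


# Constructed sample repository listing (not from the page).
LANGUAGE_FILES = ["src/app/main.py"]
TRACKED_FILES = [
    "src/app/main.py", "deploy/start.sh", "config/app.properties",
    "config/cache.bin", "certs/server.pem", ".env", ".aws/config",
    ".github/workflows/ci.yml", "docs/readme.txt",
    "scripts/nested/deep/run.ps1", "tools/build.conf",
]
# Default patterns plus a custom one that pulls in everything under config/.
CUSTOM_INCLUSIONS = DEFAULT_INCLUSIONS + ",config/**"

if __name__ == "__main__":
    for path in secret_detection_scope(LANGUAGE_FILES, TRACKED_FILES,
                                       inclusions_active=True,
                                       inclusions=CUSTOM_INCLUSIONS,
                                       excluded_suffixes=".bin"):
        print(path)
    print(" ".join(scanner_properties(True, CUSTOM_INCLUSIONS, ".bin")))
```

Running it shows that `config/cache.bin` is pulled in by the custom `config/**` pattern and then dropped again by the `.bin` suffix, and that `.env` and `.aws/config` only appear when the UNIX hidden-file rule is switched off, which is the interaction worth checking before relying on the default pattern list for dot-files.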

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Adding coding rules](/sonarqube-server/10.2/extension-guide/adding-coding-rules.md)

