This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

See latest version
Start Free
10.2 | Analyzing source code | Languages | Secrets

Was this page helpful?

Secrets

On this page

Configuring secret-specific parameters (general procedure) Adjusting the secret detection scope Related pages

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. 

Secrets analysis is available starting in Community Edition.

Configuring secret-specific parameters (general procedure)

Discover and update the secret-specific parameters in Administration > Configuration > General Settings > Languages > Secrets. 

Adjusting the secret detection scope

By default, SonarQube detects exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection by:

  • Adding files based on path-matching patterns.
  • Adjusting the binary file exclusion setup.

Adding files based on path-matching patterns

If you’re using a git repository, you can add files to the secret detection scope by defining path-matching patterns: the files matching the patterns will be included provided they are tracked by git.

To add additional files to the secret detection:

  1. In the SonarQube UI:
    • For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets.
    • For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets.
  2. Enable the Activate inclusion of custom file path patterns option.
  3. In the List of file path patterns to include, adjust the default path-matching patterns if necessary (see Wildcard patterns in Analysis scope).

Alternatively, configure the parameters listed below on the CI/CD host (see Analysis parameters for more information).

PropertyDescription
sonar.text.inclusions.activateEnables the inclusion of files to the secret detection according to the path-matching patterns defined in sonar.text.inclusions.
sonar.text.inclusions

Comma-separated list of path-matching patterns.

Possible values: A path can be relative (to the sonar.projectBaseDir property, which is by default the directory from which the analysis was started) or absolute. 

Default value: **/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties, **/*.conf,**/*.pem,**/*.config,.env,.aws/config

Adjusting the binary file exclusion setup

SonarQube excludes binary files from the analysis. In case binary file types are still included in your analysis, you can exclude these additional files.

To do so:

  1. In the SonarQube UI, 
    • For a global configuration: go to Administration > Configuration > General Settings > Languages > Secrets.
    • For a project-level configuration: open your project page and go to Project Settings > General Settings > Languages > Secrets.
  2. In Additional binary file suffixes, enter the list of suffixes to be excluded.

Alternatively, configure the parameter below on the CI/CD host (see Analysis parameters for more information).

PropertyDescription
sonar.text.excluded.file.suffixesComma-separated list of additional binary file suffixes to be excluded.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License