I was checking SonarQube Community Edition 25.3.0 on macOS x86_64 and found that secret detection does not work. Can someone please clarify if secret detection is available in Community Edition? If not, could someone guide me on which edition I would need to access this feature? I have properly enabled the quality profile for my project, but sonar-scanner still does not detect these vulnerabilities. If we define sensitive content inside ini files, it only detects it as part of the Python code. I want to understand: can it detect secret content in other file types like ini, pem, property files etc.?
It seems SonarQube CE does not natively support secret detection in non-code files like ini, config, pem, or property files. It can detect hardcoded sensitive strings (e.g., PASSWORD, API_KEY) in code files for certain languages, but this is limited to specific patterns and language-specific rules. After reviewing SonarQube's documentation, it appears that custom patterns/sensitive data detection in text-based configuration files might not be supported in the SonarQube Community Edition. I have posted the question in the Sonar community as well.
[dev]
password = test
username = test
It detects in the Python code below but not in the config file above:
import os
API_KEY = "test"
def aws_connect():
    password = "test"
    db_password = "test@12"
    github_token = "test"
    aws_access_key = "AKIASSEXAMPLEHHHH123LLL"
    aws_secret_key = "whhaKajjLajjKKjajj"
    print("Aws details",aws_access_key)
    return aws_access_key,aws_secret_key
DB_PASS = "test"
SECRET_TOKEN = "SG"
CONFIG = "OCI"
def get_token():
    config_value = "test123"
    return config_value
if __name__ == "__main__":
    aws_connect()
    print("DB_PASS", DB_PASS)
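The thread above reports that SonarQube CE raises nothing for credentials placed in .ini, .properties or .pem files. The scanner below is an added example, not part of the original post and not SonarQube code: it shows the checks a practitioner can run in CI for exactly those file types (key-name match, well-known token shapes, PEM private-key headers, and a Shannon-entropy check for random-looking values). File names, rule names and all sample contents are constructed for illustration; the AWS access-key value is the placeholder from AWS's own documentation, not a live key.

```python
"""Minimal secret scanner for text-based config files (.ini, .properties, .env, .pem).

Added example, not from the original post or from SonarQube. Rule names, file
names and sample contents are constructed for illustration.
"""
import configparser
import math
import re
from collections import Counter

# Key names that usually hold credentials (matched case-insensitively on the key).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)

# Token shapes worth flagging regardless of the key name they sit under.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words like 'test' score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def _kv_pairs(name: str, text: str):
    """Yield (key, value) pairs from .ini or .properties/.env style content."""
    if name.endswith(".ini"):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for section in cp.sections():
            for key, value in cp.items(section):
                yield f"{section}.{key}", value
    else:  # key=value or key: value, '#' and '!' comments
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith(("#", "!")):
                continue
            m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
            if m:
                yield m.group(1), m.group(2).strip().strip("\"'")


def scan_file(name: str, text: str) -> list[dict]:
    """Return one finding per suspected secret in the given file content."""
    findings = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append({"file": name, "rule": rule, "match": m.group(0)})
    already = {f["match"] for f in findings}  # avoid a second hit on the same value
    if name.endswith((".ini", ".properties", ".env")):
        for key, value in _kv_pairs(name, text):
            if not value or value in already:
                continue
            if SENSITIVE_KEY.search(key):
                findings.append({"file": name, "rule": "sensitive-key", "key": key, "match": value})
            elif len(value) >= 20 and shannon_entropy(value) > 4.0:
                findings.append({"file": name, "rule": "high-entropy-value", "key": key, "match": value})
    return findings


def scan_all(files: dict[str, str]) -> dict[str, list[dict]]:
    """Scan a mapping of file name -> content and return findings per file."""
    return {name: scan_file(name, text) for name, text in files.items()}


# Constructed sample inputs (no real credentials; the AWS value is the documented placeholder).
SAMPLES = {
    "app.ini": "[dev]\npassword = test\nusername = test\n",
    "db.properties": "db.user=svc\ndb.secret=Sup3rS3cr3tValue!\nregion=eu-west-1\n"
                     "jwt.signing=Q7x9LmP2vT4wZ8kR1nB6yH3jF5dS0aG\n",
    "keys.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholder\n"
                  "-----END RSA PRIVATE KEY-----\n",
}


def _mask(value: str) -> str:
    """Never echo a full secret into CI logs; show a short prefix only."""
    return value[:4] + "*" * max(0, len(value) - 4)


if __name__ == "__main__":
    for fname, hits in scan_all(SAMPLES).items():
        for hit in hits:
            print(f"{fname}: {hit['rule']} key={hit.get('key', '-')} value={_mask(hit['match'])}")
```

The entropy threshold (4.0 bits over values of at least 20 characters) is a rough heuristic chosen for this example: it catches random API keys while letting short placeholder values such as "test" through, so the key-name rule is what flags the `password = test` line from the thread. In a real pipeline you would exit non-zero when `scan_all` returns any finding, and tune or allow-list rules per repository.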
Original thread title: security - Secret detection does not work with sonarqube community edition 25.3.0 on macos x86_64 for file type ini, config, pem (http://www.betaflare.com/web/1744636801a2616870.html)