
We are moving from SonarQube to SonarCloud. In SonarQube we are using the Sonar Secrets plugin.

With the standard built-in profiles we couldn't find hardcoded secrets that we found with this plugin.

Now I am not sure what we can do to check for hardcoded secrets in SonarCloud. I couldn't find a way to install plugins, and it looks like this plugin is only compatible with the community version.

Could anybody recommend a way to deal with this?

Olga
  • In the "Vulnerability" or "security hotspot" section there is a rule for "Hard-coded credentials are security-sensitive". Does this suffice? – Lonzak Sep 17 '20 at 06:44
  • I have tested the same repository with standard rules and with the SonarSecrets plugin. Standard rules hadn't detected the credentials/tokens/API keys that I had hardcoded. From what I have seen, they wouldn't find much, unless you explicitly write "password". – Olga Oct 01 '20 at 09:42
  • In the existing Sonar rule you are able to specify your own keywords, so just add yours. By default the following are checked: `password,passwd,pwd,passphrase,java.naming.security.credentials`. So add `token, api key` and so on. – Lonzak Oct 01 '20 at 10:02
  • It's more than just keywords, I am talking about something more complex like the rules from this plugin https://github.com/Skyscanner/sonar-secrets/tree/master/javascript/src/main/java/org/sonar/skyscanner/javascript/checks – Olga Oct 14 '20 at 07:51

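To illustrate the gap the comments are arguing about, here is an added example (not code from Sonar, SonarCloud or the Skyscanner plugin) that runs a name-based keyword check, using the default keyword list quoted above plus the suggested extras, beside a value-based pattern check over a few constructed source lines. The regexes, sample lines and function names are this example's own assumptions; the point is that extending the keyword list still misses a secret whose variable name contains none of the keywords, while a pattern on the value's shape catches it.

```python
import re

# Default keyword list quoted in the comments above, plus the extras suggested there.
DEFAULT_KEYWORDS = ["password", "passwd", "pwd", "passphrase",
                    "java.naming.security.credentials"]
EXTRA_KEYWORDS = ["token", "api key", "apikey"]

# Shape-based rules in the spirit of the linked Skyscanner checks (constructed here,
# not copied from that plugin): they inspect the value, not the variable name.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "long-hex-secret": re.compile(r"['\"][0-9a-f]{32,}['\"]"),
}

# Constructed sample source lines; the AWS value is Amazon's documented example key.
SAMPLE_LINES = [
    'password = "hunter2"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'signing_key = "0123456789abcdef0123456789abcdef"',
    'timeout = 30',
]

# A string literal assigned to a bare identifier (the shape the name-based check looks at).
_ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*['\"][^'\"]+['\"]")

def _norm(s):
    # Compare identifiers and keywords ignoring case, spaces, dots, dashes and underscores.
    return re.sub(r"[\s._-]", "", s.lower())

def keyword_findings(lines, keywords):
    """Name-based check: flag a string assignment whose variable name contains a keyword."""
    wanted = [_norm(k) for k in keywords]
    return [(n, "keyword") for n, line in enumerate(lines, 1)
            if (m := _ASSIGN.match(line)) and any(k in _norm(m.group(1)) for k in wanted)]

def pattern_findings(lines):
    """Value-based check: flag a line when any secret-shaped pattern occurs in it."""
    return [(n, rule) for n, line in enumerate(lines, 1)
            for rule, rx in PATTERN_RULES.items() if rx.search(line)]

def scan(lines, keywords):
    """Union of both checks, ordered by line number; the name-based check alone misses lines 2 and 3."""
    return sorted(keyword_findings(lines, keywords) + pattern_findings(lines))

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES, DEFAULT_KEYWORDS + EXTRA_KEYWORDS):
        print(hit)
```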
0 Answers