Secure code scanning for developers

Developer-first secrets detection across your workflow

SonarQube's secrets detection catches exposed code secrets, like passwords and access tokens, the moment they are written in your IDE or introduced at the pipeline stage. With actionable, in-context guidance, developers can remediate immediately, ensuring security and code quality are maintained at the speed of development.

Secrets Detection
Advanced detection covers even more secrets patterns and cloud services

What are secrets?

Secrets are high-value credentials, like passwords, API keys, and database tokens, that are hardcoded within your source code and that, when exposed, compromise a company's security. Exposed secrets can grant unauthorized access to systems and data, leading to breaches and compliance risks. Preventing exposure requires identifying and removing secrets early in development and ensuring they never reach source control.

Secrets consist of:

  • Passwords
  • API keys
  • Encryption keys
  • Tokens
  • Database credentials

Why are leaked secrets a critical business risk?

Leaked secrets are a severe security risk since they grant unauthorized access to secure systems and data. Attackers can pivot quickly, escalate privileges, and exfiltrate sensitive information using exposed tokens, keys, or credentials. Rapid detection and immediate rotation of affected secrets are critical to contain impact and restore a secure posture.

Secrets in your code repository:

  • Increase developer workload to find, fix, and push changes
  • Require painful remediation, since every leaked key, token, and password has to be rotated

How does secrets detection work?

SonarQube uses a combination of regular expressions and semantic analysis to detect secrets in source code. It scans as you code in your IDE with SonarQube for IDE, a true shift-left approach, unlike secrets detection tools that only look at what is already in the Git repository. Because secrets are flagged while you write, they need never enter your repository, which is the only point at which a leak is fully preventable: once a secret has been committed it lives on in the history even after the line is deleted, and the secret itself must be rotated. This proactive coverage extends into the CI/CD pipeline with automated quality gates that prevent risky changes from merging.

Sonar’s secrets detection is…

  • POWERFUL
  • FAST
  • COMPLETE
  • ACCURATE
  • RELIABLE
  • OPEN SOURCE
  • FREE

POWERFUL

Sonar leverages the power of both RegEx and Semantic Analysis

  • Now with 340+ rules that cover 400+ secrets patterns
  • Detects secrets/tokens used in 248 cloud services
  • Semantic analysis checks covering 19 languages, including Java, C#, PHP, Python, and XML
  • Only Sonar covers 1000+ APIs with password or token arguments
  • Coverage of Infrastructure as Code (IaC) languages and files
  • Complete scanning of all file types in the repository

Keep your company-specific secrets from leaking in CI/CD

Publicly known secret formats cover most of the secrets found in code, but a good portion are company-specific secrets with a structure or format only your company knows. With SonarQube Server Enterprise Edition and Data Center Edition you can create custom rules for your company’s private secret patterns, extending detection to the secrets the built-in rules cannot know about and bringing coverage up to the full set of secrets your code can contain.
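As an added example (not SonarQube's code or its rule set), the following Python sketch shows how the two approaches described in the section on how secrets detection works combine: pattern rules for secrets with a publicly known format, a semantic rule that flags credential-looking variable names assigned a string literal, and an entropy and placeholder check that suppresses the obvious false positives. It also includes a made-up company-specific token format, `acme_` followed by 32 hex characters, standing in for the kind of custom rule described just above; the sample source lines are constructed for the example, and the AWS key in them is the placeholder value from AWS's own documentation.

```python
"""Toy secrets scanner combining pattern rules and a semantic assignment rule.

Added example: not SonarQube's implementation or rule set, only an illustration
of the regex-plus-semantics idea described on the page.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Pattern rules for secrets with a publicly known format. The AWS and GitHub
# prefixes are the documented ones; the patterns are simplified for illustration.
# "acme-internal-token" is a made-up company-specific format (assumption), the
# kind of thing a custom rule would cover.
PATTERN_RULES: dict[str, re.Pattern[str]] = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "acme-internal-token": re.compile(r"\bacme_[0-9a-f]{32}\b"),
}

# Semantic rule: a credential-looking name assigned a string literal.
ASSIGN_RE = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
)
SENSITIVE_NAMES = re.compile(
    r"pass(word|wd)?|secret|token|api_?key|access_key|private_key", re.I
)
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<your-token>"}
MIN_ENTROPY = 3.0  # bits per character; below this the literal is not random-looking


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Reject obvious non-secrets: documentation placeholders and template variables."""
    return value.lower() in PLACEHOLDERS or value.startswith("${")


def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), 1):
        seen: set[str] = set()
        # 1. Pattern rules: exact formats of well-known (or custom) secret types.
        for rule, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
                seen.add(m.group(0))
        # 2. Semantic rule: credential-like name = high-entropy literal,
        #    skipped when a pattern rule already reported the same value.
        m = ASSIGN_RE.search(line)
        if not m or not SENSITIVE_NAMES.search(m.group("name")):
            continue
        value = m.group("value")
        if value in seen or looks_like_placeholder(value):
            continue
        if shannon_entropy(value) < MIN_ENTROPY:
            continue
        findings.append(Finding(line_no, "hardcoded-credential", value))
    return findings


# Constructed sample input; the AWS key is the placeholder value from AWS's own docs.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
db_password = os.environ["DB_PASSWORD"]
api_token = "${API_TOKEN}"
api_token = "c8f1e2a9d0b4471f9e3a5c6d7e8f9012"
session_secret = "aaaaaaaaaaaaaaaa"
acme_token = "acme_0123456789abcdef0123456789abcdef"
label = "this is a readable sentence"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.value[:6]}...")
```

Run against the sample, the scanner reports the AWS key on line 2 via a pattern rule, the hex token on line 6 via the semantic rule, and the company-specific token on line 8 via the custom pattern; the placeholder, the environment-variable lookup, the template variable, and the low-entropy literal are all left alone. A real product's rules are far more extensive than this, but the shape of the decision is the same: known format first, then name plus literal plus plausibility.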

Secrets detection: Comprehensive protection from IDE to CI/CD

SonarQube goes further by educating developers with in-IDE guidance and with code scanning in your CI/CD pipeline that pinpoints which code contains secrets. Each secrets detection rule includes clear remediation content explaining why the flagged code segment is a secret and what its exposure risks, supporting DevSecOps best practices and compliance. Developers learn how to keep secrets out of their code with actionable, audit-ready guidance and quality gates that stop leaks before merge.

© 2025 SonarSource Sàrl. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD and CLEAN AS YOU CODE are registered trademarks of SonarSource Sàrl.