ADVANCED SECRETS DETECTION

is your source code leaking secrets?

Secrets in your source code, when leaked, expose you to a security vulnerability due to illicit access to your private data. Sonar can find secrets in source code in your IDE using SonarQube for IDE and also detect them in your CI/CD pipeline using SonarQube Server and SonarQube Cloud.

Advanced detection covers even more secrets patterns and cloud services
See More

what are secrets?

Secrets are any sensitive or private information residing in your code that when exposed, will compromise a company's security.


Secrets consist of:

  • Passwords
  • API keys
  • Encryption keys
  • Tokens
  • Database credentials
Image shows Secrets like Passwords, Keys and API's

damage of leaked secrets

Leaked secrets are a severe security exposure when they end up in the hands of cybercriminals, granting unauthorized access to secure systems and data.


Secrets in your code repository:

  • Increases developer workload to find, fix, and push changes
  • Requires painful remediation by forcing rotation of keys, tokens, and passwords
Image shows secrets being discovered

how does secrets detection work?

Sonar uses a powerful combination of Regular Expressions and Semantic Analysis to detect secrets in source code. We scan as you code in your IDE with SonarQube for IDE in a true shift left approach, unlike other secrets detection tools, which only detect secrets in Git repo. Because Sonar can detect secrets in code while you write, secrets never enter your repository, eliminating leakage. Additionally, SonarQube Server and SonarQube Cloud catch secrets that unintentionally enter your repo or your CI/CD pipeline for a complete solution. 

Sonar’s advanced secrets detection is…

  • POWERFUL

  • FAST

  • COMPLETE

  • ACCURATE

  • RELIABLE

  • OPEN SOURCE

  • FREE

POWERFUL

Sonar leverages the power of both RegEx and Semantic Analysis

  • Now with 119 rules that cover 166 secrets patterns
  • Detects secrets/tokens used in 113 cloud services
  • Semantic analysis checks covering 19 languages, including Java, C#, PHP, Python, and XML
  • Only Sonar covers 1000+ APIs with password or token arguments
  • Coverage of Infrastructure as Code (IaC) languages and files
  • Complete scanning of all file types in the repository

keep your company-specific secrets from leaking

Publicly known secrets cover most of your secrets, but a good portion are company-specific secrets with a structure or format only your company knows. Create custom rules with SonarQube Server Enterprise Edition and Data Center Edition to detect your company’s private secret patterns and deliver the best secrets detection coverage, up to 100% of all your secrets.

Image shows company specific secrets that are prevented from being leaked out

the most comprehensive prevention solution

Sonar goes above and beyond by educating developers on which code contains secrets. Each secrets detection rule includes content explaining why the found code segment is a secret and the impact details of why the secret poses a security risk. Now developers know how not to include secrets in their code. How cool is that?

Image shows portfolio metrics. Looking good!

Try a better way to code

Start with open sourceExplore all editions
  • Legal documentation
  • Trust center
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.