{"id":19671694,"url":"https://github.com/skyscanner/sonar-secrets","last_synced_at":"2025-04-29T01:30:37.795Z","repository":{"id":39578873,"uuid":"141591175","full_name":"Skyscanner/sonar-secrets","owner":"Skyscanner","description":"SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc..","archived":true,"fork":false,"pushed_at":"2023-12-01T22:56:31.000Z","size":5479,"stargazers_count":100,"open_issues_count":18,"forks_count":24,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-14T23:11:12.870Z","etag":null,"topics":["devsecops","hardcoded-credentials","pipeline","scanning"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Skyscanner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-19T14:28:35.000Z","updated_at":"2024-10-31T11:00:48.000Z","dependencies_parsed_at":"2024-06-20T04:40:54.261Z","dependency_job_id":"90339591-beba-464a-a4d1-36a597947cb0","html_url":"https://github.com/Skyscanner/sonar-secrets","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fsonar-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fsonar-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fsonar-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Skyscanner%2Fsonar-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Skyscanner","download_url":"https://codeload.github.com/Skyscanner/sonar-secrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251415574,"owners_count":21585855,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","hardcoded-credentials","pipeline","scanning"],"created_at":"2024-11-11T17:09:29.592Z","updated_at":"2025-04-29T01:30:37.207Z","avatar_url":"https://github.com/Skyscanner.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SonarQube™ Secrets plugin\n\n[![](https://github.com/Skyscanner/sonar-secrets/workflows/build/badge.svg)](https://github.com/Skyscanner/sonar-secrets/actions)\n[![](https://img.shields.io/badge/Java-8-red)](https://img.shields.io/badge/Java-8-red)\n\n\n`Sonar Secrets` plugin for SonarQube™ is designed to identify hardcoded secrets such as passwords, API keys, AWS credentials, tokens, etc. In line with best security practices it is recommended to use a credentials store (such as credstash or Vault) to contain all secrets, and refer to these using identifiers, such that the source code will never contain any cleartext secret.\n\nThis plugin supports Java and JavaScript.\n\n**Requirement:** Java 8\n\n# Installation Guide\n### Build\n```bash\nmake build\n```\n\nIf everything went well you should see the following message:\n```\n...\n[INFO] BUILD SUCCESS\n[INFO] ------------------------------------------------------------------------\n[INFO] Total time: 7.065 s\n[INFO] Finished at: 2017-10-26T05:00:33-04:00\n[INFO] Final Memory: 23M/252M\n[INFO] ------------------------------------------------------------------------\n```\n\n`sonar-secrets-java-x.x.jar` will be placed in `sonar-secrets/java/target` directory.\n\n`sonar-secrets-javascript-x.x.jar` will be placed in `sonar-secrets/javascript/target` directory.\n\n### Install\n* Copy `jar` files to your SonarQube™ plugin directory (ex: `/opt/sonarqube/extensions/plugins`)\n* Restart SonarQube™ server\n\nIn startup logs you should see:\n```\n...\nINFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets Java / x.x\nINFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets JavaScript / x.x\n...\n```\n\n### Configure\n* Enable `sonar-secrets-java` and `sonar-secrets-javascript` in your Quality Profiles\n\n*Note:* you can locate `sonar-secrets` rules in Web UI by using Tag filter `skyscanner`.\n\nSonarQube™ is a trademark of SonarSource SA, Switzerland.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskyscanner%2Fsonar-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskyscanner%2Fsonar-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskyscanner%2Fsonar-secrets/lists"}