Ecosyste.ms: Awesome
https://github.com/skyscanner/sonar-secrets
SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.
Topics: devsecops, hardcoded-credentials, pipeline, scanning
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/skyscanner/sonar-secrets
- Owner: Skyscanner
- License: other
- Created: 2018-07-19T14:28:35.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2023-12-01T22:56:31.000Z (about 1 year ago)
- Last Synced: 2024-06-20T05:23:12.671Z (7 months ago)
- Topics: devsecops, hardcoded-credentials, pipeline, scanning
- Language: Java
- Size: 5.23 MB
- Stars: 98
- Watchers: 7
- Forks: 24
- Open Issues: 18
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# SonarQube™ Secrets plugin
[![](https://github.com/Skyscanner/sonar-secrets/workflows/build/badge.svg)](https://github.com/Skyscanner/sonar-secrets/actions)
[![](https://img.shields.io/badge/Java-8-red)](https://img.shields.io/badge/Java-8-red)

`Sonar Secrets` plugin for SonarQube™ is designed to identify hardcoded secrets such as passwords, API keys, AWS credentials, tokens, etc. In line with best security practices it is recommended to use a credentials store (such as credstash or Vault) to contain all secrets, and refer to these using identifiers, such that the source code will never contain any cleartext secret.
This plugin supports Java and JavaScript.
**Requirement:** Java 8
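An added example (not code from the sonar-secrets project) contrasting the pattern the plugin is built to flag with the pattern the paragraph above recommends; `SecretStore` and `EnvSecretStore` are hypothetical stand-ins for a credstash or Vault client, and the credential values are AWS's documented example keys, used as placeholders:

```java
// Added example (not from the sonar-secrets project): the pattern the plugin
// flags, beside the pattern the README recommends.
import java.util.Objects;

public class S3ClientConfig {

    // BEFORE: cleartext credentials in source; the values are AWS's documented
    // example keys, used here as constructed placeholders, not real credentials.
    // This is the pattern a secrets scanner such as sonar-secrets is meant to flag.
    static final class Hardcoded {
        static final String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
        static final String AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    }

    // AFTER: source holds only identifiers; values live in a credentials store
    // (credstash, Vault, or as a runnable stand-in here, environment variables
    // provisioned by the deployment pipeline). SecretStore is a hypothetical interface.
    interface SecretStore {
        String get(String identifier);
    }

    static final class EnvSecretStore implements SecretStore {
        @Override
        public String get(String identifier) {
            String value = System.getenv(identifier);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("secret not provisioned: " + identifier);
            }
            return value;
        }
    }

    static final String ACCESS_KEY_ID = "S3_UPLOADER_ACCESS_KEY_ID";         // identifier, not a value
    static final String SECRET_ACCESS_KEY = "S3_UPLOADER_SECRET_ACCESS_KEY"; // identifier, not a value

    private final String accessKeyId;
    private final String secretAccessKey;

    S3ClientConfig(SecretStore store) {
        this.accessKeyId = Objects.requireNonNull(store.get(ACCESS_KEY_ID));
        this.secretAccessKey = Objects.requireNonNull(store.get(SECRET_ACCESS_KEY));
    }

    public static void main(String[] args) {
        S3ClientConfig cfg = new S3ClientConfig(new EnvSecretStore());
        // Confirm provisioning without ever logging the secret itself.
        System.out.println("loaded " + cfg.accessKeyId.length() + "-char access key id");
    }
}
```

Run with the two environment variables set; if either is missing the constructor fails fast instead of silently falling back to an embedded value.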
# Installation Guide
### Build
```bash
make build
```

If everything went well you should see the following message:
```
...
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.065 s
[INFO] Finished at: 2017-10-26T05:00:33-04:00
[INFO] Final Memory: 23M/252M
[INFO] ------------------------------------------------------------------------
```

`sonar-secrets-java-x.x.jar` will be placed in the `sonar-secrets/java/target` directory.
`sonar-secrets-javascript-x.x.jar` will be placed in the `sonar-secrets/javascript/target` directory.
### Install
* Copy `jar` files to your SonarQube™ plugin directory (ex: `/opt/sonarqube/extensions/plugins`)
* Restart SonarQube™ server

In startup logs you should see:
```
...
INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets Java / x.x
INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets JavaScript / x.x
...
```

### Configure
* Enable `sonar-secrets-java` and `sonar-secrets-javascript` in your Quality Profiles

*Note:* you can locate `sonar-secrets` rules in the Web UI by using the Tag filter `skyscanner`.
SonarQube™ is a trademark of SonarSource SA, Switzerland.