if they are false positives, is it possible to share some example with us?. are they real secrets or do you consider them as false positives?. I’d be curious to know whether, beyond the need you expressed for SonarLint to emit the same warnings as your build systems (which is totally clear to me and makes sense), do you have any feedback about the issues that were emitted by SonarLint in your case? We feel it is critical to avoid secrets to leak into repositories (after all, is there any good reason to allow secrets to leak into a repository?), and I invite your to read our motivations in our blog post: Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe We decided to first ship the “Secrets detection” feature in SonarLint because this is where we think it will bring the most value to our users, as this way they can prevent those secrets to leak in the first place, instead of undergoing remediation actions once the secrets have leaked. Let me add that the current situation is temporary, as we envisage to add the secrets detection in SonarQube as well in the future.Īlthough we don’t have an ETA yet, when the feature will be added to SonarQube, you’ll be able to configure the rule for secrets detection in your quality profile, and those issues will only be raised in SonarLint if they are activated in the quality profile. Thanks for the explanations you provided, it is clearer now. Before sonarlint plugin upgrade, this was not occuring. INTELLIJ JPROFILER FULL
Launch full sonarlint analysis, sonarqube connected mode, on a project which have zero sonarqube warnings : some “secrets:” warnings are emitted, these “secrets:” rules do not exist sonarqube server end, they should not be emitted. I assume these “local” rules sonarlint end are played even if connected to sonarqube : it sounds like a bug to me. I tried Intellij invalidate cache & restart : no effect.
I tried unchecking all rules into the new settings tab “Tools>SonarLint>Rules tab” : no effect. Since we are working on sonarqube connected mode, i assume they must not be reported sonarlint + intellj end, but they are.
These rules do not exist sonarqube server end (they were not reported before sonarlint plugin upgrade, mvn sonar:sonar do not report them). Non-Bundled Plugins:, Error-prone plugin, zielu.gittoolbox, GrepConsole,, ,, JProfilerĬonnected to a sonarqube server, some rules, “secrets:” related are emitted. VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o. (notice : i created an account on, but i dont have the rights to open a ticket, dunno why, so i post here).
0 kommentar(er)
