# Secrets

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarQube Community Build detects exposed Secrets in all files processed by the language analyzers and in all files configured through the `sonar.text.inclusions` property.

This page explains how to configure the secret-specific parameters and to adjust the secret detection scope.

{% hint style="info" %}
SonarQube Community Build doesn’t support defining custom rules based on your own secret patterns to detect secrets that are specific to your company. See [feature-comparison-table](https://open-2v.gitbook.com/url/docs.sonarsource.com/sonarqube-community-build/feature-comparison-table "mention") to find out which SonarQube deployments support this feature.
{% endhint %}

## Configuring secret-specific parameters (general procedure) <a href="#language-specific-properties" id="language-specific-properties"></a>

Discover and update the secret-specific [analysis-parameters](https://open-2v.gitbook.com/url/docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/analysis-parameters "mention") in **Administration** > **Configuration** > **General Settings** > **Languages** > **Secrets**.

## Adjusting the secret detection scope <a href="#detection-scope" id="detection-scope"></a>

By default, SonarQube Server and SonarQube Community Build detect exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection by:

* Excluding hidden files from the analysis.
* Adding files based on path-matching patterns.
* Adjusting the binary file exclusion setup.

### Analysis of hidden files <a href="#analysis-of-hidden-files" id="analysis-of-hidden-files"></a>

Depending on which scanner is used, additional hidden files tracked by Git are included in the secrets analysis.

This behavior can be disabled by setting the `sonar.scanner.excludeHiddenFiles` analysis parameter to `true`.

{% hint style="warning" %}
Analyzing additional hidden files is currently only partially supported with the SonarScanner for Maven and Gradle. Additional hidden files are only analyzed if they’re inside the `src/main/java` or `src/test/java` folder in the root or module directories.

Analyzing additional hidden files is currently not supported with SonarScanner for .NET.
{% endhint %}

### Adding files based on path-matching patterns <a href="#adding-files-based-on-pathmatching-patterns" id="adding-files-based-on-pathmatching-patterns"></a>

If you’re using a git repository, you can add files to the secret detection scope by defining path-matching patterns: the files matching the patterns will be included **provided they are tracked by git**.

To add additional files to the secret detection:

1. In the SonarQube Server UI:
   * For a global configuration: go to **Administration** > **Configuration** > **General Settings** > **Languages** > **Secrets**
   * For a project-level configuration: open your project page and go to **Project Settings** > **General Settings** > **Languages** > **Secrets**
2. Enable the **Activate inclusion of custom file path patterns** option.
3. In the **List of file path patterns to include**, adjust the default path-matching patterns if necessary (see the [Defining matching patterns](https://app.gitbook.com/s/yDv2XwTC1xoOKBYeCK45/project-administration/setting-analysis-scope/defining-matching-patterns "mention") page).

Alternatively, configure the parameters listed below on the CI/CD host. See the [Analysis parameters](https://app.gitbook.com/s/yDv2XwTC1xoOKBYeCK45/analyzing-source-code/analysis-parameters "mention") page for more information about other parameters.

| **Property**                     | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sonar.text.inclusions.activate` | Enables the inclusion of files to the secret detection according to the path-matching patterns defined in `sonar.text.inclusions`.                                                                                                                                                                                                                                                                                                                                                                                                             |
| `sonar.text.inclusions`          | <p>Comma-separated list of path-matching patterns.</p><p><strong>Possible values:</strong> A path can be relative (to the <code>sonar.projectBaseDir</code> property, which is by default the directory from which the analysis was started) or absolute.</p><p><strong>Default value</strong>: <code>**/*.sh,**/*.bash,**/*.zsh,**/*.ksh,**/*.ps1,**/*.properties,**/*.conf,**/*.pem,**/*.config,.env,.aws/config</code></p> |

### Adjusting the binary file exclusion setup <a href="#adjusting-the-binary-file-exclusion-setup" id="adjusting-the-binary-file-exclusion-setup"></a>

SonarQube Server and SonarQube Community Build exclude binary files from the analysis. If files of some binary type are still included in your analysis, you can exclude them by listing their suffixes.

To do so:

1. In the SonarQube Server and SonarQube Community Build UI:
   * For a global configuration: go to **Administration** > **Configuration** > **General Settings** > **Languages** > **Secrets**.
   * For a project-level configuration: open your project page and go to **Project Settings** > **General Settings** > **Languages** > **Secrets**.
2. In **Additional binary file suffixes**, enter the list of suffixes to be excluded.

Alternatively, configure the parameter below on the CI/CD host. See the [Analysis parameters](https://app.gitbook.com/s/yDv2XwTC1xoOKBYeCK45/analyzing-source-code/analysis-parameters "mention") page for more information about other parameters.

| **Property**                        | **Description**                                                         |
| ----------------------------------- | ----------------------------------------------------------------------- |
| `sonar.text.excluded.file.suffixes` | Comma-separated list of additional binary file suffixes to be excluded. |
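The following `sonar-project.properties` shows the scope settings from the two procedures above (custom inclusion patterns and additional binary suffixes) together with the hidden-file and activation switches from this page. It is an added example, not a file from the SonarQube documentation; the project key, the source directory, the narrowed pattern list and the two binary suffixes are assumed values chosen for illustration.

```properties
# Added example: secret-detection scope settings for one project.
# projectKey and sources are assumed values, not defaults.
sonar.projectKey=example-service
sonar.sources=.

# Secret detection is on by default; set to false to deactivate it.
sonar.text.activate=true

# Turn on the custom path-matching patterns defined in sonar.text.inclusions.
# Matching files are only added when they are tracked by git.
sonar.text.inclusions.activate=true

# Narrower list than the default: shell scripts, Java-style property files and
# PEM files anywhere in the tree, plus dotenv files and the AWS CLI config.
# Relative paths are resolved against sonar.projectBaseDir.
sonar.text.inclusions=**/*.sh,**/*.properties,**/*.pem,.env,.aws/config

# Binary formats this repository still had in scope (assumed suffixes).
sonar.text.excluded.file.suffixes=.pkl,.sqlite

# Uncomment to leave git-tracked hidden files out of the secrets analysis.
# sonar.scanner.excludeHiddenFiles=true
```

The scanner reads this file from the project base directory; each key can equally be passed on the command line as a `-D` analysis parameter, which is the form to use when the values must differ per CI/CD job.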

## Analysis of files that don't contain code <a href="#analysis-of-files-that-dont-contain-code" id="analysis-of-files-that-dont-contain-code"></a>

Files that don’t contain code (for example, `build.gradle` and `sonar-project.properties`) are scanned during analysis and displayed in the SonarQube Server UI after an issue is detected in them. If no secrets are detected in those files, they are not displayed in the UI.

## Deactivating secrets analysis <a href="#deactivating-secrets-analysis" id="deactivating-secrets-analysis"></a>

You can deactivate the analysis of secrets by setting the `sonar.text.activate` property to `false`.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [adding-coding-rules](https://open-2v.gitbook.com/url/docs.sonarsource.com/sonarqube-community-build/extension-guide/adding-coding-rules "mention")
* [secrets](https://open-2v.gitbook.com/url/docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/languages/secrets "mention")
