ADVANCED SECRETS DETECTION

Is your source code leaking secrets?

SonarQube detects leaked secrets throughout your development workflow, identifying them directly in the IDE and within your CI/CD pipeline.


TRUSTED BY OVER 7M DEVELOPERS AND 400K ORGANIZATIONS


What are secrets?

Secrets are any sensitive or private information residing in your code that, when exposed, will compromise a company's security.


Secrets consist of:

  • Passwords
  • API keys
  • Encryption keys
  • Tokens
  • Database credentials

Damage of leaked secrets

Leaked secrets are a severe security exposure when they end up in the hands of cybercriminals, granting unauthorized access to secure systems and data.


Secrets in your code repository:

  • Increase developer workload to find, fix, and push changes
  • Require painful remediation by forcing rotation of keys, tokens, and passwords

How does secrets detection work?

Sonar uses a powerful combination of Regular Expressions and Semantic Analysis to detect secrets in source code. We scan as you code in your IDE with SonarQube for IDE in a true shift-left approach, unlike other secrets detection tools, which only detect secrets once they are in the Git repository. Because Sonar can detect secrets in code while you write, secrets never enter your repository, eliminating leakage.
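As an added example (not Sonar's code; its rule set is far more extensive), the Python sketch below shows the regex-plus-context combination the paragraph describes: patterns find candidate values, then context checks drop placeholders, environment-variable references and low-entropy filler that a bare regex would report as leaks. The "acme_live_" token format and the sample source are constructed for this illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed rules (not Sonar's): a generic "credential-looking assignment" pattern and a
# hypothetical company-specific token format, prefix "acme_live_" followed by 24 hex chars.
PATTERNS = {
    "generic-credential-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "acme-live-token": re.compile(r"\b(acme_live_[0-9a-f]{24})\b"),
}
# Values that match syntactically but are placeholders or indirections, not leaked material.
PLACEHOLDER = re.compile(r"(?i)^(<.*>|\$\{?[A-Z_]+\}?|x+|\*+|changeme|example.*|your[-_].*)$")

@dataclass
class Finding:
    line_no: int
    rule: str
    value: str

def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking secrets score high, filler like 'aaaa' scores 0."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan(source: str, min_entropy: float = 3.0) -> list[Finding]:
    """Regex match first, then the context checks that drop the usual false positives."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex)
                if PLACEHOLDER.match(value):
                    continue  # "<your-key>", "${VAR}", "xxxx": nothing real is exposed
                if rule == "generic-credential-assignment" and shannon_entropy(value) < min_entropy:
                    continue  # the generic rule needs a random-looking value to be credible
                findings.append(Finding(line_no, rule, value))
    return findings

# Constructed sample source; every credential below is fake.
SAMPLE = """\
db_password = "Tr0ub4dor&3xYz"
API_KEY = "<your-api-key-here>"
token = "${GITHUB_TOKEN}"
password = "aaaaaaaaaaaa"
client = Acme(key="acme_live_3f9c1e7b2a4d6c8e0f1a2b3c")
"""

def scan_sample() -> list[Finding]:
    return scan(SAMPLE)  # expected: line 1 (generic rule) and line 5 (acme rule)
```

Only lines 1 and 5 of the sample are reported; lines 2 to 4 are the kinds of match that inflate the false positive rate of a regex-only scanner.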


Sonar’s secrets detection is…


Powerful

Sonar's comprehensive secret detection goes beyond typical solutions, with over 340 rules that identify more than 400 secret patterns across 248 cloud services and a thousand APIs.


Fast

Running a secrets detection scan happens together with your regular code scan and has no noticeable impact on scan time.


Complete

Sonar performs secrets detection in the IDE using SonarQube for IDE, and in your repository and CI/CD pipeline using SonarQube Server or SonarQube Cloud.


Accurate

Sonar’s secrets detection boasts a false positive rate of less than 5%, which is critical for ensuring accuracy and maintaining developer trust.


Reliable

Sonar’s secrets detection engine avoids runaway or overflowing scans with a built-in safeguard that stops a scan when it is taking too long to finish.


Open source

Sonar’s secrets detection code and rules are publicly available as Open Source for community contributions. Learn how to contribute!


Free

Secrets detection comes with SonarQube for IDE for free and is included in SonarQube Server and SonarQube Cloud commercial editions at no additional cost.

Keep your company-specific secrets from leaking

Publicly known secret formats cover most of your secrets, but a good portion are company-specific secrets with a structure or format only your company knows. Create custom rules with SonarQube Server Enterprise Edition and Data Center Edition to detect your company’s private secret patterns and deliver the best secrets detection coverage, up to 100% of all your secrets.


The most comprehensive prevention solution

Sonar goes above and beyond by educating developers on which code contains secrets. Each secrets detection rule includes content explaining why the flagged code segment is a secret and the impact of that secret being exposed. Now developers know how not to include secrets in their code. How cool is that?


Build trust into every line of code

Ready to deliver better, secure code? Get started today with the SonarQube deployment that's right for you.