Secure code scanning for developers

Catch secrets before the commit

SonarQube catches exposed secrets—like passwords and access tokens—the moment they are written. With actionable code intelligence, developers can remediate immediately, ensuring code security and code health are maintained at the speed of development.



The risk of hardcoded secrets

Hardcoded secrets are high-value credentials. Once exposed, an attacker can use them directly, with no vulnerability to exploit, so a single leak can compromise every system and data store the credential unlocks. SonarQube provides the "trust and verify" framework needed to identify these risks early, from API keys to database tokens. Catching them before they are committed avoids the costly, complex remediation and developer toil associated with repository leaks, keeping code security and code health prioritized throughout your workflow.

Why prevention is better than remediation

Once a secret is committed to a repository it must be treated as compromised, even if the commit is later deleted. Remediation means rotating the credential and cleaning history, a process that creates significant developer toil and operational friction. Preventing the commit is therefore more effective than post-commit remediation. SonarQube for IDE intercepts these risks as you write, providing the actionable intelligence needed to keep code secure and healthy. This proactive approach protects your private data sources and greatly reduces the need for after-the-fact security fixes.

How does secrets detection work?

SonarQube uses a combination of regular expressions and semantic analysis to detect secrets in source code. With SonarQube for IDE it scans as you type, a true shift-left approach, unlike tools that scan only the Git repository, where the secret has already been committed. A secret caught in the IDE never reaches the repository, so there is no history to clean and no credential to rotate. The same coverage extends into the CI/CD pipeline, where automated quality gates prevent risky changes from merging.
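The mechanics described above, as an added illustration that is not SonarQube's code or rule set: a toy scanner that combines format-specific regular expressions (fixed prefix, known alphabet and length), a generic keyword-plus-entropy rule, placeholder filtering (the low-noise point made under Accurate below), redaction in the report (the point under Governance that secret values themselves are not stored) and a scan time budget (the safeguard described under Reliable below). The rule ids, thresholds, placeholder list and sample file are all constructed for the example; the AKIA value is the documented AWS example key, not a live credential.

```python
"""Toy secrets detector: provider-specific regexes, a generic keyword+entropy
rule, placeholder filtering and a scan time budget.
Added illustration only; not SonarQube's engine or rule set."""
import math
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str  # kept in memory for remediation; never written out unredacted


# Hypothetical rule set: (rule id, compiled pattern with the secret in group 1,
# minimum Shannon entropy in bits per character required to report).
RULES = [
    # Format-specific rules: fixed prefix plus known alphabet and length, so a
    # match is strong evidence on its own and no entropy check is needed.
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 0.0),
    # Generic rule: a credential-like identifier assigned a quoted literal.
    # This is where noise comes from, so it also requires high entropy.
    ("generic-password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*"
                r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
     3.0),
]

# Values that look like secrets syntactically but are obviously not real.
PLACEHOLDER = re.compile(
    r"(?i)^(?:\$\{.*\}|<.*>|changeme|password|example|xxx+|\*+|your[_-].*)$")


class ScanTimeout(Exception):
    """Raised when a scan exceeds its time budget instead of hanging the pipeline."""


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for one repeated character, close to 6 for dense base64."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, budget_seconds: float = 1.0) -> list:
    """Run every rule over every line; return findings in file order.

    A specific rule that already claimed a value suppresses the generic rule
    on the same value, so one hardcoded key yields one finding, not two.
    """
    deadline = time.monotonic() + budget_seconds
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Budget is checked between lines. A production engine also bounds each
        # individual regex match so a pathological pattern cannot stall here.
        if time.monotonic() >= deadline:
            raise ScanTimeout(f"scan exceeded {budget_seconds}s at line {line_no}")
        for rule, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if (line_no, value) in seen or PLACEHOLDER.match(value):
                    continue
                if shannon_entropy(value) < min_entropy:
                    continue
                seen.add((line_no, value))
                findings.append(Finding(line_no, rule, value))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Show only a short prefix so a report identifies the secret without leaking it."""
    return value[:keep] + "*" * (len(value) - keep)


def report(findings) -> list:
    """Human-readable lines with the secret value masked."""
    return [f"line {f.line_no}: {f.rule} -> {redact(f.value)}" for f in findings]


# Constructed sample file; the AKIA value is the documented AWS example key, not live.
SAMPLE = """\
# constructed sample, not real credentials
aws_token = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
db_password = "s3cr3t-P@ss-w0rd-9x!"
token = "${VAULT_TOKEN}"
api_key = "aaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for line in report(scan_source(SAMPLE)):
        print(line)
```

Run against the sample, the scanner reports the AWS key on line 2 once (the format-specific rule claims it before the generic rule sees the `token` keyword) and the high-entropy database password on line 4, while the `changeme` placeholder, the `${VAULT_TOKEN}` reference and the zero-entropy `aaaa...` value are all filtered out. Those three filters are what keep a pattern-based scanner's noise down; the time budget is what keeps it from becoming the slowest step in the pipeline.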


SonarQube for IDE

Secrets detection is available within the developer flow for free. It highlights exposed passwords and API keys the moment they are written, ensuring sensitive credentials never leave your local environment or reach production. 


SonarQube Cloud

For teams using cloud-powered DevOps, secrets detection is included in all tiers—including Free, Team, and Enterprise plans. It provides automated analysis during pull request reviews to catch leaks before they are merged.


SonarQube Server

Included in Developer, Enterprise, and Data Center editions, this capability gives self-managed deployments the same coverage. Detection of public, well-known secret formats is available in every edition; SonarQube Server Enterprise Edition adds custom patterns for proprietary, company-specific credential formats.

What makes SonarQube’s secrets detection the best code scanning tool for you


Powerful

SonarQube's secrets detection goes beyond typical solutions, with over 340 rules that identify more than 450 secret patterns across 248 cloud services and roughly a thousand APIs. Signal-focused analysis keeps results precise and low-noise for developers.


Fast

The secrets scan runs together with your regular code scan and has no noticeable impact on scan time. This parallelized approach keeps developers productive while maintaining continuous security coverage in the CI/CD pipeline.


Comprehensive

SonarQube performs secrets detection in the IDE using SonarQube for IDE, and in your repository and CI/CD pipeline using SonarQube Server or SonarQube Cloud. The IDE check stops leaks before the commit; the CI/CD quality gate catches anything that slips through and blocks risky merges while keeping developers fast.


Accurate

SonarQube’s secrets detection boasts a false positive rate of less than 5%, which is critical for ensuring accuracy and maintaining developer trust. Consistent, low-noise findings help teams act quickly, reduce alert fatigue, and keep CI/CD pipelines moving without unnecessary blockers.


Reliable

SonarQube's secrets detection engine has a built-in time limit: if an analysis is taking too long to finish it aborts rather than running away or hanging, so a pathological file cannot stall the scan. This stability-by-design keeps scans predictable, preserves CI/CD pipeline throughput, and ensures developers aren't blocked by hung or excessively long analyses.


Open source

SonarQube’s secrets detection code and rules are publicly available as open source for community contributions. Transparent rule definitions enable faster improvements, broader coverage, and shared best practices that benefit developers and security teams. Learn how to contribute!


Integrated

Secrets detection comes with SonarQube for IDE for free and is included in SonarQube Server and SonarQube Cloud commercial editions at no additional cost. Enable developers quickly with no extra licensing, simplifying rollout across teams and CI/CD pipelines.


Governance

Demonstrate preventive controls with exportable reports, historical trends, and traceable remediation activity. Provide auditors with clear evidence of CI/CD pipeline checks, consistent policies, and documented outcomes to simplify compliance reviews.

Additional resources

Datasheet

Developer-first secrets detection across your workflow with SonarQube

Stop credentials from ever reaching your repository. SonarQube for IDE catches hard-coded secrets—like database passwords and tokens—as you write code, while SonarQube Server and SonarQube Cloud provide automated checks in your PRs.


Solution brief

Beyond repository based secrets scanning

Hard-coded secrets are a fast track from a minor coding oversight to a major security incident. API keys, tokens, and credentials frequently end up in code during troubleshooting, rapid prototyping, or AI-assisted coding.


Blog post

Stop secrets before the commit

This blog post explains why secrets detection is critical and how Sonar’s integrated approach reduces noise. It also explains how the new SonarQube Secrets CLI helps teams catch secrets locally.


Build trust into every line of code

Ready to deliver better, secure code? Get started today with the SonarQube deployment that's right for you.


Secrets Detection FAQs

Secrets detection is the process of automatically identifying sensitive information, such as passwords, API keys, and tokens, embedded within source code. Even a small oversight, such as committing a credential to a public repository, can create significant security risks or regulatory challenges for organizations. By building robust secrets detection into development workflows, teams can prevent accidental exposure and remediate issues before they reach production, safeguarding their systems from credential misuse.


Prioritizing secrets detection directly improves the overall quality of code by ensuring that sensitive information is consistently protected and compliance requirements are met. Rather than relying on manual review, integrating automated secrets detection helps developers maintain secure practices without sacrificing development speed. This proactive approach addresses both technical and organizational priorities, making it a critical component of any strategy focused on producing quality code.

Sonar scans a project's source code against a library of detection rules, combining regular expressions with semantic analysis of the surrounding code, to find patterns that resemble secrets, such as hardcoded credentials or access tokens. The detection engine analyzes files across multiple languages and file formats and alerts developers as soon as sensitive data is found. This detection capability extends across development environments, so that security checks are consistent no matter where code is written or stored.


Detection is not just about finding secrets—it’s also about ensuring actionable feedback for developers. Sonar provides clear guidance and recommendations whenever potential secrets are identified, streamlining remediation efforts and helping teams resolve issues quickly. This practical integration with the development lifecycle reinforces the production of quality code by reducing manual effort while strengthening security.

Yes, Sonar’s secrets detection solution is designed for seamless automation within CI/CD pipelines. By integrating directly into the build and deployment workflows, secrets detection becomes a routine quality gateway—automatically flagging sensitive values before code is merged or released. This automated approach helps teams maintain development velocity while ensuring that only secure code is deployed to production.


Automated secrets detection supports a "shift-left" strategy in software development, catching problems early and reducing the risk of costly vulnerabilities downstream. With Sonar, organizations can enforce consistent security controls at every stage, making quality code an operational standard rather than an afterthought.

Sonar’s secrets detection covers a broad range of sensitive data types, including but not limited to passwords, API keys, database credentials, cloud service tokens, and OAuth secrets. Its detection patterns are continuously updated to recognize new formats and commonly used keys, ensuring comprehensive protection against diverse risks.


By accurately flagging both obvious and subtle instances of exposed secrets, Sonar helps organizations build and maintain quality code. Its flexibility across common programming languages and file formats means that teams can rely on Sonar for thorough coverage, regardless of their technology stack.

Upon detection of a secret, Sonar provides developers with actionable remediation guidance, typically including steps to remove or replace the exposed credential. If the secret was caught in the IDE before being committed, removing it from the code and loading it from a secure vault or environment variable is enough. If it has already been committed, the credential must be rotated, because anyone with access to the repository may already have it; the value should also be moved to a secure vault and, where feasible, purged from version control history, but neither step replaces rotation.


Sonar’s recommendations are designed to encourage best practices and foster quality code. By promptly addressing flagged secrets and learning from the guidance provided, development teams can prevent future exposures and maintain secure workflows without introducing friction or delays.

Sonar’s implementation prioritizes privacy and security, and it does not store secret values themselves. Detection events and metadata are logged strictly for operational and audit purposes, ensuring compliance with enterprise and regulatory standards.


This approach enables teams to retain full control over their sensitive information, while benefiting from quality code practices. Organizations can audit detection patterns and trends without risking unintentional storage or exposure of secrets flagged during automated scans.

By default, Sonar retains detection data as long as it is relevant for operational or audit purposes, aligning with best practices around privacy and compliance. For specific implementations, tracking information—such as cookies or log entries—may be kept for up to 60 days, unless otherwise specified by user or organizational policy.


This retention window balances the need for historical insight and proactive monitoring while minimizing unnecessary data storage. Developers and security teams can review recent findings and trends to continuously improve workflows and strengthen the quality code standard.

Yes, Sonar’s secrets detection is highly configurable and can be tailored to different environments (such as development, staging, or production) and user journeys. Custom policies allow teams to set detection thresholds or ignore certain paths, adapting to the unique requirements of their projects and codebases.


Additionally, Sonar provides tools to track the origin and flow of sensitive data within code journeys, giving insight into how and when secrets might be exposed. This level of flexibility helps organizations maintain quality code throughout diverse environments and workflows.

If a secret is discovered post-deployment, Sonar provides mitigation guidance to help teams respond quickly. Recommended actions include rotating the affected credentials first, notifying stakeholders, and removing the exposed values from every accessible location, including repository history and build artifacts. Quick response times minimize the window for real-world exploitation and support continuous improvement in coding practices.


Sonar’s platform also encourages updating workflows to prevent future incidents—reviewing detection logs and adjusting automated controls as needed. Post-incident analysis helps reinforce lessons learned and strengthens the integrity of quality code moving forward.

Integrating secrets detection with Sonar supports compliance with industry regulations such as GDPR, HIPAA, and PCI DSS, all of which require strict control over sensitive data. Automated secrets detection ensures that quality code is produced in accordance with these standards, making it easier to demonstrate due diligence during internal or external audits.


Sonar’s solution provides reporting tools and historical analysis, giving organizations evidence of preventive controls. This capability strengthens both technical and business arguments for a security-first approach, and helps build trust with customers, regulators, and business partners by maintaining consistent quality code practices.

Yes. Whether code is written by a human or an AI agent, it must be verified. SonarQube detects secrets in all code to ensure that AI-generated suggestions do not introduce security vulnerabilities or hardcoded credentials into your codebase.

Secrets detection is a core security capability included in all commercial SonarQube products, ensuring that every team has the tools to prevent exposed credentials from reaching production. There is no additional cost for secrets detection within your existing SonarQube Server or SonarQube Cloud and it’s enabled by default.


© 2026 SonarSource Sàrl. All rights reserved.
