Integrating SonarQube Sonar Secrets Plugin into a CI/CD Pipeline for Secure Development

This article explains how to integrate the SonarQube Sonar Secrets plugin into a CI/CD pipeline so that hard‑coded credentials are caught early: how to build and install the plugin, configure SonarQube, and enable secret scanning for Java and JavaScript projects.

DevOps Cloud Academy

Continuous Integration and Delivery (CI/CD) pipelines are built to sustain very high deployment frequencies (tens of thousands of deployments per day), but that speed must not come at the expense of security. Security verification is therefore built into every stage of the pipeline rather than bolted on before release.

SonarQube is introduced for code‑quality checks, with its results surfaced directly in developers' IDEs so that security validation happens before code is committed. Adding the Sonar Secrets plugin (and, for Java, the FindSecBugs extension) gives early feedback on insecure coding patterns such as hard‑coded credentials.

The secrets themselves are kept in an encrypted keystore; code refers to them only by variable name and the values are injected at runtime, so no literal credential ever appears in the repository.
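The kind of check the plugin automates, shown here as an added illustration that is not the article's or the Sonar Secrets project's code: a grep‑based scan for hard‑coded credentials applied to constructed Java and JavaScript samples, each in a vulnerable version beside a hardened version that reads the value from the environment instead. The regexes, file names and sample values are assumptions chosen for illustration; they are not the plugin's rule set.

```shell
#!/bin/sh
# Added example, not code from the article or from the Sonar Secrets project:
# a grep-based pre-commit check for hard-coded credentials, run over constructed
# Java and JavaScript samples (a vulnerable version beside a hardened one that
# reads the value from the environment). The regexes are illustrative
# assumptions, not the plugin's rules.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PATTERN_FILE=$WORKDIR/secret-patterns.ere

# One POSIX ERE per line, matched case-insensitively with grep -E -i -f:
# credential-like identifiers assigned a quoted literal, AWS access key IDs,
# and PEM private-key headers.
cat >"$PATTERN_FILE" <<'EOF'
(password|passwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token)[[:space:]]*[=:][[:space:]]*["'][^"']{4,}["']
AKIA[0-9A-Z]{16}
-----BEGIN( RSA| EC| OPENSSH)? PRIVATE KEY-----
EOF

# Print every flagged line as file:lineno:text. Returns 1 when anything was
# flagged (so a pre-commit hook or CI step fails), 0 when the file is clean.
scan_for_hardcoded_secrets() {
  status=0
  grep -E -i -n -H -f "$PATTERN_FILE" "$1" || status=$?
  case $status in
    0) return 1 ;;          # matches were printed: fail the check
    1) return 0 ;;          # no matches: clean
    *) return "$status" ;;  # grep error, e.g. unreadable file
  esac
}

# Number of flagged lines in a file (prints 0 when clean).
count_secret_findings() {
  grep -E -i -c -f "$PATTERN_FILE" "$1" || true
}

# --- constructed samples ---------------------------------------------------
VULNERABLE_JAVA=$WORKDIR/DbClient.vulnerable.java
HARDENED_JAVA=$WORKDIR/DbClient.hardened.java
VULNERABLE_JS=$WORKDIR/client.vulnerable.js
HARDENED_JS=$WORKDIR/client.hardened.js

cat >"$VULNERABLE_JAVA" <<'EOF'
public class DbClient {
    // hard-coded credentials: exactly what the scan should flag
    private static final String PASSWORD = "Sup3rS3cret!";
    private static final String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    private static final String API_KEY = "sk_live_0123456789abcdef";
}
EOF

cat >"$HARDENED_JAVA" <<'EOF'
public class DbClient {
    // values come from the environment (populated from the keystore at deploy time)
    private static final String PASSWORD = System.getenv("DB_PASSWORD");
    private static final String AWS_ACCESS_KEY_ID = System.getenv("AWS_ACCESS_KEY_ID");
    private static final String API_KEY = System.getenv("API_KEY");
}
EOF

cat >"$VULNERABLE_JS" <<'EOF'
// client.js: API key and token pasted straight into source
const apiKey = 'AIzaSyEXAMPLE0123456789abcdefghijklmn';
const authToken = "ghp_EXAMPLE16C7e42F292c6912E7710c838347";
fetch('https://api.example.com/v1/items', { headers: { Authorization: `Bearer ${authToken}` } });
EOF

cat >"$HARDENED_JS" <<'EOF'
// client.js: credentials injected by the runtime, never committed
const apiKey = process.env.API_KEY;
const authToken = process.env.AUTH_TOKEN;
fetch('https://api.example.com/v1/items', { headers: { Authorization: `Bearer ${authToken}` } });
EOF

for f in "$VULNERABLE_JAVA" "$VULNERABLE_JS" "$HARDENED_JAVA" "$HARDENED_JS"; do
  if scan_for_hardcoded_secrets "$f"; then
    echo "CLEAN   $(basename "$f")"
  else
    echo "FLAGGED $(basename "$f") ($(count_secret_findings "$f") line(s))"
  fi
done
```

The hardened samples pass because the first pattern insists on a quoted literal right after the assignment operator; an identifier such as `apiKey` followed by `process.env.API_KEY` or `System.getenv(...)` is not matched. A check this simple is a stopgap for a commit hook, not a replacement for the plugin's rules.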

To build both plugin modules from the sonar-secrets source tree, run:

cd sonar-secrets/java && mvn clean package
cd sonar-secrets/javascript && mvn clean package

Successful builds produce JAR files (e.g., sonar-secrets-java-x.x.jar in sonar-secrets/java/target and sonar-secrets-javascript-x.x.jar in sonar-secrets/javascript/target).

Installation steps:

Copy the JAR files to SonarQube’s plugin directory, /opt/sonarqube/extensions/plugins in a default install (in general $SONARQUBE_HOME/extensions/plugins). Remove any older sonar-secrets JARs first: SonarQube refuses to start when two versions of the same plugin are present in that directory.

Restart the SonarQube server so the new plugins are loaded.

On startup, the web process log (logs/web.log) should contain messages such as:

INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets Java / x.x
INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets JavaScript / x.x

Activate the rules provided by sonar-secrets-java and sonar-secrets-javascript in the Quality Profiles assigned to your Java and JavaScript projects; SonarQube only runs rules that are active in a project’s profile, so an installed plugin whose rules are not activated reports nothing.
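The build, install, restart and verify steps above, scripted end to end as an added example (this is not the article's or the Sonar Secrets project's own script). It assumes, beyond what the page states, that the sonar-secrets sources are checked out at $SONAR_SECRETS_SRC, that SonarQube lives under $SONARQUBE_HOME with the default layout (extensions/plugins, logs/web.log, bin/linux-x86-64/sonar.sh), and it uses constructed fixtures (an empty stand-in JAR and two log lines with an arbitrary version 1.0) so the helpers can be exercised without Maven or a running server.

```shell
#!/bin/sh
# Added example, not the article's or the Sonar Secrets project's own script:
# automates the build, install, restart and verify steps and makes the plugin
# installation idempotent. Assumptions (not stated on the page):
#   - the sonar-secrets sources are checked out at $SONAR_SECRETS_SRC
#   - SonarQube is installed under $SONARQUBE_HOME with the default layout
#     (extensions/plugins, logs/web.log, bin/linux-x86-64/sonar.sh)
# Run as `./install-sonar-secrets.sh install` on the SonarQube host; with no
# argument it only exercises the helpers against constructed fixtures.
set -eu

SONAR_SECRETS_SRC=${SONAR_SECRETS_SRC:-./sonar-secrets}
SONARQUBE_HOME=${SONARQUBE_HOME:-/opt/sonarqube}
PLUGIN_DIR=$SONARQUBE_HOME/extensions/plugins
WEB_LOG=$SONARQUBE_HOME/logs/web.log

# Build one module (java | javascript) with Maven, as in the article.
build_plugin() {
  (cd "$SONAR_SECRETS_SRC/$1" && mvn -q clean package)
}

# Print the path of the single sonar-secrets-<module>-x.x.jar in a target/ dir.
# Fails when there is none or more than one, so a stale build is never installed by accident.
find_plugin_jar() {   # $1 = module, $2 = target directory
  module=$1
  set -- "$2"/sonar-secrets-"$module"-*.jar
  if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "find_plugin_jar: expected exactly one sonar-secrets-$module-*.jar, found $#" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Replace any previously installed version of the module. SonarQube refuses to
# start when two versions of the same plugin sit in extensions/plugins.
install_plugin() {   # $1 = module, $2 = jar path
  rm -f "$PLUGIN_DIR"/sonar-secrets-"$1"-*.jar
  cp "$2" "$PLUGIN_DIR"/
}

restart_sonarqube() {
  "$SONARQUBE_HOME"/bin/linux-x86-64/sonar.sh restart
}

# True only when the web log shows both plugins deployed (the messages quoted above).
verify_deploy() {   # $1 = log file
  grep -qF 'Deploy plugin Sonar Secrets Java /' "$1" &&
    grep -qF 'Deploy plugin Sonar Secrets JavaScript /' "$1"
}

# Poll the log for up to $2 seconds; the web process takes a while to come up after a restart.
wait_for_deploy() {   # $1 = log file, $2 = timeout in seconds
  waited=0
  until verify_deploy "$1"; do
    waited=$((waited + 1))
    [ "$waited" -lt "$2" ] || return 1
    sleep 1
  done
}

# --- constructed fixtures (an empty stand-in jar and two log lines) for offline use ---
FIXTURE_DIR=$(mktemp -d)
trap 'rm -rf "$FIXTURE_DIR"' EXIT
mkdir -p "$FIXTURE_DIR/java/target"
: >"$FIXTURE_DIR/java/target/sonar-secrets-java-1.0.jar"
printf '%s\n' \
  'INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets Java / 1.0' \
  'INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets JavaScript / 1.0' \
  >"$FIXTURE_DIR/web.log"

if [ "${1:-}" = "install" ]; then
  for module in java javascript; do
    build_plugin "$module"
    install_plugin "$module" "$(find_plugin_jar "$module" "$SONAR_SECRETS_SRC/$module/target")"
  done
  restart_sonarqube
  wait_for_deploy "$WEB_LOG" 180 || { echo "Sonar Secrets plugins not deployed; check $WEB_LOG" >&2; exit 1; }
  echo "both Sonar Secrets plugins deployed"
else
  echo "fixture jar: $(find_plugin_jar java "$FIXTURE_DIR/java/target")"
  wait_for_deploy "$FIXTURE_DIR/web.log" 5 && echo "fixture log shows both plugins deployed"
fi
```

Verifying against the log rather than trusting the copy is the step worth keeping in a pipeline: a JAR that landed in the directory but failed to deploy (wrong SonarQube version, duplicate plugin) only shows up there.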

The plugin’s effect can be seen directly in the IDE, where security issues related to hard‑coded secrets are highlighted.

Sonar Secrets helps proactively detect and prevent leakage of sensitive data in code. The project is open‑source, fully customizable, and can be extended with new rules; the first release currently supports Java and JavaScript projects.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: ci/cd, DevOps, SonarQube, security scanning, secrets detection
Written by

DevOps Cloud Academy

Exploring industry DevOps practices and technical expertise.
