Information Security

Introducing Sonar Secrets: Detecting Hard‑coded Credentials in CI/CD Pipelines

This article explains how Skyscanner integrated the Sonar Secrets plugin into its CI/CD pipeline to automatically detect hard-coded secrets such as passwords, API tokens and AWS credentials. It covers the build commands, the installation steps and enabling the plugin's rules in SonarQube quality profiles.


Skyscanner's continuous integration and delivery (CI/CD) pipelines are built to support tens of thousands of deployments per day, but release frequency must not come at the cost of security. Security checks therefore have to be integrated throughout the pipeline rather than bolted on as a final gate.

Skyscanner added continuous security validation at every stage of the pipeline. SonarQube was already running for code quality, and the Sonar Secrets plugin extends it to flag hard-coded credentials at the point they are committed, shifting security left.

Alongside existing static-analysis tools such as FindSecBugs for Java, the plugin gives developers early feedback on the risk of embedding secrets in source code.

To protect users, partners and employees, sensitive values are kept in encrypted key vaults and injected into builds and runtimes as variables; they are never written into source files.
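As an added example that is not part of the original article or the Sonar Secrets plugin, the script below approximates the kind of check the plugin performs, in a form usable as a pre-commit hook or a CI step that runs before SonarQube. The two grep patterns are assumptions (they are not the plugin's rule definitions), the sample Java files are constructed here, and the AWS values in them are the AWS-documented example credentials, not real keys. The hardened sample shows the pattern the paragraph above recommends: values read from the environment, which the pipeline fills from the key vault.

```shell
#!/bin/sh
# Added example, not the Sonar Secrets plugin's code: a grep-based approximation
# of the hard-coded credential checks the plugin performs, usable as a
# pre-commit or CI gate. Patterns are assumptions, not the plugin's rules.

# AWS access key IDs have a fixed shape ("AKIA" + 16 upper-case alphanumerics),
# so they can be matched with no surrounding context.
AWS_KEY_ID_RE='AKIA[0-9A-Z]{16}'

# Credential-looking identifiers assigned a quoted literal of 6+ characters.
# Reading the value from the environment or a vault client never puts a quote
# directly after the "=", so those lines are not matched.
LITERAL_ASSIGN_RE="(password|passwd|secret|api[_-]?key|token)[A-Za-z_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"']{6,}"

# scan_for_secrets FILE: prints each suspicious line as LINE:TEXT.
# Returns 1 when anything matched (so CI fails the build), 0 when clean.
scan_for_secrets() {
    found=0
    grep -nE  "$AWS_KEY_ID_RE" "$1" && found=1
    grep -nEi "$LITERAL_ASSIGN_RE" "$1" && found=1
    return "$found"
}

# Constructed samples. The AWS values are the documented AWS example credentials.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Vulnerable.java" <<'EOF'
public class S3Client {
    private static final String ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    private static final String SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String DB_PASSWORD = "hunter2hunter2";
}
EOF
cat > "$SAMPLE_DIR/Hardened.java" <<'EOF'
public class S3Client {
    // Values come from the environment, which the pipeline populates from the vault.
    private static final String ACCESS_KEY_ID = System.getenv("AWS_ACCESS_KEY_ID");
    private static final String SECRET_ACCESS_KEY = System.getenv("AWS_SECRET_ACCESS_KEY");
    private static final String DB_PASSWORD = System.getenv("DB_PASSWORD");
}
EOF

# Usage: scan each file as a CI step would and print the verdict.
for f in "$SAMPLE_DIR"/*.java; do
    if scan_for_secrets "$f"; then
        echo "$f: clean"
    else
        echo "$f: hard-coded credentials found"
    fi
done
```

Running it flags the three literal assignments in Vulnerable.java and passes Hardened.java. A grep gate like this is deliberately coarse: it catches the obvious shapes quickly, while the SonarQube plugin described in this article reports the same class of finding inside the normal quality-gate workflow.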

Build and package

cd sonar-secrets/java && mvn clean package
cd sonar-secrets/javascript && mvn clean package

Successful builds output messages such as:

[INFO] BUILD SUCCESS
[INFO] Total time: 7.065 s
[INFO] Finished at: 2017-10-26T05:00:33-04:00
[INFO] Final Memory: 23M/252M

The resulting JAR files are located at:

sonar-secrets/java/target/sonar-secrets-java-x.x.jar

sonar-secrets/javascript/target/sonar-secrets-javascript-x.x.jar

Installation and configuration

Copy both JAR files to SonarQube's plugin directory, /opt/sonarqube/extensions/plugins

Restart the SonarQube server

Startup logs should show both plugins being deployed, e.g.:

INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets Java / x.x
INFO  web[][o.s.s.p.ServerPluginRepository] Deploy plugin Sonar Secrets JavaScript / x.x

Enable sonar-secrets-java and sonar-secrets-javascript in the Quality Profiles your projects use. This step is easy to miss: a plugin whose rules are not active in the profile loads cleanly but never reports anything.
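The build, install and verification steps above as one script, added here as an example and not taken from the article or the Sonar Secrets project. It assumes SONAR_SECRETS_SRC is a checkout of the sonar-secrets repository, SONAR_HOME is the SonarQube installation (/opt/sonarqube as in the article), SonarQube is controlled with its bin/linux-x86-64/sonar.sh script and writes the web server log to logs/web.log; adjust those for your install.

```shell
#!/bin/sh
# Added example, not part of the original article or the Sonar Secrets project:
# build, install and verify the two plugins in one go.
# Assumptions: SONAR_SECRETS_SRC is a sonar-secrets checkout, SONAR_HOME is the
# SonarQube install, control script is bin/linux-x86-64/sonar.sh, log is logs/web.log.
set -eu

SONAR_SECRETS_SRC="${SONAR_SECRETS_SRC:-./sonar-secrets}"
SONAR_HOME="${SONAR_HOME:-/opt/sonarqube}"
PLUGIN_DIR="$SONAR_HOME/extensions/plugins"
WEB_LOG="$SONAR_HOME/logs/web.log"

# Build both plugins; mvn exits non-zero on failure, so set -e aborts here
# rather than installing a stale JAR from an earlier build.
build_plugins() {
    for lang in java javascript; do
        (cd "$SONAR_SECRETS_SRC/$lang" && mvn clean package)
    done
}

# Remove any previously installed sonar-secrets JARs before copying the new
# ones, so SonarQube never sees two versions of the same plugin key.
install_plugins() {
    rm -f "$PLUGIN_DIR"/sonar-secrets-java-*.jar "$PLUGIN_DIR"/sonar-secrets-javascript-*.jar
    cp "$SONAR_SECRETS_SRC"/java/target/sonar-secrets-java-*.jar "$PLUGIN_DIR"/
    cp "$SONAR_SECRETS_SRC"/javascript/target/sonar-secrets-javascript-*.jar "$PLUGIN_DIR"/
}

restart_sonarqube() {
    "$SONAR_HOME/bin/linux-x86-64/sonar.sh" restart
}

# plugins_deployed LOGFILE: 0 if the log contains both "Deploy plugin" lines
# quoted in the article, 1 otherwise. A missing line means the JAR was not
# picked up (wrong directory, or a file the sonarqube user cannot read).
plugins_deployed() {
    grep -q 'Deploy plugin Sonar Secrets Java /' "$1" &&
        grep -q 'Deploy plugin Sonar Secrets JavaScript /' "$1"
}

main() {
    build_plugins
    install_plugins
    restart_sonarqube
    # Give the web server a moment to write its startup log before checking.
    sleep 30
    if plugins_deployed "$WEB_LOG"; then
        echo "Sonar Secrets plugins deployed; now enable their rules in the Quality Profiles."
    else
        echo "Sonar Secrets plugins not found in $WEB_LOG" >&2
        exit 1
    fi
}

# Only run the full install when invoked as: sh install-sonar-secrets.sh install
if [ "${1:-}" = install ]; then
    main
fi
```

The log check is the part worth keeping even if the rest is replaced by your configuration management: it turns "restart and hope" into a pass/fail step the pipeline can act on.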

Sonar Secrets helps detect and prevent leakage of sensitive data in code before it reaches production, and the project has been open-sourced so the community can use and improve it. The first release supports Java and JavaScript projects. One caveat: a secret the plugin flags has already been committed, so treat it as exposed and rotate it rather than only removing the line.

Tags: ci/cd, devops, security, sonarqube, Secrets Detection
Written by

DevOps Cloud Academy

Exploring industry DevOps practices and technical expertise.
