# sonar-text **Repository Path**: mirrors_SonarSource/sonar-text ## Basic Information - **Project Name**: sonar-text - **Description**: sonar-text - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2021-11-30 - **Last Updated**: 2026-07-11 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # SonarText: detect Leaking Secrets, BIDI Characters and Hidden Text Vulnerabilities [![Build Status](https://github.com/SonarSource/sonar-text/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-text) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-text&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=SonarSource_sonar-text) [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=SonarSource_sonar-text&metric=coverage)](https://sonarcloud.io/summary/new_code?id=SonarSource_sonar-text) This project is a static code analyzer made to detect: * Leaking Secrets/Tokens * BIDI Characters Vulnerabilities * Hidden Text Vulnerabilities It is a component of the Sonar [code quality and security](https://www.sonarsource.com/solutions/for-developers/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonar-text) solution. It is embedded in SonarQube for IDE, SonarQube Server, and SonarQube Cloud. This component helps you prevent the leakage of secrets even before you push them into your repository thanks to SonarQube for IDE. # Features * :purple_heart: 450+ secret patterns supported and detected by [340+](https://rules.sonarsource.com/secrets/) rules * 71 secret patterns are open-source and provided by 28 rules, the others are available through [commercial plans](https://www.sonarsource.com/plans-and-pricing/) with Sonar products * detection of secrets in all files indexed by Sonar products * detection of [BIDI characters](https://rules.sonarsource.com/text/RSPEC-6389/) that could lead to attacks * detection of [Unicode hidden tag blocks](https://rules.sonarsource.com/text/RSPEC-7628/) that could lead to prompt injection ## Build *Prerequisite* - Java 17 ### Setup To configure build dependencies, run the following command: ```bash git submodule update --init -- build-logic/common ``` To always get the latest version of the build logic during git operations, set the following configuration: ``` git config submodule.recurse true ``` For more information see [README.md](https://github.com/SonarSource/cloud-native-gradle-modules/blob/master/README.md) of cloud-native-gradle-modules. Simple build skipping integration tests. ### Build and run unit tests: ```shell ./gradlew build ``` ### Build without running unit tests: ```shell ./gradlew build -x test ``` ### Fix code formatting issues During the Gradle build, a spotless formatting check is executed. This check can also be triggered manually with `./gradlew spotlessCheck`. It checks if the code is correctly formatted using standard Sonar rules. If your build failed, you can fix the formatting just by running: ```shell ./gradlew spotlessApply ``` ### Fix license packaging issues During the Gradle build, a license packaging check is executed. This check can also be triggered manually with `./gradlew validateLicenseFiles`. It checks if the license files of third party libraries are correctly packaged to the resource folder according to SonarSource standards. If your build failed, you can fix the license packaging by running: ```shell ./gradlew generateLicenseResources ``` Note that this overwrites your current license files in the `resources/licenses/THIRD_PARTY_LICENSES` folder. ### Update rule description Update all rule descriptions. ```shell ./gradlew ruleApiUpdate ``` There are also tasks: `ruleApiUpdateSecrets`, `ruleApiUpdateText` and `ruleApiUpdateDeveloperSecrets`, `ruleApiUpdateEnterpriseSecrets` `ruleApiUpdateEnterpriseText` for updating Secrets, Text, Developer Secrets and Enterprise Text and Secrets rule descriptions. ### Generate new rule description To fetch static files for a rule SXXXX from RSPEC, execute the one of following commands: ```shell ./gradlew ruleApiGenerateRuleSecrets -Prule=SXXXX ./gradlew ruleApiGenerateRuleText -Prule=SXXXX ./gradlew ruleApiGenerateRuleDeveloperSecrets -Prule=SXXXX ./gradlew ruleApiGenerateRuleEnterpriseSecrets -Prule=SXXXX ./gradlew ruleApiGenerateRuleEnterpriseText -Prule=SXXXX ``` ### Generate files to include new secrets After the change, addition or removal of secret specifications, this script can be run to generate the Java classes that are needed for the inclusion or deletion of these secrets and to update static RSPEC files. As we use the enforcer plugin to define the file size of the build, this can lead to test failures after adding new secret specifications. The `` and `` can be changed in `sonar-text-plugin/build.gradle.kts` (search for `enforceJarSize`). To create the files for a public secret, pass the flag `--public` as the third argument to the script. If the static RSPEC files are currently not merged on master, it is possible to specify a branch to fetch the files from. This can be done by adding the name of the branch as an argument to the script, like shown below. Use this feature with caution, due to a limitation of the underlying library in the rule api, not all branch names are supported, and it's not clear which ones do work. ```shell ./secretSpecificationInclusionGenerator.sh [--public] ``` ### Verify Regexes The Regular Expressions provided in the secrets specification should be verified to avoid catastrophic backtracking and other issues. Currently, the Sonar products don't scan YAML files for Regex problems. To avoid potential problems the [SecretsRegexTest](sonar-text-plugin/src/test/java/org/sonar/plugins/secrets/utils/SecretsRegexTest.java) was prepared for validating regexes. There is a simple way to validate all specification files and a single one. Currently, tests are disabled, as the issues need to be reviewed first. There is also a way of running this check from the command line. ```shell ./gradlew --rerun-tasks :sonar-text-plugin:test --console plain --tests SecretsRegexTest.shouldValidateSingleFile -Dfilename=google-oauth2.yaml ``` # License Copyright 2021-2026 SonarSource. SonarQube analyzers released after November 29, 2024, including patch fixes for prior versions, are published under the [Sonar Source-Available License Version 1 (SSALv1)](LICENSE.txt). See individual files for details that specify the license applicable to each file. Files subject to the SSALv1 will be noted in their headers.