Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Kotlin static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your KOTLIN code

Tags

Impact

Clean code attribute

Return values should not be ignored when they contain the operation status code
Bug
Sensitive information should not be logged in production builds
Vulnerability
WebViews should not be vulnerable to cross-app scripting attacks
Vulnerability
Processing persistent unique identifiers is security-sensitive
Security Hotspot
Android production release targets should not be debuggable
Vulnerability
Keyboard cache should be disabled for password inputs
Vulnerability
Exposing native code through JavaScript interfaces is security-sensitive
Security Hotspot
Obfuscation should be enabled for release builds
Vulnerability
Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Core plugins IDs should be replaced by their shortcuts
Code Smell
Gradle settings file should always be present
Code Smell
Dependencies should be grouped by destination
Code Smell
Tasks should define "description" and "group"
Code Smell
"rootProject.name" should always be present in Gradle settings
Code Smell
Dependency versions shouldn't be hard-coded
Code Smell
"tasks.register()" should be preferred over "tasks.create()"
Code Smell
Null checks should be useful
Code Smell
Variables assigned values should be read
Code Smell
"Map" values should be accessed safely
Bug
"It" shouldn't be used as a lambda parameter name
Code Smell
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
Check for preconditions should be simplified
Code Smell
Redundant type casts should be removed
Code Smell
Type casts and type checks that can never succeed should be removed
Code Smell
Expression should be simplified with "isEmpty", "isNotEmpty" or "isNullOrEmpty"
Code Smell
"find" should be replaced with "any", "none" or "contains"
Code Smell
Function chain using "filter" should be simplified
Code Smell
Abstract class should be interface
Code Smell
Collection should be immutable if contents is not changed
Code Smell
Structural equality tests should use "==" or "!="
Code Smell
Element access should use indexed access operators
Code Smell
Single function interfaces should be functional interfaces
Code Smell
Functional interface implementations should use lambda expressions
Code Smell
Singleton pattern should use object declarations or expressions
Code Smell
Delegator pattern should use "by" clause
Code Smell
Getter and setter pattern should use property getters and setters
Code Smell
"when" statements should be used instead of chained "if" statements
Code Smell
"return" statements should be lifted before "if" or "when" statement
Code Smell
"Unit" should be used instead of "Void"
Code Smell
Using remote artifacts without authenticity and integrity checks is security-sensitive
Security Hotspot
Counter Mode initialization vectors should not be reused
Vulnerability
Hard-coded secrets are security-sensitive
Security Hotspot
XML operations should not be vulnerable to injection attacks
Vulnerability
JSON operations should not be vulnerable to injection attacks
Vulnerability
Thread suspensions should not be vulnerable to Denial of Service attacks
Vulnerability
Components should not be vulnerable to intent redirection
Vulnerability
Enabling file access for WebViews is security-sensitive
Security Hotspot
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
"suspend" modifier should not be redundant
Code Smell
Kotlin coroutines API for timeouts should be used
Code Smell
The return value of functions returning "Deferred" should be used
Code Smell
Flow intermediate operation results should not be left unused
Bug
ViewModel classes should create coroutines
Code Smell
Extension functions on CoroutineScopes should not be declared as "suspend"
Code Smell
Suspending functions should not be called on a different dispatcher
Code Smell
Dispatchers should be injectable
Code Smell
Functions returning Flow/Channel should not be suspending
Code Smell
Suspending functions should be main-safe
Code Smell
Coroutine usage should adhere to structured concurrency principles
Code Smell
"MutableStateFlow" and "MutableSharedFlow" should not be exposed
Code Smell
Mobile database encryption keys should not be disclosed
Vulnerability
Using unencrypted files in mobile applications is security-sensitive
Security Hotspot
Using biometric authentication without a cryptographic solution is security-sensitive
Security Hotspot
Using unencrypted databases in mobile applications is security-sensitive
Security Hotspot
Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
Security Hotspot
Applications should not create session cookies from untrusted input
Vulnerability
Equals method should be overridden in data classes containing array fields
Bug
Redundant methods should be avoided in data classes
Code Smell
Operator "is" should be used instead of "isInstance()"
Code Smell
Reflection should not be vulnerable to injection attacks
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Character classes in regular expressions should not contain the same character twice
Code Smell
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Unicode-aware versions of character classes should be preferred
Code Smell
Character classes should be preferred over reluctant quantifiers in regular expressions
Code Smell
Regular expressions should be syntactically valid
Bug
Alternatives in regular expressions should be grouped when used with anchors
Bug
Empty lines should not be tested with regex MULTILINE flag
Code Smell
Regular expressions should not be too complicated
Code Smell
Repeated patterns in regular expressions should not match the empty string
Bug
Lambdas should not have too many lines
Code Smell
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Server-side templates should not be vulnerable to injection attacks
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
Accessing Android external storage is security-sensitive
Security Hotspot
Receiving intents is security-sensitive
Security Hotspot
Broadcasting intents is security-sensitive
Security Hotspot
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Native features should be preferred to Guava
Code Smell
Multi-line comments should not be empty
Code Smell
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Secure random number generators should not output predictable values
Vulnerability
Functions should not have identical implementations
Code Smell
Collection and array sizes comparisons should make sense
Bug
Intermediate Sequence and Stream functions should not be left unused
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Cognitive Complexity of functions should not be too high
Code Smell
Database queries should not be vulnerable to injection attacks
Vulnerability
"var" should be "val" if local variable is never re-assigned
Code Smell
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Non-existent operators like "=+" should not be used
Bug
"PreparedStatement" and "ResultSet" methods should be called with valid indices
Bug
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Kotlin parser failure
Code Smell
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Inappropriate collection calls should not be made
Bug
"runFinalizersOnExit" should not be called
Bug
Values should not be uselessly incremented
Bug
"ScheduledThreadPoolExecutor" should not have 0 core threads
Bug
"hashCode" and "toString" should not be called on array instances
Bug
Collections should not be passed as arguments to their own methods
Bug
"equals(other: Any?)" should test the argument's type
Bug
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
Boolean checks should not be inverted
Code Smell
Code annotated as deprecated should not be used
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
"when" statements should not be nested
Code Smell
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Variables should not be self-assigned
Bug
Unused local variables should be removed
Code Smell
"when" statements should not have too many clauses
Code Smell
Track lack of copyright and license headers
Code Smell
Functions should not have too many lines of code
Code Smell
Control flow statements "if", "for", "while", "when" and "try" should not be nested too deeply
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"if ... else if" constructs should end with "else" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Statements should be on separate lines
Code Smell
"equals(Any?)" and "hashCode()" should be overridden in pairs
Bug
String literals should not be duplicated
Code Smell
Functions should not be empty
Code Smell
Unused function parameters should be removed
Code Smell
Local variable and function parameter names should comply with a naming convention
Code Smell
"when" clauses should not have too many lines of code
Code Smell
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
Unused "private" methods should be removed
Code Smell
Jump statements should not occur in "finally" blocks
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated code should be removed
Code Smell
Unnecessary imports should be removed
Code Smell
Boolean literals should not be redundant
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Functions should not have too many parameters
Code Smell
Expressions should not be too complex
Code Smell
Mergeable "if" statements should be combined
Code Smell
Tabulation characters should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Class names should comply with a naming convention
Code Smell
Function names should comply with a naming convention
Code Smell

Hard-coded secrets are security-sensitive

responsibility - trustworthy

security

Security Hotspot

Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

CVE-2022-25510
CVE-2021-42635

Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

Ask Yourself Whether

The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
The secret is used in a production environment.
Application re-distribution is required before updating the secret.

There would be a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Store the secret in a configuration file that is not pushed to the code repository.
Use your cloud provider’s service for managing secrets.
If a secret has been disclosed through the source code: revoke it and create a new one.

Sensitive Code Example

private val MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37"

fun main() {
  MyClass.callMyService(MY_SECRET)
}

Compliant Solution

Using AWS Secrets Manager:

import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

fun main() {
  SecretsManagerClient secretsClient = ...
  MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET")
}

fun doSomething(secretsClient: SecretsManagerClient, secretName: String) {
  val valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build()

  val valueResponse = secretsClient.getSecretValue(valueRequest)
  val secret = valueResponse.secretString()
  // do something with the secret
  MyClass.callMyService(secret)
}

Using Azure Key Vault Secret:

import com.azure.identity.DefaultAzureCredentialBuilder;

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

fun main() {
  val keyVaultName = System.getenv("KEY_VAULT_NAME")
  val keyVaultUri = "https://$keyVaultName.vault.azure.net"

  val secretClient = SecretClientBuilder()
    .vaultUrl(keyVaultUri)
    .credential(DefaultAzureCredentialBuilder().build())
    .buildClient()

  MyClass.doSomething(secretClient, "MY_SERVICE_SECRET")
}

fun doSomething(secretClient: SecretClent, secretName: String) {
  val retrievedSecret = secretClient.getSecret(secretName)
  val secret = retrievedSecret.getValue()

  // do something with the secret
  MyClass.callMyService(secret)
}

See

OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
OWASP - Top 10 2017 Category A2 - Broken Authentication
CWE - CWE-798 - Use of Hard-coded Credentials
OWASP - Mobile Top 10 2024 Category M1 - Improper Credential Usage
MSC - MSC03-J - Never hard code sensitive information

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted