SONARTEXT-819 Create rule S6418: Secrets should not be hard-coded

rules/S6418/secrets/metadata.json

@@ -0,0 +1,11 @@
+{
+    "title": "Secrets should not be hard-coded",
+    "type": "VULNERABILITY",
+    "quickfix": "infeasible",
+    "code": {
+    "impacts": {
+        "SECURITY": "LOW"
+    },
+        "attribute": "TRUSTWORTHY"
+    }
+}

rules/S6418/secrets/rule.adoc

@@ -0,0 +1,34 @@
+== Why is this an issue?
+
+Hard-coding secrets in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes credentials and tokens, increasing the risk of unauthorized access and data breaches.
+
+This rule detects strings that look like secrets being hard-coded in the source code.
+
+== How to fix it
+
+Secrets should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider's secrets management service. If a secret is exposed in the source code, it must be rotated immediately.
+
+
+=== Code Examples
+
+==== Noncompliant Code Example
+
+[source,properties,diff-id=1,diff-type=noncompliant]
+----
+api_key=iN1KtmV2xIgdtOs1la7ugo1Pt7gLDjykprJsTELMuULRJQrlBoftwZn92Redve5k // Noncompliant
+----
+
+==== Compliant Solution
+
+Use placeholders that will be replaced by the actual secret buy the build system or framework, environment variables or a secrets management service in order to not hard-code secrets in the source code.
+
+[source,properties,diff-id=1,diff-type=compliant]
+----
+api_key=${MY_API_KEY}
+----
+
+== Resources
+
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]