# Secrets scanning

> **Warning:** This product is in Beta stage and we may release breaking changes. The documentation here matches the release version listed in the table of contents.

Hardcoded credentials in source code are one of the most common — and most preventable — security incidents. The SonarQube CLI ships secrets scanning in three forms, each tuned for a different moment in the developer workflow:

* **Ad-hoc:** `sonar analyze secrets` scans files or stdin from your terminal or a script.
* **Git layer:** `sonar integrate git` installs a hook that blocks commits or pushes containing secrets.
* **AI agent layer:** `sonar integrate claude` installs a `UserPromptSubmit` hook (scans the prompt you send to Claude) and a `PreToolUse` hook (runs before file reads/writes). `sonar integrate copilot` installs a pre-tool-use hook. Both integrations block any operation that would expose a secret.

You can use any combination of the three.

## Prerequisites

* [The SonarQube CLI is installed and authenticated](/sonarqube-cli/quickstart-guide.md).

Secrets scanning runs **locally** on your machine. No code leaves your machine for the scan itself.

## Scan on demand

`sonar analyze secrets` reads files (or standard input) and reports any hardcoded credentials it finds. Use it to check a file before committing, audit an `.env` file, or run as part of a CI step.

### Scan a single file

```bash
sonar analyze secrets src/config.ts
```

### Scan multiple paths or a directory

```bash
sonar analyze secrets src/ infra/
```

### Scan from standard input

```bash
cat .env | sonar analyze secrets --stdin
```

### Use in a script

The command exits with code `51` when it finds secrets and `0` when it finds none. Wire it into any pipeline:

```bash
sonar analyze secrets .
if [ $? -eq 51 ]; then
  echo "Secrets found — failing the build."
  exit 1
fi
```

See [Exit codes](/sonarqube-cli/using-sonarqube-cli/exit-codes.md) for the full table.

## Block secrets at the Git layer

Install a Git hook so commits or pushes containing secrets are rejected before they reach a remote:

```bash
sonar integrate git --hook pre-commit
```

Pre-push hooks and global (machine-wide) installation are also supported. For setup, hook behavior with Husky and the pre-commit framework, and override options, see [Git hooks](/sonarqube-cli/integrations/git-hooks.md).

## Block secrets at the AI agent layer

When you give an AI coding assistant access to your repository, it can accidentally exfiltrate secrets by reading and including them in prompts sent to the model provider. The SonarQube CLI prevents this by installing a hook that runs **before** the agent reads or writes files.

* **Claude Code:** [Claude Code](/sonarqube-cli/integrations/claude-code.md)
* **GitHub Copilot:** [GitHub Copilot](/sonarqube-cli/integrations/github-copilot.md)

After installation, restart the agent. From then on, any attempt by the agent to access a file containing a secret is blocked, and the agent is told why.

## False positives and tuning

Secrets scanning is intentionally sensitive — missing a real credential is much worse than catching test fixtures. The analyzer already ignores obviously fake values, so most false positives come from test fixtures that look like real provider-issued credentials.

When that happens:

* **Keep realistic-looking test fixtures outside of source.** Move them into ignored files (`.env.test`) or fixture directories outside `src/`.
* **Use environment variables in tests** where possible, even when the value is a fake.

If you believe a finding is genuinely wrong, share it on the [community forum](https://community.sonarsource.com/tag/secrets) — we use these reports to tune detection.

## What the scanner looks for

Secrets scanning uses the same engine that powers SonarQube's server-side secret detection rules. It looks for patterns issued by major providers (AWS, GCP, GitHub, Stripe, SonarQube tokens, and many more) as well as generic high-entropy strings used in credential-shaped contexts.

## Feedback

Found a false positive, a crash, or a pattern that should be detected? Tell us on the [Sonar Community forum, secrets tag](https://community.sonarsource.com/tag/secrets).

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Git hooks](/sonarqube-cli/integrations/git-hooks.md)
* [Claude Code](/sonarqube-cli/integrations/claude-code.md)
* [GitHub Copilot](/sonarqube-cli/integrations/github-copilot.md)
* [Exit codes](/sonarqube-cli/using-sonarqube-cli/exit-codes.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cli/analysis/secrets-scanning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.