# Secrets scanning

{% hint style="warning" %}
This product is in Beta stage and breaking changes may be released. The documentation here matches the release version listed in the table of contents.
{% endhint %}

Use the SonarQube CLI secrets scanning features for any of these scenarios:

* You want to prevent secrets from leaking during your AI-assisted coding sessions.\
  Use `sonar integrate claude` to install hooks that run automatically when Claude Code reads or writes files.
* You want to make sure you can't commit or push any file that contains a secret.\
  Use `sonar integrate git` to install a Git hook that automatically scans files before each commit or push.
* You want to scan a specific file or snippet to check whether it contains a secret.\
  Use `sonar analyze secrets` for on-demand checks from the terminal or in scripts.

## Prerequisites

The SonarQube CLI is installed and authenticated. Follow the [Quickstart guide](/sonarqube-cli/quickstart-guide.md) if you haven't done this yet.

## Set up the Claude Code hook

The `sonar integrate claude` command installs secrets-scanning hooks that run before Claude reads or writes files. Once set up, Claude Code automatically blocks operations that would expose secrets. The command also configures [Broken mention](broken://spaces/B4UT2GNiZKjtxFtcFAL7/pages/qgppt3o9gx8Tnf8MWstN) on SonarQube Cloud.

### Run the setup command

Run `sonar integrate claude` inside your project directory to install hooks.

```bash
sonar integrate claude --non-interactive
```

To install hooks globally (available across all your projects):

```bash
sonar integrate claude --global --non-interactive
```

### Reload Claude Code

Restart Claude Code for the hooks to take effect.

### Test the hook

To verify the hook is working:

1. Create a file containing a fake API key, for example:

```javascript
// secrets.js
const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
```

2. Ask Claude to read the file, for example: "Read secrets.js".

Claude Code should block the operation and report that the file contains a secret. You can delete the test file once you've confirmed the hook is active.

## Set up a Git repository hook

`sonar integrate git` installs a Git hook that calls `sonar analyze secrets` automatically. No additional tooling is needed.

### Install a pre-commit hook

Install a pre-commit hook in your repository. `sonar analyze secrets` runs on staged files before every commit and blocks the commit if a secret is found:

```bash
sonar integrate git
```

### Install a pre-push hook

To scan files changed in unpushed commits before each push instead:

```bash
sonar integrate git --hook pre-push
```

### Install hooks globally

Use `--global` to set hooks for all your repositories at once:

```bash
sonar integrate git --global
```

Install a pre-push hook globally in non-interactive mode:

```bash
sonar integrate git --hook pre-push --global --non-interactive
```

### Overwrite an existing hook

If a hook already exists in the target location and was not installed by `sonar integrate git`, use `--force` to overwrite it:

```bash
sonar integrate git --force
```

### Test the hook

To verify the hook is working:

1. Create a file containing a fake API key, for example:

```javascript
// secrets.js
const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
```

2. Stage and commit the file:

```bash
git add secrets.js
git commit -m "Test secrets hook"
```

The hook will block the commit and report that the file contains a secret. You can delete the test file once you've confirmed the hook is active.

## Scan a specific file or snippet for secrets

Use `sonar analyze secrets` to check a file or snippet on demand, for example before adding a configuration file to source control or to verify that a `.env` file contains nothing you would not want committed.

Scan a single file:

```bash
sonar analyze secrets path/to/file.ext
```

Scan multiple files or directories:

```bash
sonar analyze secrets src/config.ts src/secrets/
```

Scan stdin for hardcoded secrets:

```bash
cat .env | sonar analyze secrets --stdin
```

The command exits with a non-zero exit code when secrets are found, so it can be used in scripts or CI pipelines to fail a step automatically.
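The script below is an added example, not part of the SonarQube CLI docs: it uses that exit code to drive a CI step that scans only the files changed in a commit range. The `SCANNER` variable is this example's own assumption, so the scanner command can be overridden with a stub on a machine where the CLI is not installed.

```shell
#!/usr/bin/env sh
# Added example, not part of the SonarQube CLI docs: a CI step that runs
# `sonar analyze secrets` only over the files changed in a commit range and
# relies on the documented non-zero exit code to fail the job.
# SCANNER is this example's own assumption: it lets the scanner command be
# overridden (for instance with a stub) on a machine without the CLI.

SCANNER="${SCANNER:-sonar analyze secrets}"

# scan_files FILE...: scan the given files, skipping paths that no longer
# exist (a deleted file cannot leak a secret in the new revision).
# Returns 0 when clean or when there is nothing to scan, and passes the
# scanner's non-zero exit code through unchanged when a secret is reported.
scan_files() {
  n=$#
  i=0
  # Rotate through the positional parameters, keeping only regular files.
  while [ "$i" -lt "$n" ]; do
    f=$1
    shift
    if [ -f "$f" ]; then
      set -- "$@" "$f"
    else
      echo "skipping $f (not a regular file)" >&2
    fi
    i=$((i + 1))
  done
  if [ "$#" -eq 0 ]; then
    echo "no files to scan" >&2
    return 0
  fi
  # Unquoted on purpose: "sonar analyze secrets" must split into words.
  $SCANNER "$@"
}

# scan_range BASE HEAD: scan files added, copied, modified or renamed
# between two git revisions, e.g. `scan_range origin/main HEAD` in a
# pull-request job. Requires git; returns non-zero if a secret is found.
scan_range() {
  files=$(git diff --name-only --diff-filter=ACMR "$1" "$2") || return 2
  [ -n "$files" ] || { echo "no changed files" >&2; return 0; }
  set --
  while IFS= read -r f; do
    set -- "$@" "$f"
  done <<EOF
$files
EOF
  scan_files "$@"
}
```

In a pipeline job, `scan_range "$BASE_SHA" "$HEAD_SHA"` as the last command of the step is enough: the step fails exactly when the CLI reports a secret.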

## Related pages

* [Commands](/sonarqube-cli/using/commands.md)
* [Quickstart guide](/sonarqube-cli/quickstart-guide.md)

## Feedback

Share feedback about false positives, crashes, or other issues on the [community forum](https://community.sonarsource.com/tag/secrets).
