# Secrets scanning

{% hint style="warning" %}
This product is in Beta stage and breaking changes may be released. The documentation here matches the release version listed in the table of contents.
{% endhint %}

Use the SonarQube CLI secrets scanning features for any of these scenarios:

* You want to prevent secrets from leaking during your AI-assisted coding sessions.\
  Use `sonar integrate claude` to install hooks that run automatically when Claude Code reads or writes files.
* You want to make sure you can't commit or push any file that contains a secret.\
  Use `sonar integrate git` to install a native Git hook that automatically scans files before each commit or push.
* You want to scan a specific file or snippet to check whether it contains a secret.\
  Use `sonar analyze secrets` for on-demand checks from the terminal or in scripts.

## Prerequisites

The SonarQube CLI is installed and authenticated. Follow the [quickstart-guide](https://docs.sonarsource.com/sonarqube-cli/quickstart-guide "mention") if you haven't done this yet.

## Set up the Claude Code hook

The `sonar integrate claude` command installs secrets-scanning hooks that run before Claude reads or writes files. Once set up, Claude Code automatically blocks operations that would expose secrets.

### Run the setup command

Run `sonar integrate claude` inside your project directory to install hooks.

```bash
sonar integrate claude --non-interactive
```

To install hooks globally (available across all your projects):

```bash
sonar integrate claude --global --non-interactive
```

### Reload Claude Code

Restart Claude Code for the hooks to take effect.

### Test the hook

To verify the hook is working:

1. Create a file containing a fake API key, for example:

```javascript
// secrets.js
const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
```

2. Ask Claude to read the file, for example: "Read secrets.js".

Claude Code should block the operation and report that the file contains a secret. You can delete the test file once you've confirmed the hook is active.

## Set up a Git repository hook

`sonar integrate git` installs a native Git hook that calls `sonar analyze secrets` automatically. No additional tooling is needed.

### Install a pre-commit hook

Install a pre-commit hook in your repository. `sonar analyze secrets` runs on staged files before every commit and blocks the commit if a secret is found:

```bash
sonar integrate git
```

### Install a pre-push hook

To scan files changed in unpushed commits before each push instead:

```bash
sonar integrate git --hook pre-push
```

### Install hooks globally

Use `--global` to set hooks for all your repositories at once:

```bash
sonar integrate git --global
```

Install a pre-push hook globally in non-interactive mode:

```bash
sonar integrate git --hook pre-push --global --non-interactive
```

### Overwrite an existing hook

If a hook already exists in the target location and was not installed by `sonar integrate git`, use `--force` to overwrite it:

```bash
sonar integrate git --force
```

### Test the hook

To verify the hook is working:

1. Create a file containing a fake API key, for example:

```javascript
// secrets.js
const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
```

2. Stage and commit the file:

```bash
git add secrets.js
git commit -m "Test secrets hook"
```

The hook will block the commit and report that the file contains a secret. You can delete the test file once you've confirmed the hook is active.

## Scanning a specific file or snippet for secrets

Use `sonar analyze secrets` to check a file or snippet on demand, for example to check a configuration file before adding it to source control, or to verify that a `.env` file contains no live credentials.

Scan a single file:

```bash
sonar analyze secrets path/to/file.ext
```

Scan multiple files or directories:

```bash
sonar analyze secrets src/config.ts src/secrets/
```

Scan stdin for hardcoded secrets:

```bash
cat .env | sonar analyze secrets --stdin
```

The command exits with a non-zero exit code when secrets are found, so it can be used in scripts or CI pipelines to fail a step automatically.
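That exit-code contract is all a CI gate needs. The POSIX shell wrapper below is an added example written for this page, not code from the SonarQube CLI or its documentation. It assumes only what this page states: that `sonar analyze secrets` accepts file paths or `--stdin` and exits non-zero when a secret is found. The `SONAR_BIN` override, the `check_scanner` precheck, the `origin/main` default and the use of exit status 2 for "scanner could not run" are this example's own conventions.

```shell
#!/usr/bin/env sh
# Added example (not part of the SonarQube CLI docs): a CI gate around
# `sonar analyze secrets`. SONAR_BIN is an assumed override so the wrapper
# can be pointed at a specific binary; it defaults to `sonar` on PATH.
SONAR_BIN="${SONAR_BIN:-sonar}"

# check_scanner: fail fast with status 2 when the CLI is missing, so a
# missing binary is never read as "no secrets found" or as a finding.
check_scanner() {
  if ! command -v "$SONAR_BIN" >/dev/null 2>&1; then
    echo "secrets gate: '$SONAR_BIN' not found; install and authenticate the SonarQube CLI" >&2
    return 2
  fi
}

# scan_paths: scan the given files or directories.
# Returns 0 when no secret is reported, the scanner's own non-zero status
# when one is, and 2 when the scanner itself cannot run.
scan_paths() {
  check_scanner || return 2
  [ "$#" -gt 0 ] || return 0          # nothing to scan is not a failure
  "$SONAR_BIN" analyze secrets "$@"
}

# scan_stdin: scan text piped on standard input, e.g. a generated config
# file before it is written to disk or committed.
scan_stdin() {
  check_scanner || return 2
  "$SONAR_BIN" analyze secrets --stdin
}

# scan_changed_files: in CI, scan only files added or modified since the
# base ref (assumed default origin/main), mirroring what the pre-push hook
# does locally. One path per line; filenames containing newlines are not
# handled by this simple loop.
scan_changed_files() {
  base="${1:-origin/main}"
  changed=$(git diff --name-only --diff-filter=ACM "$base...HEAD") || return 2
  [ -n "$changed" ] || return 0
  set --
  while IFS= read -r f; do set -- "$@" "$f"; done <<EOF
$changed
EOF
  scan_paths "$@"
}

# Usage in a CI step (the step fails on any non-zero status):
#   scan_changed_files origin/main || exit $?
```

The precheck matters because a pipeline that only asks "did the step pass" cannot tell a finding from a scanner that never ran; returning a distinct status for the latter keeps the failure reason honest in the CI log, and an empty change set is treated as clean rather than as an error.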

## Related pages

* [commands](https://docs.sonarsource.com/sonarqube-cli/using/commands "mention")
* [quickstart-guide](https://docs.sonarsource.com/sonarqube-cli/quickstart-guide "mention")

## Feedback

Share feedback about false positives, crashes, or other issues on the [community forum](https://community.sonarsource.com/tag/secrets).
