TL;DR overview
- Sonar's secrets detection CLI beta brings hardcoded credential scanning directly to the developer's local environment, enabling detection of exposed API keys, tokens, and passwords before code is committed to any repository.
- The CLI tool integrates with existing developer workflows via pre-commit hooks or manual invocation, providing a shift-left layer that catches secrets even earlier than IDE plugins—at the file system level before staging.
- Supporting over 400 secret patterns across 248 cloud services, the CLI covers a broad range of credentials including AWS keys, GitHub tokens, database passwords, and custom organization-defined patterns.
- Teams not yet using SonarQube Server or SonarQube Cloud can use the CLI as a standalone entry point for secrets detection, with a straightforward upgrade path to full SonarQube analysis as their needs grow.
In the modern development landscape, a single leaked credential can dismantle years of built trust. According to the Verizon Data Breach Investigations Report, it takes a median of 94 days for organizations to remediate leaked secrets. In an era where a breach can happen in milliseconds, nearly three months of exposure is an unacceptable systemic risk. Catching secrets at the source—before they ever reach your version control system—is the only way to prevent a localized mistake from becoming a persistent security liability. Once a secret is committed to a repository, it is functionally compromised. Even if you delete the file or overwrite the line, the secret remains in the Git history, accessible to anyone with repository access.
For enterprises, the "cost of a leak" scales exponentially the longer it remains undetected. It isn't just about the immediate risk of unauthorized access; it's about the massive operational toil required to rotate keys, invalidate tokens, audit logs for misuse, and potentially notify regulatory bodies.
That is why we are excited to announce the open beta of SonarQube CLI. It transforms this workflow by moving security from the end of the pipeline directly into the developer's agentic workflow. The headline feature of this release is Sonar’s AI-native secrets protection—the ultra-fast, high-precision secrets detection hook as part of the SonarQube CLI.
The rise of the "automated leak"
In a traditional workflow, a secret leak usually resulted from a human error, such as a developer accidentally committing a .env file to GitHub. However, in the world of the agentic-centric development cycle coding tools such as Claude Code and Cursor can introduce a dangerous new backdoor for sensitive data. Because these agents function by scanning your local environment to build context, they can inadvertently ingest active session tokens, API keys, or database credentials and send them directly to an LLM provider’s servers as part of the prompt history.
This creates a "silent leak" scenario. You might copy-paste a block of code into a prompt to debug it, forgetting that a hardcoded token is buried in the logic. This creates a challenge where the speed of generation can outpace the security of the workflow.
LLM gateways and persistent risk
This risk is further compounded by the rapid adoption of LLM gateways (such as Portkey, Helicone, or LiteLLM). Enterprises use these platforms to manage costs and provide a unified API layer. However, if an agent sends an unscrubbed secret in a prompt, that secret is now persisted in the gateway’s request logs—often in plain text. Once a token hits these logs, it is no longer just a local mistake; it is an enterprise liability. To build software you can trust, organizations must implement independent, automated verification that catches these secrets before they escape the local environment.
SonarQube CLI: Built for the agent-centric development
Today, the workflow is often fragmented and reactive. To secure code, developers typically rely on CI/CD pipelines to catch issues. However, by the time the code reaches the pipeline, the silent leak to an LLM provider has already happened. The shift toward the agent-centric development cycle only amplifies these challenges. When agents are autonomously writing or refactoring code at scale, the volume of "silent leaks" grows exponentially. Agents don't just write code; they ingest environment context, read log files, and transmit data to external LLMs at a pace no human can manually audit. Standard tools often fail in an agentic environment because they are too slow or too noisy; if a scanner takes five seconds to analyze a file, it breaks the "flow" of the agent. Without an ultra-fast verification layer, organizations face an accountability crisis: the speed of agentic innovation begins to outpace the ability to verify its safety.
With Sonar’s AI-native secrets protection we have optimized our engine for agentic workflows rather than just rigid compliance checks. To integrate this directly into your agentic workflow and stop "automated leaks" at the source, you can configure coding agents, such as Claude Code, to use SonarQube as a mandatory verification step. By adding a pre-capture hook, SonarQube CLI scans every code snippet the agent produces in real time—achieving sub-100ms latency—to ensure that no session tokens or API keys are ever sent to the LLM provider. Key benefits for this approach:
- High precision: Our secret detection features a false positive rate of less than 5%, ensuring work is only interrupted when there is a genuine risk.
- Extreme speed: Based on our internal testing, we observed an average processing speed of 100ms per file in environments like Claude Code. This ensures your agent remains unhindered while your secrets stay local.
The launch of the SonarQube CLI creates a versatile, extensible foundation for the future of the Sonar ecosystem. By establishing a presence directly in the automation layer, we have opened a pipeline to deliver high-frequency, specialized "hooks" that address the evolving needs of the AI-native SDLC. Beyond secrets detection, this architecture allows us to release future capabilities as portable, ultra-fast modules. This evolution ensures that as your development workflows become more complex and agent-driven, Sonar is the high-precision verification layer that moves at the speed of your innovation.
You can secure your coding agents, such as Claude Code, workflow today by installing Sonar’s AI-native secrets detection CLI and integrating it directly with your environment. Start using the SonarQube CLI to make verification the default—whether code is written by developers, copilots, or agents.
Code you can trust in the era of agents
The SonarQube CLI’s "analyze secrets” capability provides an ultra-fast verification layer that moves at the speed of AI-driven development. By launching high-precision hooks for the SonarQube CLI, we are delivering the initial installment of a roadmap built to hardcode integrity into every stage of your innovation
Secure your workflow today
Don't let your secrets become enterprise liabilities. Stop automated leaks and start verifying your AI-generated code with the SonarQube CLI.
