> For the complete documentation index, see [llms.txt](https://docs.sonarsource.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sonarsource.com/agent-centric-development-cycle/developer-tools/agent-plugins/antigravity.md).

# Antigravity

The SonarQube plugin for Antigravity connects your AI coding agent to SonarQube's code quality and security data through the [About the MCP Server](/sonarqube-mcp-server/about-the-mcp-server.md). SonarQube does the analysis; Antigravity calls the MCP tools and acts on the results. Once installed and configured, Antigravity can run SonarQube analysis on your code, list and fix issues, check quality gates, inspect coverage and duplication, and run [Sonar Vortex: agentic analysis](/agent-centric-development-cycle/verify/sonar-vortex-agentic-analysis.md). The plugin also configures the SonarQube CLI to detect secrets, keeping credentials out of your prompts and the files the agent reads or writes.

The plugin works with SonarQube Cloud or SonarQube Server.

## Features

The plugin gives Antigravity access to the full set of [Tools](/sonarqube-mcp-server/reference/tools.md) exposed by the SonarQube MCP Server, including:

* Code analysis: analyze code snippets and files in the agent context.
* Issues: search, review, and update code issues.
* Quality gates: check the quality gate status for a project.
* Security hotspots: search and review security hotspots.
* Coverage: find under-covered files and review line-by-line coverage.
* Dependencies: check third-party dependencies for SCA issues.

Through the SonarQube CLI integration it sets up, the plugin also adds:

* Secrets detection: a hook that blocks file reads exposing secrets, plus managed instructions that warn the agent before it sends a prompt containing a secret.
* Agentic analysis (SonarQube Cloud only, project-level installs): instructions that tell Antigravity to verify the files it edits.
* Context augmentation (SonarQube Cloud only, project-level installs): a skill that tells Antigravity to pull project guidelines before editing code, check dependencies before changing a manifest, and use SonarQube's architecture and semantic-navigation context as it works.

## Prerequisites

* A SonarQube Cloud organization or SonarQube Server instance.
* [Antigravity](https://antigravity.google/) installed.
* The SonarQube CLI installed. The plugin's MCP Server uses your `sonar auth login` session.
* A container runtime (Docker, Podman, or nerdctl) to run the SonarQube MCP Server image.

## Install

The SonarQube plugin is distributed from the [SonarSource/sonarqube-agent-plugins](https://github.com/SonarSource/sonarqube-agent-plugins) repository. There is no `@vendor` marketplace shorthand—install via a git URL, archive, or local path.

From your shell, run:

```bash
agy plugin install https://github.com/SonarSource/sonarqube-agent-plugins
```

This installs the plugin globally under `~/.gemini/config/plugins/sonarqube/`. To install it for a single workspace only, copy the plugin files into `<YourProjectRoot>/.agents/plugins/sonarqube/` instead.

## Configuration

After installing the plugin, finish setup by running the guided integration skill:

```
/sonarqube:sonar-integrate
```

The skill does the following:

1. Install the SonarQube CLI if not already present, or update it with `sonar self-update`.
2. Authenticate with SonarQube Cloud or your SonarQube Server instance via `sonar auth login`. Your browser opens to complete login; the token is stored in your system keychain.
3. Run `sonar integrate antigravity`, which prompts you to install each component: the secrets-detection hook, the prompt-secrets instructions, the SonarQube MCP Server, and, for SonarQube Cloud project installs, the agentic analysis instructions and context augmentation skill.

Restart the Antigravity session after setup if MCP tools don't appear.

> **Important:** `--project` and `--global` are mutually exclusive. Passing both causes the command to fail with an "invalid options" error (exit code `2`).

## Sonar Vortex: agentic analysis and context augmentation features

When you run `sonar integrate antigravity`, the command configures Antigravity to use the [Sonar Vortex: agentic analysis](/agent-centric-development-cycle/verify/sonar-vortex-agentic-analysis.md) and [Sonar Vortex: context augmentation](/agent-centric-development-cycle/guide/sonar-vortex-context-augmentation.md) features. Both run through the SonarQube CLI:

* Agentic analysis: instructions tell Antigravity to check the files it edits and return any findings in its response. Unlike the Claude Code and Codex hooks, Antigravity can't inject findings back into the conversation.
* Context augmentation: gives Antigravity your project's coding guidelines, dependency health, architecture, and semantic-navigation context as it works.

Both features are project-scoped and skipped on a global install. Run `sonar integrate antigravity --project <YourProjectKey>` from a project directory to install them, or pass `--skip-context` to opt out of context augmentation.

To enable these features and configure Antigravity to use them effectively, see [Make your agent verify its code](/agent-centric-development-cycle/verify/how-to-guides/make-your-agent-verify-its-code.md).

## Migrate from Gemini CLI

Antigravity replaces Gemini CLI. If you previously used the SonarQube Gemini extension, migrate your platform configuration first, then run:

```bash
agy plugin import gemini       # converts legacy extensions and MCP config to native Antigravity format
sonar integrate antigravity    # adds hooks, instructions, and CAG (new vs. Gemini)
```

`agy plugin import gemini` scans your existing Gemini directories and migrates the SonarQube MCP entry into `mcp_config.json`. After verifying Antigravity works, remove any duplicate legacy extension install if the import created a copy.

For a fresh install on a machine that never had Gemini, use the steps in [Install](#install) and [Configuration](#configuration) above.

## Verify that it works

### Test the secrets hook

1. Create a file with a fake-looking but secret-shaped value:

   ```javascript
   // secrets.js
   const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
   ```
2. Ask Antigravity to read it: *"Read secrets.js."*
3. Antigravity should block the read and explain that the file contains a secret.

Once you've confirmed the hook is active, delete the test file.

Run `sonar system status` to confirm the Antigravity integration reports **Secrets Hook: CONFIGURED**. If the hook entry exists but the backing script is missing or malformed, status shows **CONFIGURED / INVALID CONFIG** and recommends re-running `sonar integrate antigravity`.

### Test the MCP server

In Antigravity, ask: *"List my SonarQube projects."* Antigravity should call the SonarQube MCP server and return your project list. If it doesn't, run `sonar auth status` to confirm the underlying token is healthy and restart the session.

### Test agentic analysis (SonarQube Cloud only)

Make a code change through Antigravity, for example ask it to edit a file. After Antigravity applies the change, it should run `sonar analyze agentic` and surface any new findings. This requires SonarQube Cloud and the agentic analysis entitlement on your organization.

### Test context augmentation (SonarQube Cloud only)

Ask Antigravity: *"What is the current architecture of the project? Limit the answer to the top-level blocks."* Antigravity uses the context augmentation skill to retrieve the current architecture and presents a high-level overview of the project. This requires SonarQube Cloud and a project-level install.

## Non-interactive install

For provisioning scripts and onboarding automation, skip the interactive skill and run the SonarQube CLI directly:

```bash
sonar integrate antigravity --global --non-interactive
```

In non-interactive mode the CLI doesn't prompt. A `--global` install wires up the SonarQube MCP Server, the secrets-detection hook, and the prompt-secrets instructions, but skips the project-scoped agentic analysis instructions and context augmentation skill. When you authenticate with [Environment variables](/sonarqube-cli/using-sonarqube-cli/environment-variables.md), integrate commands also run in non-interactive mode even without the flag. Run `sonar auth status` afterward to confirm the integration is wired up. See [Google Antigravity](/sonarqube-cli/integrations/antigravity.md) in the SonarQube CLI docs for full details.

## Usage

After setup, invoke SonarQube skills in Antigravity using slash commands or natural language. Both options are shown for each skill.

### List projects

```
/sonarqube:sonar-list-projects                    # all accessible projects
/sonarqube:sonar-list-projects my-project         # search by name or key
```

Or in natural language:

* "List my SonarQube projects."
* "Search for projects with `auth` in the name."

### List issues

```
/sonarqube:sonar-list-issues                                        # issues in the current project
/sonarqube:sonar-list-issues my-project --severity CRITICAL
```

Or in natural language:

* "List the issues in `my-project`."
* "Show me critical issues in `my-project`."
* "Search issues in `my-project` on branch `main`."

### Fix an issue

```
/sonarqube:sonar-fix-issue java:S1481 src/main/java/MyClass.java
/sonarqube:sonar-fix-issue python:S2077 src/auth/login.py:34
```

Or in natural language:

* "Fix the issue `java:S1481` in `src/main/java/MyClass.java`."
* "Help me fix `python:S2077` on line 34 of `src/auth/login.py`."

### Quality gate

```
/sonarqube:sonar-quality-gate
/sonarqube:sonar-quality-gate my-project --branch main
```

Or in natural language:

* "Check the quality gate status for `my-project`."
* "Show me the quality gate for `my-project` on pull request 42."

### Analyze a file

```
/sonarqube:sonar-analyze
/sonarqube:sonar-analyze src/auth/login.py
```

Or in natural language:

* "Analyze `src/auth/login.py` for code quality and security issues."
* "Run analysis on the current file."

### Coverage

```
/sonarqube:sonar-coverage
/sonarqube:sonar-coverage my-project --max 50
/sonarqube:sonar-coverage my-project --file src/auth/login.py
```

Or in natural language:

* "What files in `my-project` have less than 50% coverage?"
* "Show me line-by-line coverage for `src/auth/login.py`."

### Duplication

```
/sonarqube:sonar-duplication
/sonarqube:sonar-duplication my-project --pr 42
/sonarqube:sonar-duplication my-project --file src/auth/login.py
```

Or in natural language:

* "Find duplicated files in `my-project`."
* "Show duplications in `my-project` on pull request 42."

### Dependency risks

Dependency risks require SonarQube Advanced Security.

```
/sonarqube:sonar-dependency-risks
/sonarqube:sonar-dependency-risks my-project --pr 42
```

Or in natural language:

* "List dependency risks in `my-project`."
* "Show me SCA issues on pull request 42."

### Security hotspots

Access security hotspots through the same `sonar-list-issues` skill:

```
/sonarqube:sonar-list-issues my-project
```

Or in natural language:

* "Search security hotspots in `my-project`."
* "Show hotspots in `my-project` that are still to review."

## Uninstall

To remove the SonarQube plugin from Antigravity, run:

```bash
agy plugin uninstall sonarqube
```

Uninstalling the plugin removes the skills, rules, and MCP wiring it registered. To also remove the underlying CLI integration files written by `sonar integrate antigravity` (the secrets-detection hook, prompt-secrets instructions, agentic analysis instructions, and context augmentation skill), see [Google Antigravity](/sonarqube-cli/integrations/antigravity.md) in the SonarQube CLI docs.

## Related pages

* [Google Antigravity](/sonarqube-cli/integrations/antigravity.md)
* [Antigravity](/sonarqube-mcp-server/setup/quickstart-guides/antigravity.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.sonarsource.com/agent-centric-development-cycle/developer-tools/agent-plugins/antigravity.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
