
Claude Code

Install the SonarQube plugin in Claude Code to enable code analysis, issue management, and secrets detection skills directly from your AI coding sessions.

Beta: The SonarQube agent plugin is in beta. Breaking changes may occur.

The SonarQube plugin for Claude Code connects your AI coding agent to SonarQube's code quality and security data. Once installed and configured, Claude Code can analyze code, list and fix issues, check quality gates, inspect coverage and duplication, and run Agentic Analysis through the SonarQube CLI. The plugin's secrets-detection hooks keep credentials out of your prompts and out of the files the agent reads or writes.

The plugin works with SonarQube Cloud or SonarQube Server.

Features

  • Fix specific code quality issues by rule key and location.

  • Search and filter issues in your SonarQube project.

  • List accessible SonarQube projects to find project keys.

  • Run quality gate, coverage, duplication, snippet analysis, and dependency risk checks via the SonarQube MCP Server.

  • Detect secrets using hooks that run before the agent executes a tool or receives a prompt, keeping secrets out of its context.

  • Check on startup whether the SonarQube CLI is present and the integration is configured.
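To make the hook mechanism concrete, here is an illustrative secrets-detection hook of the kind the bullet above describes. It is an added example, not the plugin's own hook (that one is installed for you by sonar integrate claude), and it assumes the Claude Code hook contract: the event arrives as JSON on stdin carrying hook_event_name, plus tool_name and tool_input for PreToolUse (file_path for Read, content or new_string for Write and Edit) or prompt for UserPromptSubmit, and an exit code of 2 blocks the action with stderr returned to the agent. The patterns are a constructed minimal set; the plugin's detectors are broader.

```python
import json
import re
import sys
from pathlib import Path

# Constructed, deliberately small set of secret-shaped patterns for this example.
# The plugin ships its own, much broader detectors.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_secrets(text):
    """Return (pattern name, line number) pairs for every secret-shaped match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def text_to_scan(event):
    """Select what to inspect from the hook event (field names assumed per Claude Code hooks).

    PreToolUse + Read:        the file the agent is about to load into context.
    PreToolUse + Write/Edit:  the content the agent is about to write to disk.
    UserPromptSubmit:         the prompt text itself, before the model sees it.
    """
    name = event.get("hook_event_name")
    if name == "UserPromptSubmit":
        return event.get("prompt", "")
    if name == "PreToolUse":
        tool = event.get("tool_name")
        tool_input = event.get("tool_input", {})
        if tool == "Read":
            path = Path(tool_input.get("file_path", ""))
            # Scan only files that exist; a missing file has nothing to leak.
            return path.read_text(errors="replace") if path.is_file() else ""
        if tool in ("Write", "Edit"):
            return tool_input.get("content", "") + tool_input.get("new_string", "")
    return ""


def decide(event):
    """Return (exit code, message). Exit 2 blocks the action; the message goes to stderr."""
    hits = find_secrets(text_to_scan(event))
    if not hits:
        return 0, ""
    where = ", ".join(f"{name} at line {lineno}" for name, lineno in hits)
    return 2, f"blocked: secret-shaped content found ({where}); it must not enter the agent's context"


if __name__ == "__main__":
    # Claude Code pipes the event JSON to the hook's stdin.
    code, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Registered as both a PreToolUse and a UserPromptSubmit hook, a script of this shape blocks a Read of a file containing AKIAIOSFODNN7EXAMPLE (AWS's documented placeholder key) before the contents reach the model, which is the behaviour the Verify that it works section below exercises. The block-before-read ordering is the point: a hook that only scans after the tool returns has already leaked the value into context.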

Prerequisites

  • A SonarQube Cloud organization or SonarQube Server instance.

  • Node.js, required to run the SessionStart hook.

  • A container runtime (Docker, Podman, or nerdctl) to run the SonarQube MCP Server image.

Install

Install the SonarQube plugin from the claude-plugins-official marketplace:

  • From your shell, run claude plugin install sonarqube@claude-plugins-official.

  • Or inside Claude Code, run /plugin install sonarqube@claude-plugins-official.

Then reload SonarQube's skills and hooks in Claude Code:

  • Either restart Claude Code, or

  • Run /reload-plugins if your version supports it.

Configuration

After installing the plugin, finish setup by running the guided integration skill, /sonarqube:sonar-integrate, inside Claude Code.

The skill does the following:

  1. Install the SonarQube CLI if not already present, or update it with sonar self-update.

  2. Authenticate with SonarQube Cloud or your SonarQube Server instance via sonar auth login. Your browser opens to complete login; the token is stored in your system keychain.

  3. Run sonar integrate claude to register the SonarQube MCP Server, secrets-detection hooks, and other Claude Code integration on your machine.

Agentic Analysis and Context Augmentation

The Claude Code plugin sets up Agentic Analysis hooks automatically when you run /sonarqube:sonar-integrate. After integration, Claude Code verifies code changes against SonarQube Cloud after edits, with no further setup required.

For overviews of these features, see Agentic Analysis and Context Augmentation.

For detailed setup and operational directives, see Make your agent verify its code.

Verify that it works

Test the secrets hook

  1. Create a file named secrets.js containing a fake-looking but secret-shaped value (use a provider's documented placeholder, never a real credential):

  2. Ask Claude to read it: "Read secrets.js."

  3. Claude Code should block the read and explain that the file contains a secret.

Once you've confirmed the hook is active, delete the test file.

Test the MCP server

In Claude Code, ask: "Use the SonarQube MCP server to list my open projects." Claude should call SonarQube and return your project list. If it doesn't, run sonar auth status to confirm the underlying token is healthy, then restart Claude Code.

Test Agentic Analysis (SonarQube Cloud only)

In Claude Code, ask: "Run sonar verify --staged and summarize new issues." Claude should invoke the CLI and report findings. This requires SonarQube Cloud and the Agentic Analysis entitlement on your organization.

Non-interactive install

For provisioning scripts and onboarding automation, skip the interactive skill and run the SonarQube CLI directly:

In non-interactive mode the CLI does not prompt for confirmation or token repair. Run sonar auth status afterward to confirm the integration is wired up. See Claude Code in the SonarQube CLI docs for full details.

Usage

After setup, invoke SonarQube skills in Claude Code using explicit slash commands or natural language. Both options are shown for each skill.

List projects

Or in natural language:

  • "List my SonarQube projects."

  • "Search for projects with auth in the name."

List issues

Or in natural language:

  • "List the issues in my-project."

  • "Show me critical issues in my-project."

  • "Search issues in my-project on branch main."

Fix an issue

Or in natural language:

  • "Fix the issue java:S1481 in src/main/java/MyClass.java."

  • "Help me fix python:S2077 on line 34 of src/auth/login.py."

Quality gate

Or in natural language:

  • "Check the quality gate status for my-project."

  • "Show me the quality gate for my-project on pull request 42."

Analyze a file

Or in natural language:

  • "Analyze src/auth/login.py for code quality and security issues."

  • "Run analysis on the current file."

Coverage

Or in natural language:

  • "What files in my-project have less than 50% coverage?"

  • "Show me line-by-line coverage for src/auth/login.py."

Duplication

Or in natural language:

  • "Find duplicated files in my-project."

  • "Show duplications in my-project on pull request 42."

Dependency risks

Dependency risks require SonarQube Advanced Security.

Or in natural language:

  • "List dependency risks in my-project."

  • "Show me SCA issues on pull request 42."

Security hotspots

Access security hotspots through the same sonar-list-issues skill:

Or in natural language:

  • "Search security hotspots in my-project."

  • "Show hotspots in my-project that are still to review."

Uninstall

To remove the SonarQube plugin from Claude Code:

  • From your shell, run claude plugin uninstall sonarqube.

  • Or inside Claude Code, run /plugin to open the Manage plugins window and remove the SonarQube plugin.

Uninstalling the plugin removes the SonarQube skills and hooks the plugin registered. To also remove the underlying CLI integration files written by /sonarqube:sonar-integrate (the SonarQube MCP server entry, secrets-detection hook configuration, state record), see Uninstall on the SonarQube CLI integration page.
