> For the complete documentation index, see [llms.txt](https://docs.sonarsource.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sonarsource.com/agent-centric-development-cycle/developer-tools/agent-plugins/cursor.md). # Cursor The SonarQube plugin for Cursor connects your AI coding agent to SonarQube's code quality and security data through the [About the MCP Server](/sonarqube-mcp-server/about-the-mcp-server.md). SonarQube does the analysis; Cursor calls the MCP tools and acts on the results. Once installed and configured, Cursor's agent can run SonarQube analysis on your code, list and fix issues, check quality gates, inspect coverage and duplication, and review dependency risks. Running `sonar integrate cursor` after the plugin install adds secrets detection, Agentic Analysis, and Context Augmentation. The plugin works with SonarQube Cloud or SonarQube Server. You can use the plugin from the Cursor IDE, the Cursor CLI, and the Cursor Agent Window. ## Features The plugin gives Cursor's agent access to the full set of [Tools](/sonarqube-mcp-server/reference/tools.md) exposed by the SonarQube MCP Server, including: * Code analysis: analyze code snippets and files in the agent context. * Issues: search, review, and update code issues. * Quality gates: check the quality gate status for a project. * Security hotspots: search and review security hotspots. * Coverage: find under-covered files and review line-by-line coverage. * Dependencies: check third-party dependencies for SCA issues. Through the SonarQube CLI integration set up by `sonar integrate cursor`, the plugin also adds: * Secrets detection: three hooks (`preToolUse`, `beforeReadFile`, and `beforeSubmitPrompt`) that block operations exposing secrets, keeping credentials out of files the agent reads and out of prompts sent to Cursor. * Agentic Analysis (SonarQube Cloud only, project-level installs): an always-applied Cursor rule that instructs Cursor to run `sonar analyze agentic` on the git change set after edits. It also adds SonarQube skills that you can invoke as slash commands in Cursor's chat. See [Usage](#usage). ## Prerequisites * A SonarQube Cloud organization or SonarQube Server instance. * [Cursor](https://cursor.com/) installed. * The SonarQube CLI installed. The plugin's MCP Server uses your `sonar auth login` session. * A container runtime (Docker, Podman, or nerdctl) to run the SonarQube MCP Server image. ## Install The SonarQube plugin is published in the `sonar` marketplace catalog on the [Cursor marketplace](https://cursor.com/marketplace/sonarsource), sourced from the [SonarSource/sonarqube-agent-plugins](https://github.com/SonarSource/sonarqube-agent-plugins) repository. In Cursor's chat, install the plugin: ``` /add-plugin sonarqube ``` You can also install it from Cursor's marketplace panel. For more on plugin marketplaces and installation, see Cursor's [Plugins documentation](https://cursor.com/docs/plugins). ## Configuration After installing the plugin, finish setup in two steps. ### Step 1 — Authenticate Log in so the MCP Server can connect: ```bash sonar auth login ``` Use the command for your scenario: | Scenario | Command | | -------------------- | ------------------------------------------------------------------- | | SonarQube Cloud (EU) | `sonar auth login -o ` | | SonarQube Cloud (US) | `sonar auth login -o -s https://sonarqube.us` | | SonarQube Server | `sonar auth login -s ` | Your browser opens to complete login, and the token is stored in your system keychain. Check your authentication anytime with `sonar auth status`. ### Step 2 — Install secrets hooks, Agentic Analysis, and Context Augmentation Run the integration command from your project directory: ```bash sonar integrate cursor ``` In an interactive terminal, the command prompts you to install each component: secrets-detection hooks, the SonarQube MCP server configuration, and, for SonarQube Cloud project installs, the Agentic Analysis rule and the Context Augmentation skill. Use `--global` to install the secrets hooks for all projects on your machine: ```bash sonar integrate cursor --global ``` > **Note:** Cursor's cloud and background agents only pick up project-level hooks, not global ones. A global install wires up the secrets hooks and skips Agentic Analysis and Context Augmentation. ## Agentic Analysis and Context Augmentation When you run `sonar integrate cursor` against a SonarQube Cloud project, the command installs an always-applied Cursor rule that tells Cursor to run `sonar analyze agentic` on the git change set after edits, and a [Context Augmentation](/agent-centric-development-cycle/guide/context-augmentation.md) skill so Cursor can pull project guidelines, architecture, semantic navigation, and dependency context as it works. Both features are project-scoped and skipped on a global install. For overviews of these features, see [Agentic Analysis](/agent-centric-development-cycle/verify/agentic-analysis.md) and [Context Augmentation](/agent-centric-development-cycle/guide/context-augmentation.md). To enable these features and configure Cursor to use them effectively, see [Make your agent verify its code](/agent-centric-development-cycle/verify/how-to-guides/make-your-agent-verify-its-code.md). ## Verify that it works ### Test the secrets hook 1. Create a file with a fake-looking but secret-shaped value: ```javascript // secrets.js const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13"; ``` 2. Ask Cursor's agent to read it: *"Read secrets.js."* 3. Cursor should block the read and explain that the file contains a secret. Once you've confirmed the hook is active, delete the test file. ### Test the MCP server In Cursor's chat, ask: *"List my SonarQube projects."* Cursor should call the SonarQube MCP server and return your project list. If it doesn't, open Cursor Settings → MCP, confirm the sonarqube entry is enabled, then run `sonar auth status` to confirm the underlying token is healthy and restart Cursor. ### Test Agentic Analysis (SonarQube Cloud only) Make a code change through Cursor's agent, for example ask it to edit a file. After Cursor applies the change, it should run Agentic Analysis and surface any new findings. This requires SonarQube Cloud and the Agentic Analysis entitlement on your organization. ## Non-interactive install For provisioning scripts and onboarding automation, skip the interactive prompts and run the SonarQube CLI directly: ```bash sonar integrate cursor --global --non-interactive ``` In non-interactive mode the CLI does not prompt. A `--global` install wires up the SonarQube MCP Server and the secrets-detection hooks, but skips the project-scoped Agentic Analysis rule and Context Augmentation skill. Run `sonar auth status` afterward to confirm the integration is wired up. See [Cursor](/sonarqube-cli/integrations/cursor.md) in the SonarQube CLI docs for full details. ## Usage After setup, invoke SonarQube skills in Cursor using slash commands or natural language. Both options are shown for each skill. ### List projects ``` /sonar-list-projects # all accessible projects /sonar-list-projects my-project # search by name or key ``` Or in natural language: * "List my SonarQube projects." * "Search for projects with `auth` in the name." ### List issues ``` /sonar-list-issues # issues in the current project /sonar-list-issues my-project --severity CRITICAL ``` Or in natural language: * "List the issues in `my-project`." * "Show me critical issues in `my-project`." * "Search issues in `my-project` on branch `main`." ### Fix an issue ``` /sonar-fix-issue java:S1481 src/main/java/MyClass.java /sonar-fix-issue python:S2077 src/auth/login.py:34 ``` Or in natural language: * "Fix the issue `java:S1481` in `src/main/java/MyClass.java`." * "Help me fix `python:S2077` on line 34 of `src/auth/login.py`." ### Quality gate ``` /sonar-quality-gate /sonar-quality-gate my-project --branch main ``` Or in natural language: * "Check the quality gate status for `my-project`." * "Show me the quality gate for `my-project` on pull request 42." ### Analyze a file ``` /sonar-analyze /sonar-analyze src/auth/login.py ``` Or in natural language: * "Analyze `src/auth/login.py` for code quality and security issues." * "Run analysis on the current file." ### Coverage ``` /sonar-coverage /sonar-coverage my-project --max 50 /sonar-coverage my-project --file src/auth/login.py ``` Or in natural language: * "What files in `my-project` have less than 50% coverage?" * "Show me line-by-line coverage for `src/auth/login.py`." ### Duplication ``` /sonar-duplication /sonar-duplication my-project --pr 42 /sonar-duplication my-project --file src/auth/login.py ``` Or in natural language: * "Find duplicated files in `my-project`." * "Show duplications in `my-project` on pull request 42." ### Dependency risks Dependency risks require SonarQube Advanced Security. ``` /sonar-dependency-risks /sonar-dependency-risks my-project --pr 42 ``` Or in natural language: * "List dependency risks in `my-project`." * "Show me SCA issues on pull request 42." ### Security hotspots Access security hotspots through the same `sonar-list-issues` skill: ``` /sonar-list-issues my-project ``` Or in natural language: * "Search security hotspots in `my-project`." * "Show hotspots in `my-project` that are still to review." For the full reference of what the agent can call, see the [Tools](/sonarqube-mcp-server/reference/tools.md) page. ## Manual MCP setup If you prefer to configure the MCP Server directly in Cursor's `mcp.json` instead of installing the plugin, for example to use HTTPS transport or the SonarQube Cloud-hosted server, see the [Cursor](/sonarqube-mcp-server/setup/quickstart-guides/cursor.md). ## Uninstall To remove the SonarQube plugin from Cursor, open Cursor's plugins panel and remove the SonarQube plugin. For details, see Cursor's [Plugins documentation](https://cursor.com/docs/plugins). Uninstalling the plugin removes the skills and MCP wiring it registered. To also remove the underlying CLI integration files written by `sonar integrate cursor` (the secrets-detection hooks, Agentic Analysis rule, and Context Augmentation skill), see [Cursor](/sonarqube-cli/integrations/cursor.md) in the SonarQube CLI docs. ## Related pages * [Cursor](/sonarqube-cli/integrations/cursor.md) * [Cursor](/sonarqube-mcp-server/setup/quickstart-guides/cursor.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.sonarsource.com/agent-centric-development-cycle/developer-tools/agent-plugins/cursor.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.