BetaDeveloper

GitHub Copilot

Install the SonarQube plugin in GitHub Copilot to bring SonarQube code quality and security analysis into your AI coding sessions, powered by the SonarQube MCP Server.

Beta: The SonarQube agent plugin is in beta. Breaking changes may occur.

The SonarQube plugin for GitHub Copilot CLI connects your AI coding agent to SonarQube's code quality and security data. Once installed and configured, Copilot can analyze code, list and fix issues, check quality gates, inspect coverage and duplication, and run Agentic Analysis through the . The plugin's secrets-detection capabilities keep credentials out of your prompts and the files the agent reads or writes.

The plugin works with SonarQube Cloud or SonarQube Server.

Features

The plugin gives the Copilot CLI agent access to the full set of MCP Server tools reference exposed by the SonarQube MCP Server, including:

Code analysis: analyze code snippets and files in the agent context.
Issues: search, review, and update code issues.
Quality gates: check the quality gate status for a project.
Security hotspots: search and review security hotspots.
Coverage: find under-covered files and review line-by-line coverage.
Dependencies: check third-party dependencies for SCA issues.

The plugin also installs:

Secrets detection: a secrets detection hook that blocks Copilot from reading or writing files containing exposed credentials. The plugin also installs custom instructions that tell the agent to refuse working with exposed tokens, since GitHub Copilot CLI doesn't currently support a prompt-time hook.

Prerequisites

A SonarQube Cloud organization or SonarQube Server instance.
A container runtime (Docker, Podman, or nerdctl) to run the SonarQube MCP Server image.

Install

Install the SonarQube plugin from the awesome-copilot marketplace, which is registered by default in GitHub Copilot CLI:

From your shell, run copilot plugin install sonarqube@awesome-copilot.
Or inside an interactive Copilot CLI session, run /plugin install sonarqube@awesome-copilot.

For details on plugin marketplaces and installation, see Finding and installing plugins for GitHub Copilot CLI.

Configuration

After installing the plugin, finish setup by running the guided integration skill:

/sonar-integrate

The skill does the following:

Install the SonarQube CLI if not already present, or update it with sonar self-update.
Authenticate with SonarQube Cloud or your SonarQube Server instance via sonar auth login. Your browser opens to complete login; the token is stored in your system keychain.
Run sonar integrate copilot to register the SonarQube MCP Server and install the secrets-detection hook on your machine.

Agentic Analysis and Context Augmentation

The plugin's MCP Server wiring lets GitHub Copilot CLI use SonarQube Cloud's Agentic Analysis and Context Augmentation features through additional MCP toolsets.

To enable these features and configure GitHub Copilot CLI to use them effectively, see Make your agent verify its code.

Verify that it works

Test the secrets hook

Create a file with a fake-looking but secret-shaped value:

// secrets.js
const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";

Ask Copilot to read it: "Read secrets.js."
Copilot should block the read and explain that the file contains a secret.

Once you've confirmed the hook is active, delete the test file.

Test the MCP server

Ask Copilot to list your SonarQube projects via the MCP server. If the call fails, run sonar auth status to confirm the underlying token is healthy and restart Copilot.

Test Agentic Analysis (SonarQube Cloud only)

In Copilot, ask: "Run sonar verify --staged and summarize new issues." Copilot should invoke the CLI and report findings. This requires SonarQube Cloud and the Agentic Analysis entitlement on your organization.

Non-interactive install

For provisioning scripts and onboarding automation, skip the interactive skill and run the SonarQube CLI directly:

sonar integrate copilot --global --non-interactive

In non-interactive mode the CLI does not prompt. Run sonar auth status afterward to confirm the integration is wired up. See GitHub Copilot in the SonarQube CLI docs for full details.

Usage

After setup, invoke SonarQube skills in GitHub Copilot CLI using slash commands or natural language. Both options are shown for each skill.

List projects

/sonar-list-projects                    # all accessible projects
/sonar-list-projects my-project         # search by name or key

Or in natural language:

"List my SonarQube projects."
"Search for projects with auth in the name."

List issues

/sonar-list-issues                                        # issues in the current project
/sonar-list-issues my-project --severity CRITICAL

Or in natural language:

"List the issues in my-project."
"Show me critical issues in my-project."
"Search issues in my-project on branch main."

Fix an issue

/sonar-fix-issue java:S1481 src/main/java/MyClass.java
/sonar-fix-issue python:S2077 src/auth/login.py:34

Or in natural language:

"Fix the issue java:S1481 in src/main/java/MyClass.java."
"Help me fix python:S2077 on line 34 of src/auth/login.py."

Quality gate

/sonar-quality-gate
/sonar-quality-gate my-project --branch main

Or in natural language:

"Check the quality gate status for my-project."
"Show me the quality gate for my-project on pull request 42."

Analyze a file

/sonar-analyze
/sonar-analyze src/auth/login.py

Or in natural language:

"Analyze src/auth/login.py for code quality and security issues."
"Run analysis on the current file."

Coverage

/sonar-coverage
/sonar-coverage my-project --max 50
/sonar-coverage my-project --file src/auth/login.py

Or in natural language:

"What files in my-project have less than 50% coverage?"
"Show me line-by-line coverage for src/auth/login.py."

Duplication

/sonar-duplication
/sonar-duplication my-project --pr 42
/sonar-duplication my-project --file src/auth/login.py

Or in natural language:

"Find duplicated files in my-project."
"Show duplications in my-project on pull request 42."

Dependency risks

Dependency risks require SonarQube Advanced Security.

/sonar-dependency-risks
/sonar-dependency-risks my-project --pr 42

Or in natural language:

"List dependency risks in my-project."
"Show me SCA issues on pull request 42."

Security hotspots

Security hotspots are surfaced through the same sonar-list-issues skill:

/sonar-list-issues my-project

Or in natural language:

"Search security hotspots in my-project."
"Show hotspots in my-project that are still to review."

For the full reference of what the agent can call, see the MCP Server tools reference page.

Uninstall

To remove the SonarQube plugin from GitHub Copilot CLI:

From your shell, run copilot plugin uninstall sonarqube.
Or inside an interactive Copilot CLI session, run /plugin uninstall sonarqube.

Uninstalling the plugin removes the MCP wiring the plugin registered with Copilot. To also remove the underlying CLI integration files written by the sonar-integrate skill (the SonarQube MCP server entry, state record), see Uninstall on the SonarQube CLI integration page.

GitHub Copilot

PreviousClaude Code

Last updated 29 minutes ago

Was this helpful?

Good afternoon

Features

Prerequisites

Install

Configuration

Agentic Analysis and Context Augmentation

Verify that it works

Test the secrets hook

Test the MCP server

Test Agentic Analysis (SonarQube Cloud only)

Non-interactive install

Usage

List projects

List issues

Fix an issue

Quality gate

Analyze a file

Coverage

Duplication

Dependency risks

Security hotspots

Uninstall

Related pages