Remediation Agent
This page outlines the SonarQube Remediation Agent, built to help you fix and manage code issues and SCA dependency vulnerabilities found by SonarQube.
Beta: The SonarQube Remediation Agent is a Beta feature available with the SonarQube Cloud Team (annual) and Enterprise plans. It's free during beta and will be a paid feature when it moves to General Availability. For terms and conditions, see our legal page about features in Early Access.
Overview
The SonarQube Remediation Agent runs an independent review and analysis to help you fix reliability and maintainability issues found in your latest code, and to remediate dependency vulnerabilities found by Software Composition Analysis (SCA). It focuses on issues in your SonarQube Cloud backlog (discovered in your main branch analysis) and on issues found in your latest pull request (PR).
The agent works with projects bound to GitHub or Azure DevOps. Automated and manual backlog remediation are available on both platforms; pull request remediation is available for GitHub-bound projects only.
The agent uses Anthropic's Claude Opus 4.6 to generate fix suggestions in the background and checks that the new code doesn't introduce new issues before offering the suggestion.
After issues from your analysis are assigned, the agent proposes fixes and creates new PRs for your review. You maintain full control—enable it per project, then review and approve code suggestions for each issue.
The SonarQube Remediation Agent can suggest fixes in three ways:
Automated backlog remediation: The agent runs on a schedule you set, automatically proposing fixes for eligible issues in your main branch without manual assignment. A SonarQube Cloud organization admin enables the scheduler and sets the frequency (daily or weekly), time, and timezone. The agent then opens pull requests in your repository on that schedule, grouped by rule key and file type, the same way it does for manual backlog remediation. Project admins can override or disable the schedule for individual projects.
Manual backlog remediation: The agent fixes issues you select from your backlog and assign with the Assign to Agent button on the Issues page.
Pull request remediation (GitHub only): The agent is triggered from a pull request analysis when your quality gate fails.
Supported languages
The Remediation Agent works with your most common languages (C#, Java, JavaScript/TypeScript, and Python) by providing feedback on maintainability, reliability, and select security issues. It also offers fix suggestions for Secrets, and it can remediate dependency vulnerabilities found by Software Composition Analysis (SCA); see SCA basic remediation below. See the Requirements and limitations article for complete details.
Sharing your code with Sonar
If you use the SonarQube Remediation Agent, the affected code snippet is sent to an LLM to generate a fix suggestion. Sonar verifies suggestions before offering them as a fix. Service agreements with Sonar’s LLMs prevent your code from being used to train those models and it isn’t stored by the LLM provider or any third party.
For terms and conditions, see the Early Access terms in our Legal Documentation.
Setup
To enable and install the agent, see Administer the Remediation Agent.
To understand the agent's behavior and learn how to engage with the agent in your pull request, follow the Pull request fix suggestions and Backlog fix suggestions guides.
SCA basic remediation
The Remediation Agent can fix Software Composition Analysis (SCA) vulnerabilities by bumping the dependency version suggested by the SCA analysis. Triggered from the results of a SonarQube Cloud Dependency risks analysis, the agent generates a PR for your review.
The following package managers are supported:
NPM — covers npm and yarn
PyPI — covers pip
Maven — covers Maven and Gradle
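The SCA remediation described above amounts to rewriting the pinned version of one dependency in the project's manifest so that a PR can carry the change. The following is an added illustration, not SonarQube's own code, of what that manifest edit looks like for the three supported package managers: an npm package.json, a pip requirements.txt, and a Maven pom.xml. The manifests, package names, and target versions are constructed for the example; the target version stands in for whatever the Dependency risks analysis recommends.

```python
"""Apply an SCA-style dependency version bump to a package manifest.

Added example (not SonarQube code): given a package and the version that a
dependency-risk analysis recommends, rewrite the pinned version in an npm
package.json, a pip requirements.txt, or a Maven pom.xml. The sample
manifests below are constructed; package names and versions are illustrative.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "4.17.20", "express": "^4.18.2"},
    "devDependencies": {"jest": "29.0.0"},
}, indent=2)

REQUIREMENTS_TXT = "requests==2.25.0\nflask==2.3.0\n# pinned for CI\npyyaml==5.3\n"

POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10</version>
    </dependency>
  </dependencies>
</project>
"""

NPM_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def bump_npm(package_json: str, name: str, target: str) -> str:
    """Return package.json with `name` pinned to `target` in every section that declares it."""
    data = json.loads(package_json)
    found = False
    for section in NPM_SECTIONS:
        deps = data.get(section, {})
        if name in deps:
            deps[name] = target  # exact pin: the recommended version is the fixed floor
            found = True
    if not found:
        raise KeyError(f"{name} is not declared in package.json")
    return json.dumps(data, indent=2) + "\n"


def npm_version(package_json: str, name: str):
    """Read back the declared version of `name`, or None if absent."""
    data = json.loads(package_json)
    for section in NPM_SECTIONS:
        if name in data.get(section, {}):
            return data[section][name]
    return None


def bump_pip(requirements: str, name: str, target: str) -> str:
    """Return requirements.txt with the `name==<old>` pin replaced by `target`.

    Package names are matched case-insensitively, as pip does; comment lines
    and other packages are left untouched.
    """
    pattern = re.compile(rf"^(\s*{re.escape(name)})\s*==\s*[^\s#]+",
                         re.IGNORECASE | re.MULTILINE)
    new_text, count = pattern.subn(rf"\g<1>=={target}", requirements)
    if count == 0:
        raise KeyError(f"{name} is not pinned in requirements.txt")
    return new_text


def pip_version(requirements: str, name: str):
    """Read back the pinned version of `name`, or None if it is not pinned."""
    match = re.search(rf"^\s*{re.escape(name)}\s*==\s*([^\s#]+)", requirements,
                      re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None


def bump_maven(pom: str, group_id: str, artifact_id: str, target: str) -> str:
    """Return pom.xml with the matching <dependency>'s <version> set to `target`."""
    ET.register_namespace("", POM_NS["m"])  # keep the default POM namespace on output
    root = ET.fromstring(pom)
    found = False
    for dep in root.findall(".//m:dependency", POM_NS):
        if (dep.findtext("m:groupId", namespaces=POM_NS) == group_id
                and dep.findtext("m:artifactId", namespaces=POM_NS) == artifact_id):
            dep.find("m:version", POM_NS).text = target
            found = True
    if not found:
        raise KeyError(f"{group_id}:{artifact_id} is not declared in pom.xml")
    return ET.tostring(root, encoding="unicode")


def maven_version(pom: str, group_id: str, artifact_id: str):
    """Read back the declared version of a Maven dependency, or None if absent."""
    root = ET.fromstring(pom)
    for dep in root.findall(".//m:dependency", POM_NS):
        if (dep.findtext("m:groupId", namespaces=POM_NS) == group_id
                and dep.findtext("m:artifactId", namespaces=POM_NS) == artifact_id):
            return dep.findtext("m:version", namespaces=POM_NS)
    return None


if __name__ == "__main__":
    print(bump_npm(PACKAGE_JSON, "lodash", "4.17.21"))
    print(bump_pip(REQUIREMENTS_TXT, "PyYAML", "5.4"))
    print(bump_maven(POM_XML, "com.fasterxml.jackson.core", "jackson-databind", "2.12.7.1"))
```

Only the manifest is rewritten here; a real bump PR also needs the lockfile (package-lock.json, yarn.lock, or a resolved Gradle/Maven build) regenerated and the build run, which is why the page has the agent open the change as a PR for review rather than merging it.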
Related products
For AI-powered pull request review automation, see Gitar, a separate Sonar product.