# Remediation Agent

> **Note:** The SonarQube Remediation Agent is a [Beta](https://docs.sonarsource.com/sonarqube-cloud/appendices/product-release-lifecycle#beta) feature available with the SonarQube Cloud Team (annual) and Enterprise plan accounts. It's free during beta and becomes a paid feature when it moves to [General Availability](https://docs.sonarsource.com/sonarqube-cloud/appendices/product-release-lifecycle#general-availability). For terms and conditions, see [Early Access](https://www.sonarsource.com/legal/early-access/).

## Overview

The SonarQube Remediation Agent helps you fix issues found by SonarQube Cloud in pull requests and in your backlog. It generates fix suggestions for eligible issues and verifies the proposed changes before offering them to you.

This page explains how to enable the agent, manage repository access, and control how it operates in GitHub and SonarQube Cloud.

## Requirements and limitations

* The SonarQube Remediation Agent, when enabled, can make fix suggestions in new PRs on private projects in GitHub.
* Analysis must be enabled on your GitHub repository—either automatic analysis or CI-based analysis.
* Your GitHub organization and repository must be bound to your SonarQube Cloud organization and project.
* The agent can suggest code fixes in the main branch of your backlog and on your pull request for maintainability, reliability, and a select set of security issues found in C#, Java, JavaScript/TypeScript, and Python code. The agent can also suggest fixes for secrets detected in your code.
* The agent can also fix dependency vulnerabilities found by Software Composition Analysis (SCA). See [Reviewing and fixing dependency risks](https://docs.sonarsource.com/sonarqube-cloud/advanced-security/reviewing-and-fixing-dependency-risks) for details.

To keep the agent's output manageable, the number of issues it handles at once is limited:

* Automated backlog remediation: each scheduled run opens one pull request for up to 5 issues in every selected repository.
* Manual backlog remediation: you can't select more than 20 issues to assign at one time.
* Pull request remediation: if a pull request introduces more than 20 new issues, the agent isn't offered.

> **Warning:** The SonarQube Remediation Agent will only work with issues found in one of the supported language types.
>
> Once enabled in SonarQube Cloud, any of your GitHub repositories can add the SonarQube Remediation Agent as a GitHub App, regardless of the language type.
>
> SonarQube Cloud may find issues in a repository with an unsupported language (for example, C++), but the agent won't be triggered in a pull request because C++ isn't a supported language.

## Sharing your code with Sonar

If you use the SonarQube Remediation Agent, the agent sends the affected code snippet to an LLM to generate a fix suggestion. These suggestions are verified by Sonar before being offered as an issue fix. Service agreements with Sonar's LLMs prevent your code from being used to train those models, and your code isn't stored by the LLM provider or any third party.

For terms and conditions, see [Early Access terms](https://www.sonarsource.com/legal/early-access/) in our [Legal documentation](https://www.sonarsource.com/legal/).

## Enable your agent

1. Enable analysis on your GitHub repository project. Use either automatic analysis or CI-based analysis. If your project isn't already bound to the GitHub repository, complete that binding before you install the agent.
2. Navigate to *Your SonarQube Cloud Organization* > **Administration** > **AI capabilities** > **AI agent**.
3. A GitHub administrator needs to install the [SonarQube Agent GitHub app](https://github.com/apps/sonarqube-agent). Under **Install app**, select **GitHub**. The administrator will be prompted to install the app on the GitHub organization already linked to your SonarQube Cloud organization. If installed, the agent will be granted:
   * Read and write access to code and pull requests
   * Read-only access to issues and metadata
4. Choose either **All repositories** or **Only select repositories** to control which repositories the AI agent can access. Once you've made your selection, select **Install & Authorize** to finish the setup. The installation may take a few seconds to complete. After setup, the **AI agent** > **Enable agent** > **Pull request fixes** and **Backlog fixes** options will be automatically selected in SonarQube Cloud. You'll be able to commit the agent's suggestions directly from your PRs and the **Assign to Agent** button will be available on the **Issues** page for selected projects.
5. To have the agent fix backlog issues on a schedule, an organization admin selects **Automated backlog remediation** at the bottom of the **Enable agent** list. Set the frequency (daily or weekly), the time, and the timezone for the scheduled runs. To cap how many open pull requests the agent keeps active, set a limit under **Pause when open PRs reach**, or select **Don't pause**. These organization-level settings apply to all projects where the agent is enabled, and project admins have the same controls to override or disable the schedule for individual projects.

## Manage agent access

The SonarQube Remediation Agent only has access to the bound repositories defined in GitHub. To change repository access, a GitHub administrator who is also a SonarQube Cloud Administrator can navigate in SonarQube Cloud to *Your Organization* > **Administration** > **AI capabilities** > **AI agent**. Under **Install app**, select **Manage Permissions**, which takes you to your GitHub Apps page.

Alternatively, a GitHub administrator can navigate in GitHub to *Your GitHub Organization* > **Settings** > **Third-party Access** > **GitHub Apps**. Under **Installed GitHub Apps** > **SonarQube Agent**, select **Configure**.

* In GitHub, under **SonarQube Agent** > **Repository access**, add or remove your repositories from the list. When finished, select **Save** to confirm your selection.
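
To check that the installed app still matches the grants listed under [Enable your agent](#enable-your-agent) and the repository scope you chose, you can audit the installation record that GitHub's `GET /orgs/{org}/installations` endpoint returns. The following is an added example, not part of Sonar's documentation or tooling. It assumes the page's grants map to the GitHub permission keys `contents`, `pull_requests`, `issues` and `metadata`, uses a constructed sample response, and treats "all repositories" as a finding only as a local policy choice.

```python
import json

# Expected grants for the "sonarqube-agent" app, as listed under "Enable your agent".
# The mapping to GitHub permission keys is this example's assumption.
EXPECTED = {"contents": "write", "pull_requests": "write",
            "issues": "read", "metadata": "read"}
RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed sample shaped like the response of GET /orgs/{org}/installations.
SAMPLE = json.loads("""
{"total_count": 2, "installations": [
  {"id": 101, "app_slug": "sonarqube-agent", "repository_selection": "all",
   "suspended_at": null,
   "permissions": {"contents": "write", "pull_requests": "write",
                   "issues": "write", "metadata": "read", "workflows": "write"}},
  {"id": 102, "app_slug": "example-other-app", "repository_selection": "selected",
   "suspended_at": null, "permissions": {"metadata": "read"}}
]}
""")

def audit_installation(response, app_slug="sonarqube-agent", allow_all_repos=False):
    """Return a list of findings for the named app; an empty list means no drift."""
    matches = [i for i in response.get("installations", [])
               if i.get("app_slug") == app_slug]
    if not matches:
        return [f"{app_slug}: not installed"]
    findings = []
    for inst in matches:
        perms = inst.get("permissions") or {}
        # Anything granted beyond the documented set, or at a higher level.
        for name, level in sorted(perms.items()):
            want = EXPECTED.get(name)
            if want is None:
                findings.append(f"unexpected permission {name}:{level}")
            elif RANK.get(level, 99) > RANK[want]:
                findings.append(f"{name} is {level}, expected {want}")
        # Anything documented but missing or downgraded (the agent would not work).
        for name, want in sorted(EXPECTED.items()):
            if RANK.get(perms.get(name), 0) < RANK[want]:
                findings.append(f"{name} below expected {want}")
        if inst.get("repository_selection") == "all" and not allow_all_repos:
            findings.append("repository_selection is 'all', not a selected list")
        if inst.get("suspended_at"):
            findings.append(f"suspended at {inst['suspended_at']}")
    return findings

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE):
        print(finding)
```
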

### Disable or suspend agent access

You can disable the SonarQube Remediation Agent in SonarQube Cloud or in GitHub.

A SonarQube Cloud Administrator can navigate to *Your Organization* > **Administration** > **AI capabilities** > **AI agent** > **Enable agent** and unselect **Remediation agent**. After you select **Save**, the agent won't be triggered in GitHub.

To suspend or uninstall SonarQube Agent completely, navigate in GitHub to *Your GitHub Organization* > **Third-party Access** > **GitHub Apps** > **SonarQube Agent** > **Danger zone** and select **Suspend** or **Uninstall**.

* **Suspend** blocks the agent's access to your repositories. This is the easiest option if you want to restart the agent later.
* If you select and confirm **Uninstall**, the SonarQube Agent will be removed from all of your repositories and from your SonarQube Cloud Organization. The agent's activity will remain in your PR history, but if you want to use the agent again, you must return to [Enable your agent](#enable-your-agent).

## Agent behavior

The SonarQube Remediation Agent proposes fixes in three ways: automatically on a schedule, for issues you assign from your backlog, and for new issues in a pull request when its quality gate fails.

* **Automated backlog remediation**: The agent runs on a schedule you set, automatically proposing fixes for eligible issues in your main branch without manual assignment. For configuration details, see [Backlog fix suggestions](/agent-centric-development-cycle/how-to-guides/solve-issues/backlog-fix-suggestions.md#automated-backlog-remediation).
* **Manual backlog remediation**: Select issues from your main branch and assign them to the agent. It opens a new PR in GitHub and groups the fixes you assign by rule key and file type. For details, see [Backlog fix suggestions](/agent-centric-development-cycle/how-to-guides/solve-issues/backlog-fix-suggestions.md).
* **Pull request remediation**: When your quality gate fails during PR analysis, the **Quality Gate failed** comment includes a **Fix automatically** checkbox. Select it to trigger the agent, which generates fixes and opens a separate PR targeting your branch. Its behavior and how to engage with it are described on [Pull request fix suggestions](/agent-centric-development-cycle/how-to-guides/solve-issues/pull-request-fix-suggestions.md).

## Unsupported rules

A small number of rules aren't supported because they're too complex for an LLM to solve.

### Unsupported C# rules

csharpsquid:S1133

csharpsquid:S1134

csharpsquid:S1135

csharpsquid:S1144

csharpsquid:S3776

### Unsupported Java rules

java:S120

java:S1133

java:S1134

java:S1135

java:S1144

java:S1228

java:S3776

### Unsupported JavaScript rules

javascript:S1134

javascript:S1135

javascript:S1144

javascript:S1874

javascript:S3776

### Unsupported Python rules

python:S1134

python:S1135

python:S1144

python:S3776

### Unsupported TypeScript rules

typescript:S1134

typescript:S1135

typescript:S1144

typescript:S1874

typescript:S3776

### Secrets rules

All Secrets rules are supported.

