> For the complete documentation index, see [llms.txt](https://docs.sonarsource.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sonarsource.com/agent-centric-development-cycle/verify/hunter-agent.md).

# Hunter Agent

> SonarQube Hunter Agent is available as a beta feature in the SonarQube Cloud Enterprise plan. For more information on release stages, see [Product release lifecycle](https://docs.sonarsource.com/sonarqube-cloud/appendices/product-release-lifecycle).

## Overview

SonarQube Hunter Agent is part of the *Verify* phase of the [Agent Centric Development Cycle](/agent-centric-development-cycle/readme.md). It runs a deep analysis of your projects to find vulnerabilities that require human-like understanding of the code, then raises them as issues you can triage in SonarQube Cloud.

Broken access control and business-logic flaws don't show up as code patterns. They live in the gap between what your code is meant to do and what it actually does. Static analysis cannot see that gap, so these flaws usually surface only in manual security review. SonarQube Hunter Agent brings that type of review to your projects.

With SonarQube Hunter Agent, you:

* find high-impact security flaws that static analysis misses, such as broken access control and business-logic errors
* work with findings as regular issues you triage, assign, and track like any other, with no new tool to learn
* run the analysis on Sonar's infrastructure, with nothing to install or run locally

The agent works through playbooks: structured, multi-step sequences of specialized prompts that reason through your code the way a security researcher works through a manual code audit.

Each run works in stages: the agent identifies the threat model for the security-relevant parts of your codebase, detects candidate issues, tests them to rule out false positives, and pins each confirmed finding to an exact location in the code.

```mermaid
%%{init: {'theme': 'base', 'themeVariables': {
  'primaryColor': '#E6F2FF',
  'primaryBorderColor': '#126ED3',
  'primaryTextColor': '#111827',
  'lineColor': '#126ED3'
}}}%%
flowchart TD
    D["Discover
---
Identify the threat model"] --> I1["Detect issues
---
Broken access control"]
    D --> I2["Detect issues
---
Business logic"]
    D --> I3["Detect issues
---
Authentication and session"]
    I1 --> C1["Verify candidates
---
Broken access control"]
    I2 --> C2["Verify candidates
---
Business logic"]
    I3 --> C3["Verify candidates
---
Authentication and session"]
    C1 --> S["Consolidate
---
Merge findings across categories"]
    C2 --> S
    C3 --> S
    S --> L["Locate
---
Pin each finding to a file and line"]
    L --> R["Report
---
Raise findings as issues in SonarQube Cloud"]
```

## What it detects

SonarQube Hunter Agent runs a single application security playbook that covers three categories of vulnerability. Note that the following lists of CWEs are not exhaustive.

**Broken access control**: insecure direct object references (IDOR), missing or incorrect authorization checks, privilege escalation, sensitive data exposure, and cross-site request forgery (CSRF)

* CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
* CWE-285: Improper Authorization
* CWE-862: Missing Authorization
* CWE-863: Incorrect Authorization
* CWE-269: Improper Privilege Management
* CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
* CWE-352: Cross-Site Request Forgery

**Business logic vulnerabilities**: skipping required workflow steps, abusing repeatable actions, and missing rate limits

* CWE-840: Business Logic Errors (parent category)
* CWE-841: Improper Enforcement of Behavioral Workflow
* CWE-799: Improper Control of Interaction Frequency
* CWE-837: Improper Enforcement of a Single, Unique Action
* CWE-770: Allocation of Resources Without Limits or Throttling

**Authentication and session management flaws**: broken authentication, session fixation, non-expiring sessions, weak password recovery, missing multi-factor authentication (MFA), and brute-force gaps

* CWE-287: Improper Authentication
* CWE-384: Session Fixation
* CWE-613: Insufficient Session Expiration
* CWE-640: Weak Password Recovery Mechanism for Forgotten Password
* CWE-308: Use of Single-factor Authentication
* CWE-294: Authentication Bypass by Capture-replay
* CWE-307: Improper Restriction of Excessive Authentication Attempts

SonarQube Hunter Agent works with any language supported by SonarQube Cloud.

## Reviewing findings

SonarQube Hunter Agent findings appear in your project's regular issue list, alongside your other issues, so you can filter, assign, comment on, and change their status like any other issue. Each enabled project also has a **Hunter Agent** page that summarizes findings.

## Setup

To enable SonarQube Hunter Agent for your organization and projects, see [Uncover complex vulnerabilities with AI](/agent-centric-development-cycle/verify/how-to-guides/uncover-complex-vulnerabilities-with-ai.md).

## FAQ

#### Does SonarQube Hunter Agent replace static analysis?

No. It complements Sonar's static analysis. Static analysis handles the vulnerability classes it's built for, such as SQL injection and cross-site scripting (XSS), and SonarQube Hunter Agent adds a layer for logic-level flaws that don't show up as code patterns.

#### How is it different from runtime tools or pentesting agents?

Runtime tools and AI-assisted pentesting agents probe a running application after deployment. SonarQube Hunter Agent works at the code level, before the code ships, applying the same attacker-perspective reasoning earlier, when a fix costs far less.

#### Does it run my application?

No. SonarQube Hunter Agent only reads your source code. It doesn't run or attack a running application.

#### How is it different from Gitar?

Gitar reviews individual pull requests as they're opened. SonarQube Hunter Agent analyzes your projects in depth.

#### How is it different from the Remediation Agent?

Both are agents, but they work at opposite ends of the cycle. SonarQube Hunter Agent is a *Verify* feature that finds new vulnerabilities. The [Remediation Agent](/agent-centric-development-cycle/solve/remediation-agent.md) is a *Solve* feature that proposes fixes for issues you already have. SonarQube Hunter Agent doesn't fix the issues it finds.

#### Which large language model does it use?

SonarQube Hunter Agent is model-agnostic. It runs on Sonar's Foundation Agent, which currently uses Claude Sonnet and Opus, and Sonar can qualify other models over time. The Foundation Agent keeps results consistent and auditable, whichever model is in use.

#### Are the results consistent from run to run?

Yes. Consistency is a core design goal. Rather than producing different results on the same project each run, SonarQube Hunter Agent aims for reproducible, auditable output that you can triage, escalate, and report on.

#### What happens to my code and findings?

Your code and findings stay within your SonarQube Cloud environment. SonarQube Hunter Agent doesn't send your source code to external services beyond the model inference call, which is subject to the same data-handling terms as the rest of the platform. Contact your account team for the full data-handling documentation.

## Related pages

* [About the Agent Centric Development Cycle](/agent-centric-development-cycle/readme.md)
* [Uncover complex vulnerabilities with AI](/agent-centric-development-cycle/verify/how-to-guides/uncover-complex-vulnerabilities-with-ai.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.sonarsource.com/agent-centric-development-cycle/verify/hunter-agent.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
