# GitHub Copilot

> **Warning:** This product is in Beta stage and we may release breaking changes. The documentation here matches the release version listed in the table of contents.

`sonar integrate copilot` configures the SonarQube CLI to work alongside [GitHub Copilot](https://docs.github.com/copilot). One command installs three things:

* **A secrets-scanning hook** that runs before Copilot reads or writes files and blocks any operation that would expose a secret.
* **The SonarQube MCP server** so Copilot can fetch projects, issues, and rules directly.
* **SonarQube Agentic Analysis instructions** (SonarQube Cloud only, when a project key is available and your organization is entitled) so Copilot can run `sonar verify` on your changes.

## Prerequisites

* [The SonarQube CLI is installed and authenticated](/sonarqube-cli/quickstart-guide.md).
* GitHub Copilot is installed in your editor (or available via the GitHub Copilot CLI).
* You're working inside a project directory (or you're installing globally with `--global`).

## Install

Run inside the project you want to integrate, with the project key:

```bash
sonar integrate copilot --project <YourProjectKey>
```

Or install once for your whole machine:

```bash
sonar integrate copilot --global
```

> **Warning:** `--project` and `--global` are mutually exclusive. Passing both causes the command to fail with an "invalid options" error (exit code `2`).

### Where files are installed

| Scope             | Hook & instructions location                                                       |
| ----------------- | ---------------------------------------------------------------------------------- |
| `--global`        | `~/.copilot/` (hooks, settings, instructions)                                      |
| Project (default) | Inside the repo's Copilot configuration directory                                  |
| Shared binary     | `~/.sonar/sonarqube-cli/bin/` (the secrets-scanning binary, used for hook payload) |

State for installed integrations is recorded in `~/.sonar/sonarqube-cli/state.json`. See [State and storage](/sonarqube-cli/administration/state-and-storage.md).
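A post-install check for the `--global` scope, added here as an example and not part of the SonarQube CLI or its documentation: it inventories the locations in the table above and flags anything group- or world-writable, since the hook runs automatically before Copilot file operations. The function names are hypothetical, and the value under `integrations.installed` (the key named in the Uninstall section) is returned unchanged because this page does not describe its shape.

```python
import json
import stat
from pathlib import Path

# Directories from the table above, relative to the home directory.
LOCATIONS = [".copilot", ".sonar/sonarqube-cli/bin"]
STATE_FILE = ".sonar/sonarqube-cli/state.json"


def writable_by_others(root: Path, home: Path) -> list[str]:
    """Paths at or below root that group or other users may write to."""
    flagged = []
    for path in [root, *sorted(root.rglob("*"))]:
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # permission bits on a symlink itself are not meaningful
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(str(path.relative_to(home)))
    return flagged


def audit(home: Path) -> dict:
    """Inventory a --global install under home and flag loose permissions."""
    report = {"missing": [], "writable_by_others": [], "installed": None}
    for rel in LOCATIONS:
        root = home / rel
        if root.is_dir():
            report["writable_by_others"] += writable_by_others(root, home)
        else:
            report["missing"].append(rel)
    try:
        data = json.loads((home / STATE_FILE).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        report["missing"].append(STATE_FILE)
        return report
    # Only the key path integrations.installed is documented; the value's
    # shape is not, so it is returned unchanged rather than interpreted.
    integrations = data.get("integrations") if isinstance(data, dict) else None
    if isinstance(integrations, dict):
        report["installed"] = integrations.get("installed")
    return report


if __name__ == "__main__":
    print(json.dumps(audit(Path.home()), indent=2))
```

An empty `missing` list and an empty `writable_by_others` list mean every documented location exists and only the owner can modify it.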

### Agentic Analysis on global installs

When you run `sonar integrate copilot --global`, Agentic Analysis instructions are written **only** if a project key can be resolved (from `--project`, from your current directory's `sonar-project.properties`, or from a shared SonarLint connected-mode binding) and your organization is entitled to Agentic Analysis. Otherwise the global install skips the Agentic Analysis portion and configures only the secrets-scanning hook and the MCP server.

## Restart Copilot

Copilot reads its hook and MCP configuration at startup. **Restart Copilot** (or your IDE) for the integration to take effect.

## Verify it works

### Test the secrets hook

1. Create a file in your project containing a fake but secret-shaped value:

   ```javascript
   // secrets.js
   const API_KEY = "sqp_1aa323ae0689cd4a1abd062a2ad0a224ae8a1d13";
   ```
2. Ask Copilot to read it.
3. Copilot should block the read and explain that the file contains a secret.

Delete the test file once confirmed.

### Test the MCP server

Ask Copilot to list your SonarQube projects via the MCP server. If the call fails, run `sonar auth status` to confirm the underlying token is healthy, then restart Copilot.

## Uninstall

The CLI doesn't ship a dedicated uninstall command for integrations yet. To remove the Copilot integration:

1. Delete the hook files written under `~/.copilot/` (global) or in your project's Copilot config (project).
2. Remove the SonarQube MCP server entry from your Copilot configuration.
3. Remove the integration entry from `~/.sonar/sonarqube-cli/state.json` (under `integrations.installed`).

See [Uninstalling](/sonarqube-cli/administration/uninstall.md) for the full removal procedure.

## Related pages

* [Secrets scanning](/sonarqube-cli/analysis/secrets-scanning.md)
* [Analyzing local changes](/sonarqube-cli/analysis/analyzing-local-changes.md)
* [Claude Code](/sonarqube-cli/integrations/claude-code.md)
* [State and storage](/sonarqube-cli/administration/state-and-storage.md)

