Overview
Plug the SonarQube CLI into your editor, AI coding assistants, and Git workflow so analysis runs automatically.
The SonarQube CLI ships first-class integrations for the tools your engineers use every day. Each sonar integrate subcommand connects SonarQube to one of these tools. It installs secrets-scanning hooks, configures the MCP server where applicable, and sets up SonarQube Agentic Analysis on SonarQube Cloud.
What's available
Claude Code, GitHub Copilot, OpenAI Codex, Git hooks
Project versus global scope
Every sonar integrate subcommand installs at project scope (inside the current repository) or global scope (in your user home, applying across projects on your machine):
Project scope (no flag; the default): installs inside your repository (.claude/, .copilot/, Codex config, .git/hooks/). Per-repo configuration. The hook ships with the repo and applies only when working in that project.
Global scope (--global): installs in your user home (~/.claude/, ~/.copilot/, ~/.codex/, ~/.sonar/sonarqube-cli/hooks/). Apply once, get the integration across every project on your machine. Recommended for individual developers and for security baselines.
The --project / -p flag sets the SonarQube project key. Passing it implies project scope and skips the scope prompt. When you omit it, the CLI resolves the project from sonar-project.properties, SonarQube for IDE connected mode, or the git origin remote when the repository is bound on SonarQube.
In an interactive terminal, when you omit both --global and --project, the CLI shows the connection and project preflight summary, then asks where to install. Choose This project for the current directory, or Global for your user home.
In non-interactive mode (including when you authenticate with environment variables), scope defaults to project when you don't pass --global. The CLI logs an info line recording that default.
If you install a global integration first and then run the same sonar integrate command in a project, the CLI detects the existing global setup and skips redundant hook installation.
What gets installed
AI agent integrations (sonar integrate claude, copilot, and codex) wire SonarQube into secrets scanning, the MCP server, and (on SonarQube Cloud) Agentic Analysis and Context Augmentation, though the underlying mechanism depends on what each agent exposes:
Secrets-scanning hook(s). For Claude Code, a UserPromptSubmit hook (scans the prompt you send to Claude) and a PreToolUse hook (runs before file reads/writes). For GitHub Copilot, a pre-tool-use hook. For OpenAI Codex, a UserPromptSubmit hook (scans the prompt before it is sent to Codex), plus instructions to scan files for secrets before reading them. These all block any operation that would expose a secret. Powered by sonar analyze secrets.
MCP server configuration. Lets the agent call SonarQube directly to fetch projects, issues, and rules.
Agentic Analysis integration (SonarQube Cloud only). For Claude Code and Codex, a PostToolUse hook that runs Agentic Analysis on the agent's edits automatically. For GitHub Copilot, instructions that let the agent invoke sonar analyze on your changes. Agentic Analysis is project-scoped: --global installs skip it.
Context Augmentation skill (SonarQube Cloud only, when enabled for your organization). On eligible project installs, the integrate commands install a skill that lets the agent pull project guidelines, architecture, semantic navigation, and dependency context through the CLI integration as it works. Context Augmentation is project-scoped: --global installs skip it, and --skip-context opts out.
sonar integrate git installs only the secrets-scanning hook, but at the Git layer, so commits and pushes that would expose a secret are blocked even outside of an AI agent's session.
Recommended setup for a developer's laptop
This gives every project on the machine secrets blocking at three layers: AI agent reads, AI agent writes, and Git commits/pushes.
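One way to script this setup for an unattended provisioning run, as an added example rather than SonarQube's own script. It assumes `sonar` is on PATH and already authenticated, and that a nonzero exit status from `sonar integrate` means the integration was not installed; `rollout_global`, `integrate_global`, `SONAR_BIN` and `DRY_RUN` are names made up for this example.

```shell
#!/bin/sh
# Added example, not part of the SonarQube CLI.
# Assumption: a nonzero exit from `sonar integrate` means "not installed".
SONAR_BIN="${SONAR_BIN:-sonar}"

# Run (or, with DRY_RUN=1, print) one global install. --global is always
# passed explicitly: without it, a non-interactive run defaults to project
# scope and the machine-wide hook is never installed.
integrate_global() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$SONAR_BIN integrate $1 --global"
    else
        "$SONAR_BIN" integrate "$1" --global
    fi
}

# Usage: rollout_global [claude] [copilot] [codex]
# Installs the named agent integrations, then always the Git hook, which is
# the layer that still applies outside an agent session. Keeps going after a
# failure and reports every layer that is missing.
rollout_global() {
    failed=""
    for tool in "$@"; do
        case "$tool" in
            claude|copilot|codex)
                integrate_global "$tool" || failed="$failed $tool" ;;
            git) ;;  # installed once, below
            *)  echo "unknown integration: $tool" >&2
                failed="$failed $tool" ;;
        esac
    done
    integrate_global git || failed="$failed git"
    if [ -n "$failed" ]; then
        echo "not installed:$failed" >&2
        return 1
    fi
}
```

Running it with `DRY_RUN=1` first prints the exact commands so they can be reviewed before anything is written to the user home.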
Recommended setup for a team rollout
For larger rollouts (dozens to thousands of engineers), pair the per-machine global integrations above with a CI-side scan that catches anything the local hooks missed:
See Environment variables and Exit codes for the CI/CD recipe.

