State and storage

Where the SonarQube CLI stores its state, credentials, binaries, and logs, plus how to audit them on a developer machine.

Warning: This product is in Beta stage and we may release breaking changes.

Use this page to audit exactly what the SonarQube CLI writes to disk, where it lives, and how credentials are stored.

On-disk layout

All CLI state lives under a single directory in your home:

| Path | Contents |
| --- | --- |
| ~/.sonar/sonarqube-cli/state.json | CLI state (active connection ID, telemetry preferences, installed integrations, tool metadata). |
| ~/.sonar/sonarqube-cli/bin/ | Auxiliary binaries downloaded on demand (the secrets-scanning engine and SCA scanner). |
| ~/.sonar/sonarqube-cli/hooks/ | Git hook scripts installed by sonar integrate git --global. |
| ~/.sonar/sonarqube-cli/logs/ | CLI log files. |

The sonar binary itself is installed separately by the install script:

| Operating system | sonar binary location |
| --- | --- |
| macOS / Linux | ~/.local/share/sonarqube-cli/bin/sonar |
| Windows | %LOCALAPPDATA%\sonarqube-cli\bin\sonar.exe |

What state.json contains

The state file contains these top-level keys:

| Key | Purpose |
| --- | --- |
| version | The state schema version. |
| lastUpdated | ISO timestamp of the last state mutation. |
| auth | Connection metadata (server URL, organization, active connection ID, token name). Token values themselves are not stored here; they live in the OS keychain. |
| config | CLI version and configuration hints. |
| telemetry | Telemetry enabled flag, installation ID, and any pending telemetry events not yet flushed. |
| tools | Versions and paths of installed auxiliary binaries (secrets engine, SCA scanner). |
| integrations | Registry of installed agent/Git integrations and where each feature was installed. |
| agents | Legacy registry kept for backward compatibility with earlier CLI versions. |
| agentExtensions | Legacy registry kept for backward compatibility with earlier CLI versions. |

You can cat or jq this file at any time; it contains no secrets.

Where tokens are stored

Tokens are stored in your operating system's secure credential store, not in plain files:

| OS | Store |
| --- | --- |
| macOS | Keychain Access. |
| Windows | Windows Credential Manager. |
| Linux | Secret Service (GNOME Keyring / KWallet). |

  • Service name: sonarqube-cli

  • Account name: <hostname> for SonarQube Server, or <hostname>:<organization-key> for SonarQube Cloud (one entry per connection).

To audit which tokens the CLI has saved, open your OS keychain and search for sonarqube-cli. To remove the active connection, run sonar auth logout. Repeat after switching connections if you have saved multiple entries.

Warning: WSL has no keychain. Under Windows Subsystem for Linux, no Secret Service is available by default, so the interactive sonar auth login flow won't work. Use Environment variables for authentication in WSL.

What the CLI writes when you run a command

  • state.json is updated on most commands: connection changes, integration installs, telemetry buffering.

  • ~/.sonar/sonarqube-cli/logs/ may receive log output for debugging.

  • The auxiliary scanner binaries in ~/.sonar/sonarqube-cli/bin/ are written when first needed and re-used afterwards. They're versioned and refreshed on sonar self-update.

  • Integration commands (sonar integrate claude / copilot / codex / git) also write outside ~/.sonar/:

    • AI agent integrations write to ~/.claude/, ~/.copilot/, or ~/.codex/ (global) or to your project directory (per-repo).

    • The Git integration writes to your repo's .git/hooks/, .husky/, or .pre-commit-config.yaml, or to ~/.sonar/sonarqube-cli/hooks/ for --global.

Auditing a developer machine

To inspect what the CLI has set up:
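One way to run this inspection on macOS or Linux, as an added example rather than commands from the SonarQube documentation: a read-only script that checks the paths listed on this page, confirms that no token-shaped string sits in state.json or the logs, and flags loosely permissioned files under the state directory. The function names are hypothetical, and the token pattern (sqa_, sqp_ or squ_ followed by 40 hex characters) is an assumption about token format.

```shell
#!/bin/sh
# Added example: read-only audit of the SonarQube CLI paths listed on this page.
# Function names are hypothetical. Each takes a home directory (default: $HOME).
STATE_REL=.sonar/sonarqube-cli

# Report which of the documented paths exist.
sonar_audit_paths() {
    home=${1:-$HOME}
    for p in "$STATE_REL/state.json" "$STATE_REL/bin" "$STATE_REL/hooks" \
             "$STATE_REL/logs" .local/share/sonarqube-cli/bin/sonar; do
        if [ -e "$home/$p" ]; then echo "present $p"; else echo "absent $p"; fi
    done
}

# List plain files that hold a token-shaped string; expected output is empty.
# Assumption: a token looks like sqa_/sqp_/squ_ followed by 40 hex characters.
sonar_find_token_leaks() {
    home=${1:-$HOME}
    grep -rIlE 'sq[aup]_[0-9a-f]{40}' \
        "$home/$STATE_REL/state.json" "$home/$STATE_REL/logs" 2>/dev/null || true
}

# List group- or world-writable entries under the state directory. bin/ and
# hooks/ hold code that gets executed, so only the owner should write there.
sonar_find_loose_perms() {
    home=${1:-$HOME}
    [ -d "$home/$STATE_REL" ] || return 0
    find "$home/$STATE_REL" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# List files in the global agent directories that mention "sonar"
# (a heuristic for locating what the integrate commands wrote).
sonar_find_agent_files() {
    home=${1:-$HOME}
    for d in .claude .copilot .codex; do
        if [ -d "$home/$d" ]; then
            grep -rIli sonar "$home/$d" 2>/dev/null || true
        fi
    done
}

sonar_audit() {
    sonar_audit_paths "$1"
    echo "-- token-shaped strings in state.json or logs:"; sonar_find_token_leaks "$1"
    echo "-- group/world-writable entries:"; sonar_find_loose_perms "$1"
    echo "-- agent files mentioning sonar:"; sonar_find_agent_files "$1"
}

sonar_audit "$@"
```

The script does not read the OS keychain; saved tokens are still audited by searching the keychain for sonarqube-cli as described above.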

For a clean removal, see Uninstalling.
