Telemetry and privacy

What the SonarQube CLI sends home, what it doesn't, and how to opt out for an individual developer or across a fleet.

Warning: This product is in the Beta stage, and we may release breaking changes.

The SonarQube CLI collects two kinds of data:

  • Anonymous usage telemetry: which commands are run, on what platform, and whether they succeeded.

  • Crash reports via Sentry: unhandled exceptions, scrubbed of personal paths.

Both are enabled by default. They share a single opt-out and transmit no source code, no file contents, and no secrets.

What telemetry collects

Telemetry helps us understand how the CLI is used so we can prioritize improvements, catch regressions, and decide which platforms and integrations to invest in. At a high level, events capture which commands are run, whether they succeed, the CLI version and operating system, and (when you're authenticated) which SonarQube connection the command ran against. We also record which AI coding agent invoked the CLI when one is detectable, so we can shape the integrations accordingly.

Events are buffered locally in ~/.sonar/sonarqube-cli/state.json and flushed asynchronously to SonarSource's telemetry endpoint.

What telemetry doesn't collect

  • File contents.

  • File paths or filenames inside your repositories.

  • Project names or keys (only server-side UUIDs).

  • Command arguments, flag values, or output.

  • Any token or credential value.

What crash reports contain

Sentry is used for crash reporting only. When the CLI hits an unhandled exception, it sends:

  • The exception type and message.

  • The stack trace, with your home directory path scrubbed before transmission.

  • The CLI version and OS.

Crash reports are tied to the same opt-out as telemetry; turning off telemetry also turns off Sentry.

Disable telemetry and crash reporting

For an individual developer:

To re-enable:

The setting persists in ~/.sonar/sonarqube-cli/state.json (telemetry.enabled).

To disable telemetry for the current shell session without changing persisted configuration, set:

Disable only crash reporting

To keep anonymous usage telemetry but disable Sentry crash reports, set this environment variable:

This is rarely needed; most organizations either accept both or disable both.

Rolling out an opt-out across a fleet

For a scaled rollout where policy requires telemetry off by default:

  • Push sonar config telemetry --disabled into your developer-environment bootstrap (Ansible, Chef, dotfiles repo, IT-managed onboarding script). This persists the setting in state.json on every machine.

  • Or set SONARQUBE_CLI_DISABLE_SENTRY=1 in your shared developer environment to disable crash reporting only.

The opt-out is per-machine. No central org-level switch exists yet.
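Because the opt-out is per-machine, a fleet rollout needs a per-machine check that it actually took effect. The script below is an added example, not part of the SonarQube CLI or its documentation. It reads the state file and environment variable named on this page, and it assumes that telemetry.enabled is stored as a nested JSON boolean and that only the value 1 disables Sentry.

```python
import json
import os
from pathlib import Path

# Path and key name come from this page; the nested layout
# {"telemetry": {"enabled": <bool>}} is an assumption.
STATE_REL = Path(".sonar") / "sonarqube-cli" / "state.json"
SENTRY_VAR = "SONARQUBE_CLI_DISABLE_SENTRY"


def audit(home, env):
    """Return (telemetry, crash_reports), each "on", "off" or "unknown"."""
    state_file = Path(home) / STATE_REL
    if not state_file.exists():
        telemetry = "on"  # no persisted setting: both are enabled by default
    else:
        try:
            state = json.loads(state_file.read_text(encoding="utf-8"))
            enabled = state.get("telemetry", {}).get("enabled", True)
            if enabled is True:
                telemetry = "on"
            elif enabled is False:
                telemetry = "off"
            else:
                telemetry = "unknown"  # non-boolean value: flag for review
        except (OSError, ValueError, AttributeError):
            telemetry = "unknown"  # unreadable or malformed state file

    # Crash reports share the telemetry opt-out; the environment
    # variable disables crash reporting on its own.
    if telemetry == "off" or env.get(SENTRY_VAR) == "1":
        crash_reports = "off"
    else:
        crash_reports = telemetry
    return telemetry, crash_reports


if __name__ == "__main__":
    telemetry, crash_reports = audit(Path.home(), os.environ)
    print(f"telemetry={telemetry} crash_reports={crash_reports}")
    # Non-zero exit when a "telemetry off" policy is not met, so a
    # bootstrap or configuration-management run can report drift.
    raise SystemExit(0 if telemetry == "off" else 1)
```

Run it as the developer's own user after the bootstrap step; a result of unknown means the state file should be inspected by hand.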
