Overview
Plug the SonarQube CLI into your editor, AI coding assistants, and Git workflow so analysis runs automatically.
Warning: This product is in Beta stage and we may release breaking changes.
The SonarQube CLI ships first-class integrations for the tools your engineers use every day. Each sonar integrate subcommand connects SonarQube to one of these tools. It installs secrets-scanning hooks, configures the MCP server where applicable, and sets up SonarQube Agentic Analysis on SonarQube Cloud.
What's available
Claude Code, GitHub Copilot, OpenAI Codex, Git hooks
Project versus global scope
Every integration command accepts a scope:
Project (default), --project: Inside your repository (.claude/, .copilot/, Codex config, .git/hooks/). Per-repo configuration. The hook ships with the repo and applies only when working in that project.
Global, --global: In your user home (~/.claude/, ~/.copilot/, ~/.codex/, ~/.sonar/sonarqube-cli/hooks/). Apply once, get the integration across every project on your machine. Recommended for individual developers and for security baselines.
If you install a global integration first and then run the same sonar integrate command in a project, the CLI detects the existing global setup and skips redundant hook installation.
What gets installed
AI agent integrations (sonar integrate claude, copilot, and codex) wire SonarQube into secrets scanning, the MCP server, and (on SonarQube Cloud) Agentic Analysis and Context Augmentation, though the underlying mechanism depends on what each agent exposes:
Secrets-scanning hook(s). For Claude Code, a UserPromptSubmit hook (scans the prompt you send to Claude) and a PreToolUse hook (runs before file reads/writes). For GitHub Copilot, a pre-tool-use hook. For OpenAI Codex, a UserPromptSubmit hook (scans the prompt before it is sent to Codex), plus instructions to scan files for secrets before reading them. These all block any operation that would expose a secret. Powered by sonar analyze secrets.
MCP server configuration. Lets the agent call SonarQube directly to fetch projects, issues, and rules.
Agentic Analysis integration (SonarQube Cloud only). For Claude Code, a PostToolUse hook that runs Agentic Analysis on the agent's edits automatically. For GitHub Copilot and Codex, instructions that let the agent invoke sonar analyze on your changes.
Context Augmentation skill (SonarQube Cloud only, when enabled for your organization). On eligible project installs, the integrate commands install a skill that lets the agent pull project guidelines, architecture, semantic navigation, and dependency context through the CLI integration as it works. Context Augmentation is project-scoped: --global installs skip it, and --skip-context opts out.
sonar integrate git installs only the secrets-scanning hook, but at the Git layer, so commits and pushes are blocked even outside of an AI agent's session.
Recommended setup for a developer's laptop
This gives every project on the machine secrets blocking at three layers: AI agent reads, AI agent writes, and Git commits/pushes.
Recommended setup for a team rollout
For larger rollouts (dozens to thousands of engineers), pair the per-machine global integrations above with a CI-side scan that catches anything the local hooks missed:
See Environment variables and Exit codes for the CI/CD recipe.

