BetaDeveloper

Commands reference

A complete reference for SonarQube CLI commands, with arguments, options, defaults, and examples.

Warning: This product is in Beta stage and we may release breaking changes.

This page documents every SonarQube CLI command. Find the full SonarQube CLI command reference, including options and examples, at cli.sonarqube.com. A machine-readable version of the command reference is also available as JSON at cli.sonarqube.com/data/commands.json.

Each entry includes a description, the arguments and options it accepts (with types, defaults, and whether they are required), and runnable examples.

For longer-form guides on how to use these commands, see Overview, Overview, and Overview.

Commands at a glance

Group

Commands

Authentication

sonar auth login, logout, status

Integrations

sonar integrate claude, copilot, codex, git

Analysis

sonar analyze, analyze secrets, analyze agentic, analyze dependency-risks, remediate

Information

sonar list issues, list projects, api

Configuration

sonar config telemetry

Maintenance

sonar self-update

Command

Description

sonar auth

Manage authentication tokens and credentials.

sonar api

Make authenticated API requests to SonarQube.

sonar integrate

Set up SonarQube integration for AI coding agents, git, and others.

sonar list

List issues and projects from SonarQube.

sonar remediate

Trigger AI agent remediation for eligible issues (SonarQube Cloud only).

sonar analyze

Run secrets scanning and Agentic Analysis on the local change set (default when no subcommand is given); subcommands cover SCA and targeted scans.

sonar verify

Deprecated. Agentic Analysis only. Use sonar analyze or sonar analyze agentic instead.

sonar config

Configure CLI settings.

sonar self-update

Update sonar CLI to the latest version.

`sonar auth`

Manage authentication tokens and credentials.

Authenticate via browser and save credentials in the system keychain. Must be run manually; AI agents cannot complete this flow. For CI/CD and automation, use environment variables instead.

Options:

Option

Type

Required

Description

Default

--server, -s

string

Your SonarQube Server URL, SonarQube Cloud EU (https://sonarcloud.io), or SonarQube Cloud US (https://sonarqube.us). When omitted, the CLI prompts you to choose server and region.

--org, -o

string

Your SonarQube Cloud organization key. If omitted when authenticating to SonarQube Cloud, the CLI auto-selects your organization when you belong to exactly one, or prompts you to choose when you belong to multiple organizations.

Examples:

Interactive login (prompts for server type, region, and organization):

sonar auth login

Interactive login with a pre-selected server (skips the server and region prompts):

# SonarQube Server (self-hosted)
sonar auth login --server <YourSonarQubeServerURL>
# Also works with SonarCloud EU or US region URLs
sonar auth login --server "https://sonarcloud.io"
sonar auth login --server "https://sonarqube.us"

For CI/CD pipelines and headless environments, use environment variables instead of sonar auth login.

`sonar auth logout`

Remove the active connection token from the keychain. The CLI also best-effort revokes the token server-side when it was created via the interactive browser flow.

Examples:

sonar auth logout

`sonar auth status`

Show the active authentication connection and verify the token against the server.

Examples:

sonar auth status

`sonar integrate`

For step-by-step setup guides, see Overview.

`sonar integrate claude`

Set up the SonarQube integration for Claude Code. Installs secrets-scanning hooks and configures the SonarQube MCP server, SonarQube Agentic Analysis, and Context Augmentation (on SonarQube Cloud).

Options:

Option

Type

Required

Description

Default

--project, -p

string

Project key. Ignored when --global is used.

--non-interactive

boolean

Non-interactive mode (no prompts).

--global, -g

boolean

Install hooks and config globally to ~/.claude instead of project directory.

--skip-context

boolean

Skip the Context Augmentation install and skill setup.

Examples:

sonar integrate claude -p my-project
sonar integrate claude -g
sonar integrate claude -p my-project --skip-context

`sonar integrate copilot`

Set up the SonarQube integration for GitHub Copilot. Installs secrets-scanning hooks and configures the SonarQube MCP server, SonarQube Agentic Analysis, and Context Augmentation (on SonarQube Cloud).

Options:

Option

Type

Required

Description

Default

--global, -g

boolean

Install hooks and config globally to ~/.copilot instead of project directory.

--project, -p

string

Project key. Mutually exclusive with --global.

--skip-context

boolean

Skip the Context Augmentation install and skill setup.

Examples:

sonar integrate copilot -p my-project
sonar integrate copilot -g
sonar integrate copilot -p my-project --skip-context

`sonar integrate codex`

Set up the SonarQube integration for OpenAI Codex. Installs a UserPromptSubmit secrets hook, MCP configuration, and (on SonarQube Cloud, when entitled) Agentic Analysis instructions and Context Augmentation. See OpenAI Codex.

Options:

Option

Type

Required

Description

Default

--project, -p

string

Project key. Mutually exclusive with --global.

--global, -g

boolean

Install hook and config globally to ~/.codex instead of project directory.

--skip-context

boolean

Skip Context Augmentation install and skill setup.

Examples:

sonar integrate codex -p my-project
sonar integrate codex -g

`sonar integrate git`

Install a Git hook that scans staged files (pre-commit) or unpushed commits (pre-push) for secrets.

Options:

Option

Type

Required

Description

Default

--hook

string

Hook to install: pre-commit (scan staged files) or pre-push (scan files in unpushed commits).

--force

boolean

Overwrite an existing hook if it is not from sonar integrate git.

--non-interactive

boolean

Non-interactive mode (no prompts).

--global

boolean

Install hook globally for all repositories (sets git config --global core.hooksPath).

Examples:

sonar integrate git
sonar integrate git --hook pre-push
sonar integrate git --global
sonar integrate git --hook pre-push --global --non-interactive

Analysis

`sonar analyze`

Run every analysis the CLI supports on your local change set: secrets scanning first, then Agentic Analysis (SonarQube Cloud only). This is the recommended command before a commit or pull request. See Analyzing local changes.

Options:

Option

Type

Required

Description

Default

--file

string

Analyze a single file (skips change-set detection).

--staged

boolean

Analyze staged files only (git diff --cached).

--base

string

Analyze files changed vs a branch or ref (e.g. main).

--force

boolean

Skip the large change-set confirmation prompt.

--format

string

Output format (text, json).

text

Note: --branch and --project are available on sonar analyze agentic but not on the bare sonar analyze command. Use sonar analyze agentic when you need those options.

Examples:

sonar analyze
sonar analyze --staged
sonar analyze --base main --format json

`sonar analyze secrets`

Scan files or standard input for hardcoded secrets.

Arguments:

Argument

Description

[paths…]

File or directory paths to scan for secrets.

Options:

Option

Type

Required

Description

Default

--stdin

boolean

Read from standard input instead of paths.

--disable-entropy-filter

boolean

Report low-entropy matches (e.g. placeholder or example secrets) that would normally be silently dropped. Reported as low-confidence, with the filter name appended to the issue message.

false

--disable-test-file-detection

boolean

Stop filtering out files automatically identified as test files. Findings in those files are reported as low-confidence, with the filter name appended to the issue message. Has no effect on files explicitly declared as tests via sonar.tests.

false

Exit behavior: exits with code 51 when secrets are found, 0 when none are found. See Exit codes.

Examples:

Scan a file:

sonar analyze secrets src/config.ts

Scan a directory:

sonar analyze secrets src/

Scan stdin:

cat .env | sonar analyze secrets --stdin

Surface low-confidence matches for evaluation:

sonar analyze secrets src/ --disable-entropy-filter --disable-test-file-detection

`sonar analyze secrets allowlist`

Maintain a persistent list of known secrets that the scanner should ignore. Entries are stored as SHA-256 hashes on disk; the file lives next to the CLI binary by default and can be relocated via the SONAR_SECRETS_CACHE_DIR environment variable.

Subcommand

Description

allowlist add [--key <key>]

Add a secret interactively or via stdin. The optional --key flag provides a human-readable identifier ([0-9a-zA-Z_-]).

allowlist remove

Remove an entry by its key.

allowlist show

List all allowlisted keys.

allowlist clear

Remove all entries from the allowlist.

Examples:

sonar analyze secrets allowlist add --key test-fixture-aws
sonar analyze secrets allowlist show
sonar analyze secrets allowlist remove
sonar analyze secrets allowlist clear

Custom secret rules from SonarQube Server

When the SonarQube CLI is authenticated, sonar analyze secrets automatically downloads and executes custom secret rules (instances of rule template S6784) defined on the connected SonarQube Server instance. Rules are cached locally and refreshed on each run. If the download fails, the SonarQube CLI falls back to a stale cache with a warning. No CLI flag is required. Custom secret rules are not yet available on SonarQube Cloud; support is planned.

`sonar analyze agentic`

Run server-side SonarQube Agentic Analysis on local changes (SonarQube Cloud only). Limitations apply; see Agentic Analysis on sonarsource.com.

Options:

Option

Type

Required

Description

Default

--file

string

Analyze a single file (skips change-set detection).

--staged

boolean

Analyze staged files only (git diff --cached).

--base

string

Analyze files changed vs a branch or ref (e.g. main).

--branch

string

Branch name for analysis context.

--project, -p

string

SonarQube Cloud project key (overrides auto-detected project).

--force

boolean

Skip the large change-set confirmation prompt.

--format

string

Output format (text, json).

text

Note: The CLI prompts for confirmation when the change set exceeds 50 files. Pass --force to skip the prompt, or use --format json (which suppresses the prompt automatically).

Exit behavior: exits with code 51 when issues are reported. See Exit codes.

Examples:

sonar analyze agentic                       # local change set
sonar analyze agentic --file src/app.ts     # single file
sonar analyze agentic --staged              # staged files only
sonar analyze agentic --base main           # changes vs main

`sonar analyze dependency-risks`

Run Software Composition Analysis (SCA) against the project's dependencies and report unresolved dependency risks (vulnerabilities, malware, and prohibited licenses). Requires SonarQube Advanced Security with SCA enabled on the project (SonarQube Cloud, or SonarQube Server 2026.4+). For the full workflow, see Software Composition Analysis (SCA).

Options:

Option

Type

Required

Description

Default

--project, -p

string

Yes

Project key.

--format

string

Output format (table, json).

table

--statuses

string

Filter by status. Accepts presets (active → NEW,OPEN,CONFIRM; to_fix → NEW,OPEN,CONFIRM,ACCEPT; all → NEW,OPEN,CONFIRM,ACCEPT,SAFE,FIXED) and raw statuses (NEW, OPEN, CONFIRM, ACCEPT, SAFE, FIXED). Comma-separated; case-insensitive; result is the union of every token.

active

Exit behavior: exits with code 51 when unresolved risks are found, 1 on analysis errors, 0 otherwise. See Exit codes.

Note: First run downloads a scanner binary. SonarQube CLI fetches the sca-scanner-cli binary from binaries.sonarsource.com and caches it under ~/.sonar/sonarqube-cli/bin/. Subsequent runs reuse the cached binary.

Examples:

sonar analyze dependency-risks -p my-project                          # active risks, table output
sonar analyze dependency-risks -p my-project --format json            # JSON for agents and scripts
sonar analyze dependency-risks -p my-project --statuses to_fix        # only what needs fixing
sonar analyze dependency-risks -p my-project --statuses all           # include accepted and safe

`sonar verify` (deprecated)

Warning: Deprecated. sonar verify runs Agentic Analysis only and prints a deprecation warning. Use sonar analyze (secrets + agentic) or sonar analyze agentic instead.

Accepts the same options as sonar analyze agentic.

Examples:

sonar verify --staged   # prefer: sonar analyze agentic --staged

`sonar remediate`

Trigger AI-agent remediation for eligible issues (SonarQube Cloud only). Eligibility is determined server-side: only issues the SonarQube remediation agent can fix are surfaced.

Options:

Option

Type

Required

Description

Default

--project, -p

string

SonarQube Cloud project key (overrides auto-detected project).

--issues

string

Comma-separated issue keys to remediate non-interactively (max 20). Required when stdin is not a TTY.

Examples:

Pick issues interactively:

sonar remediate -p my-project

Non-interactively remediate specific issues (suitable for scripts):

sonar remediate -p my-project --issues issue-key-1,issue-key-2

Information

`sonar list issues`

Search for issues in a SonarQube project.

Options:

Option

Type

Required

Description

Default

--project, -p

string

Yes

Project key.

--statuses

string

Filter by status (comma-separated list of: OPEN, CONFIRMED, FALSE_POSITIVE, ACCEPTED, FIXED).

--severities

string

Filter by severity (comma-separated list of: INFO, MINOR, MAJOR, CRITICAL, BLOCKER).

--format

string

Output format (json, toon, table, csv); see Output formats.

json

--branch

string

Branch name.

--pull-request

string

Pull request ID.

--page-size

number

Page size (1-500).

500

--page

number

Page number.

1

Examples:

sonar analyze secrets src/config.ts

Scan multiple files for hardcoded secrets.

sonar analyze secrets src/file1.ts src/file2.ts

Scan stdin for hardcoded secrets.

cat .env | sonar analyze secrets --stdin

`sonar list projects`

Search for projects the active token can access.

Options:

Option

Type

Required

Description

Default

--query, -q

string

Search query to filter projects by name or key.

--page

number

Page number.

1

--page-size

number

Page size (1-500).

500

Output is always JSON. Pipe through jq if you need to transform it.

Examples:

sonar list projects
sonar list projects -q my-project
sonar list projects --page 2 --page-size 50

`sonar api`

Make authenticated requests to any SonarQube Web API endpoint. Useful for advanced workflows that aren't covered by other commands.

Arguments:

Argument

Description

<method>

HTTP method (get, post, patch, put, delete).

<endpoint>

API endpoint path. Must start with / and can contain query parameters.

Options:

Option

Type

Required

Description

Default

--data, -d

string

JSON string for the request body. See request body encoding below.

--verbose, -v

boolean

Print request and response details for debugging.

Note: Request body encoding. The CLI picks an encoding based on the endpoint path:
Endpoints starting with /api/v2/, or endpoints that don't start with /api/, receive a JSON body (Content-Type: application/json).
All other endpoints (the SonarQube Web API v1, paths under /api/) receive URL-encoded form data (Content-Type: application/x-www-form-urlencoded).
This matches what each Web API endpoint expects. You don't need to override it.

Examples:

List favorite projects:

sonar api get "/api/favorites/search"

Search for rules in an organization:

sonar api get "/api/rules/search?organization=my-org&languages=ts"

Generate a new user token:

sonar api post "/api/user_tokens/generate" --data '{"name":"my-new-token"}'

Accept an issue:

sonar api post "/api/issues/do_transition" --data '{"issue":"AYx1z2","transition":"accept"}'

Debug a request:

sonar api get "/api/system/status" --verbose

Get the current analysis engine JAR info (V2 API):

sonar api get "/analysis/engine"

Revoke a user token:

sonar api post "/api/user_tokens/revoke" --data '{"name":"my-token"}'

Configuration

`sonar config telemetry`

Enable or disable the collection of anonymous usage statistics and crash reports. See Telemetry and privacy for what's collected.

Options:

Option

Type

Required

Description

Default

--enabled

boolean

Enable collection of anonymous usage statistics.

--disabled

boolean

Disable collection of anonymous usage statistics.

Examples:

sonar config telemetry --enabled
sonar config telemetry --disabled

Maintenance

`sonar self-update`

Update the CLI to the latest version. Re-uses the install script that put sonar on your system; your saved state and credentials are preserved. See Updating the CLI for details.

Options:

Option

Type

Required

Description

Default

--status

boolean

Check for a newer version without installing.

--force

boolean

Install the latest version even if already up to date.

Examples:

sonar self-update
sonar self-update --status
sonar self-update --force

PreviousQuickstart guide NextEnvironment variables

Last updated 5 days ago

Was this helpful?

Good afternoon

Commands at a glance

sonar auth

sonar auth login

sonar auth logout

sonar auth status

sonar integrate

sonar integrate claude

sonar integrate copilot

sonar integrate codex

sonar integrate git

Analysis

sonar analyze

sonar analyze secrets

sonar analyze secrets allowlist

Custom secret rules from SonarQube Server

sonar analyze agentic

sonar analyze dependency-risks

sonar verify (deprecated)

sonar remediate

Information

sonar list issues

sonar list projects

sonar api

Configuration

sonar config telemetry

Maintenance

sonar self-update

Related pages

`sonar auth`

`sonar auth login`

`sonar auth logout`

`sonar auth status`

`sonar integrate`

`sonar integrate claude`

`sonar integrate copilot`

`sonar integrate codex`

`sonar integrate git`

`sonar analyze`

`sonar analyze secrets`

`sonar analyze secrets allowlist`

`sonar analyze agentic`

`sonar analyze dependency-risks`

`sonar verify` (deprecated)

`sonar remediate`

`sonar list issues`

`sonar list projects`

`sonar api`

`sonar config telemetry`

`sonar self-update`