# Commands reference

> **Warning:** This product is in Beta stage and we may release breaking changes.

This page documents every SonarQube CLI command. Find the full SonarQube CLI command reference, including options and examples, at [cli.sonarqube.com](https://cli.sonarqube.com/). A machine-readable version of the command reference is also available as JSON at [cli.sonarqube.com/data/commands.json](https://cli.sonarqube.com/data/commands.json).

Each entry includes a description, the arguments and options it accepts (with types, defaults, and whether they are required), and runnable examples.

For longer-form guides on *how* to use these commands, see the [Integrations overview](/sonarqube-developer-tools/sonarqube-cli/integrations/integrations.md), the [Analysis overview](/sonarqube-developer-tools/sonarqube-cli/analysis/analysis.md), and the [Administration overview](/sonarqube-developer-tools/sonarqube-cli/administration/administration.md).

## Commands at a glance

| Group              | Commands                                                                                       |
| ------------------ | ---------------------------------------------------------------------------------------------- |
| **Authentication** | `sonar auth login`, `logout`, `status`                                                         |
| **Integrations**   | `sonar integrate claude`, `copilot`, `codex`, `git`                                            |
| **Analysis**       | `sonar analyze`, `analyze secrets`, `analyze agentic`, `analyze dependency-risks`, `remediate` |
| **Information**    | `sonar list issues`, `list projects`, `api`                                                    |
| **Configuration**  | `sonar config telemetry`                                                                       |
| **Maintenance**    | `sonar self-update`                                                                            |

| Command             | Description                                                                                                                                        |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sonar auth`        | Manage authentication tokens and credentials.                                                                                                      |
| `sonar api`         | Make authenticated API requests to SonarQube.                                                                                                      |
| `sonar integrate`   | Set up SonarQube integration for AI coding agents, git, and others.                                                                                |
| `sonar list`        | List issues and projects from SonarQube.                                                                                                           |
| `sonar remediate`   | Trigger AI agent remediation for eligible issues (SonarQube Cloud only).                                                                           |
| `sonar analyze`     | Run secrets scanning and Agentic Analysis on the local change set (default when no subcommand is given); subcommands cover SCA and targeted scans. |
| `sonar verify`      | **Deprecated.** Agentic Analysis only. Use `sonar analyze` or `sonar analyze agentic` instead.                                                     |
| `sonar config`      | Configure CLI settings.                                                                                                                            |
| `sonar self-update` | Update sonar CLI to the latest version.                                                                                                            |

***

## `sonar auth`

Manage authentication tokens and credentials.

### `sonar auth login`

Authenticate via browser and save credentials in the system keychain. Must be run manually; AI agents cannot complete this flow. For CI/CD and automation, use [environment variables](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/environment-variables.md) instead.

**Options:**

| Option           | Type   | Required | Description                                                                                                                                                                                                                          | Default |
| ---------------- | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
| `--server`, `-s` | string | No       | Your SonarQube Server URL, SonarQube Cloud EU (`https://sonarcloud.io`), or SonarQube Cloud US (`https://sonarqube.us`). When omitted, the CLI prompts you to choose server and region.                                              | -       |
| `--org`, `-o`    | string | No       | Your SonarQube Cloud organization key. If omitted when authenticating to SonarQube Cloud, the CLI auto-selects your organization when you belong to exactly one, or prompts you to choose when you belong to multiple organizations. | -       |

**Examples:**

Interactive login (prompts for server type, region, and organization):

```bash
sonar auth login
```

Interactive login with a pre-selected server (skips the server and region prompts):

```bash
# SonarQube Server (self-hosted)
sonar auth login --server <YourSonarQubeServerURL>
# Also works with SonarCloud EU or US region URLs
sonar auth login --server "https://sonarcloud.io"
sonar auth login --server "https://sonarqube.us"
```

For CI/CD pipelines and headless environments, use [environment variables](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/environment-variables.md) instead of `sonar auth login`.

***

### `sonar auth logout`

Remove the active connection token from the keychain. When the token was created via the interactive browser flow, the CLI also attempts to revoke it server-side on a best-effort basis.

**Examples:**

```bash
sonar auth logout
```

***

### `sonar auth status`

Show the active authentication connection and verify the token against the server.

**Examples:**

```bash
sonar auth status
```

***

## `sonar integrate`

For step-by-step setup guides, see the [Integrations overview](/sonarqube-developer-tools/sonarqube-cli/integrations/integrations.md).

### `sonar integrate claude`

Set up the SonarQube integration for Claude Code. Installs secrets-scanning hooks and configures the SonarQube MCP server, SonarQube Agentic Analysis, and Context Augmentation (on SonarQube Cloud).

**Options:**

| Option              | Type    | Required | Description                                                                    | Default |
| ------------------- | ------- | -------- | ------------------------------------------------------------------------------ | ------- |
| `--project`, `-p`   | string  | No       | Project key. Ignored when `--global` is used.                                  | -       |
| `--non-interactive` | boolean | No       | Non-interactive mode (no prompts).                                             | -       |
| `--global`, `-g`    | boolean | No       | Install hooks and config globally to `~/.claude` instead of project directory. | -       |
| `--skip-context`    | boolean | No       | Skip the Context Augmentation install and skill setup.                         | -       |

**Examples:**

```bash
sonar integrate claude -p my-project
sonar integrate claude -g
sonar integrate claude -p my-project --skip-context
```

***

### `sonar integrate copilot`

Set up the SonarQube integration for GitHub Copilot. Installs secrets-scanning hooks and configures the SonarQube MCP server, SonarQube Agentic Analysis, and Context Augmentation (on SonarQube Cloud).

**Options:**

| Option            | Type    | Required | Description                                                                     | Default |
| ----------------- | ------- | -------- | ------------------------------------------------------------------------------- | ------- |
| `--global`, `-g`  | boolean | No       | Install hooks and config globally to `~/.copilot` instead of project directory. | -       |
| `--project`, `-p` | string  | No       | Project key. Mutually exclusive with `--global`.                                | -       |
| `--skip-context`  | boolean | No       | Skip the Context Augmentation install and skill setup.                          | -       |

**Examples:**

```bash
sonar integrate copilot -p my-project
sonar integrate copilot -g
sonar integrate copilot -p my-project --skip-context
```

***

### `sonar integrate codex`

Set up the SonarQube integration for OpenAI Codex. Installs a `UserPromptSubmit` secrets hook, MCP configuration, and (on SonarQube Cloud, when entitled) Agentic Analysis instructions and Context Augmentation. See [OpenAI Codex](/sonarqube-developer-tools/sonarqube-cli/integrations/codex.md).

**Options:**

| Option            | Type    | Required | Description                                                                  | Default |
| ----------------- | ------- | -------- | ---------------------------------------------------------------------------- | ------- |
| `--project`, `-p` | string  | No       | Project key. Mutually exclusive with `--global`.                             | -       |
| `--global`, `-g`  | boolean | No       | Install hook and config globally to `~/.codex` instead of project directory. | -       |
| `--skip-context`  | boolean | No       | Skip Context Augmentation install and skill setup.                           | -       |

**Examples:**

```bash
sonar integrate codex -p my-project
sonar integrate codex -g
```

***

### `sonar integrate git`

Install a Git hook that scans staged files (`pre-commit`) or unpushed commits (`pre-push`) for secrets.

**Options:**

| Option              | Type    | Required | Description                                                                                       | Default |
| ------------------- | ------- | -------- | ------------------------------------------------------------------------------------------------- | ------- |
| `--hook`            | string  | No       | Hook to install: `pre-commit` (scan staged files) or `pre-push` (scan files in unpushed commits). | -       |
| `--force`           | boolean | No       | Overwrite an existing hook if it is not from `sonar integrate git`.                               | -       |
| `--non-interactive` | boolean | No       | Non-interactive mode (no prompts).                                                                | -       |
| `--global`          | boolean | No       | Install hook globally for all repositories (sets `git config --global core.hooksPath`).           | -       |

**Examples:**

```bash
sonar integrate git
sonar integrate git --hook pre-push
sonar integrate git --global
sonar integrate git --hook pre-push --global --non-interactive
```
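
Added example, not part of the SonarQube CLI: once `core.hooksPath` is set (as `--global` does), git takes hooks from that directory for every repository and no longer runs the ones in a repository's own `.git/hooks`, and it skips any hook file that is not executable. The script below reports whether the chosen hook is active in the directory git actually uses and lists repository-local hooks that are no longer run; the function names are this example's, and it assumes the hook file carries the standard git hook name (`pre-commit` or `pre-push`).

```shell
#!/bin/sh
# Added example, not SonarQube code: audit the hooks directory git really uses.

# canonical_dir <dir>: absolute, symlink-resolved path; prints nothing if absent.
canonical_dir() {
  if [ -d "$1" ]; then (cd "$1" && pwd -P); fi
}

# hook_state <hooks_dir> <hook_name>: prints active | not-executable | missing.
# Git does not run a hook file that lacks the executable bit.
hook_state() {
  if [ ! -f "$1/$2" ]; then
    echo "missing"
  elif [ ! -x "$1/$2" ]; then
    echo "not-executable"
  else
    echo "active"
  fi
}

# shadowed_hooks <effective_hooks_dir> <repo_hooks_dir>: prints the names of
# executable repository-local hooks that git ignores because the effective
# hooks directory is somewhere else. The *.sample templates are skipped.
shadowed_hooks() {
  eff="$(canonical_dir "$1")"
  loc="$(canonical_dir "$2")"
  [ -n "$loc" ] || return 0
  [ "$eff" != "$loc" ] || return 0
  for f in "$loc"/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    case "$f" in *.sample) continue ;; esac
    basename "$f"
  done
}

# audit_repo <repo_path> <hook_name>: ask git where hooks are loaded from
# (this honours core.hooksPath) and report on that directory.
audit_repo() {
  eff_dir="$(cd "$1" && git rev-parse --git-path hooks)" || return 1
  loc_dir="$(cd "$1" && git rev-parse --git-common-dir)/hooks" || return 1
  # git prints these paths relative to the directory it ran in unless absolute
  case "$eff_dir" in /*) ;; *) eff_dir="$1/$eff_dir" ;; esac
  case "$loc_dir" in /*) ;; *) loc_dir="$1/$loc_dir" ;; esac
  echo "hooks dir: $eff_dir"
  echo "$2: $(hook_state "$eff_dir" "$2")"
  shadowed_hooks "$eff_dir" "$loc_dir" | sed 's/^/shadowed repo hook: /'
}
```

Run `audit_repo . pre-commit` (or `pre-push`) inside a repository after installing the hook.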

***

## Analysis

### `sonar analyze`

Run every analysis the CLI supports on your local change set: secrets scanning first, then Agentic Analysis (SonarQube Cloud only). This is the recommended command before a commit or pull request. See [Analyzing local changes](/sonarqube-developer-tools/sonarqube-cli/analysis/analyzing-local-changes.md).

**Options:**

| Option     | Type    | Required | Description                                             | Default |
| ---------- | ------- | -------- | ------------------------------------------------------- | ------- |
| `--file`   | string  | No       | Analyze a single file (skips change-set detection).     | -       |
| `--staged` | boolean | No       | Analyze staged files only (`git diff --cached`).        | -       |
| `--base`   | string  | No       | Analyze files changed vs a branch or ref (e.g. `main`). | -       |
| `--force`  | boolean | No       | Skip the large change-set confirmation prompt.          | -       |
| `--format` | string  | No       | Output format (`text`, `json`).                         | `text`  |

> **Note:** `--branch` and `--project` are available on `sonar analyze agentic` but not on the bare `sonar analyze` command. Use `sonar analyze agentic` when you need those options.

**Examples:**

```bash
sonar analyze
sonar analyze --staged
sonar analyze --base main --format json
```

***

### `sonar analyze secrets`

Scan files or standard input for hardcoded secrets.

**Arguments:**

| Argument   | Description                                  |
| ---------- | -------------------------------------------- |
| `[paths…]` | File or directory paths to scan for secrets. |

**Options:**

| Option                          | Type    | Required | Description                                                                                                                                                                                                                                         | Default |
| ------------------------------- | ------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `--stdin`                       | boolean | No       | Read from standard input instead of paths.                                                                                                                                                                                                          | -       |
| `--disable-entropy-filter`      | boolean | No       | Report low-entropy matches (e.g. placeholder or example secrets) that would normally be silently dropped. Reported as low-confidence, with the filter name appended to the issue message.                                                           | `false` |
| `--disable-test-file-detection` | boolean | No       | Stop filtering out files automatically identified as test files. Findings in those files are reported as low-confidence, with the filter name appended to the issue message. Has no effect on files explicitly declared as tests via `sonar.tests`. | `false` |

**Exit behavior:** exits with code `51` when secrets are found, `0` when none are found. See [Exit codes](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/exit-codes.md).

**Examples:**

Scan a file:

```bash
sonar analyze secrets src/config.ts
```

Scan a directory:

```bash
sonar analyze secrets src/
```

Scan stdin:

```bash
cat .env | sonar analyze secrets --stdin
```

Surface low-confidence matches for evaluation:

```bash
sonar analyze secrets src/ --disable-entropy-filter --disable-test-file-detection
```

#### `sonar analyze secrets allowlist`

Maintain a persistent list of known secrets that the scanner should ignore. Entries are stored as SHA-256 hashes on disk; the file lives next to the CLI binary by default and can be relocated via the `SONAR_SECRETS_CACHE_DIR` environment variable.

| Subcommand                    | Description                                                                                                                |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `allowlist add [--key <key>]` | Add a secret interactively or via stdin. The optional `--key` flag provides a human-readable identifier (`[0-9a-zA-Z_-]`). |
| `allowlist remove`            | Remove an entry by its key.                                                                                                |
| `allowlist show`              | List all allowlisted keys.                                                                                                 |
| `allowlist clear`             | Remove all entries from the allowlist.                                                                                     |

**Examples:**

```bash
sonar analyze secrets allowlist add --key test-fixture-aws
sonar analyze secrets allowlist show
sonar analyze secrets allowlist remove
sonar analyze secrets allowlist clear
```

#### Custom secret rules from SonarQube Server

When the SonarQube CLI is authenticated, `sonar analyze secrets` automatically downloads and executes custom secret rules (instances of rule template **S6784**) defined on the connected SonarQube Server instance. Rules are cached locally and refreshed on each run. If the download fails, the SonarQube CLI falls back to a stale cache with a warning. No CLI flag is required. Custom secret rules are not yet available on SonarQube Cloud; support is planned.

***

### `sonar analyze agentic`

Run server-side SonarQube [Agentic Analysis](https://docs.sonarsource.com/agent-centric-development-cycle/features/agentic-analysis) on local changes (SonarQube Cloud only). Limitations apply; see [Agentic Analysis on sonarsource.com](https://www.sonarsource.com/products/sonarqube/agentic-analysis/).

**Options:**

| Option            | Type    | Required | Description                                                    | Default |
| ----------------- | ------- | -------- | -------------------------------------------------------------- | ------- |
| `--file`          | string  | No       | Analyze a single file (skips change-set detection).            | -       |
| `--staged`        | boolean | No       | Analyze staged files only (`git diff --cached`).               | -       |
| `--base`          | string  | No       | Analyze files changed vs a branch or ref (e.g. `main`).        | -       |
| `--branch`        | string  | No       | Branch name for analysis context.                              | -       |
| `--project`, `-p` | string  | No       | SonarQube Cloud project key (overrides auto-detected project). | -       |
| `--force`         | boolean | No       | Skip the large change-set confirmation prompt.                 | -       |
| `--format`        | string  | No       | Output format (`text`, `json`).                                | `text`  |

> **Note:** The CLI prompts for confirmation when the change set exceeds 50 files. Pass `--force` to skip the prompt, or use `--format json` (which suppresses the prompt automatically).

**Exit behavior:** exits with code `51` when issues are reported. See [Exit codes](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/exit-codes.md).

**Examples:**

```bash
sonar analyze agentic                       # local change set
sonar analyze agentic --file src/app.ts     # single file
sonar analyze agentic --staged              # staged files only
sonar analyze agentic --base main           # changes vs main
```

***

### `sonar analyze dependency-risks`

Run Software Composition Analysis (SCA) against the project's dependencies and report unresolved dependency risks (vulnerabilities, malware, and prohibited licenses). Requires SonarQube Advanced Security with SCA enabled on the project (SonarQube Cloud, or SonarQube Server 2026.4+). For the full workflow, see [Software Composition Analysis (SCA)](/sonarqube-developer-tools/sonarqube-cli/analysis/sca.md).

**Options:**

| Option            | Type   | Required | Description                                                                                                                                                                                                                                                                                          | Default  |
| ----------------- | ------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
| `--project`, `-p` | string | Yes      | Project key.                                                                                                                                                                                                                                                                                         | -        |
| `--format`        | string | No       | Output format (`table`, `json`).                                                                                                                                                                                                                                                                     | `table`  |
| `--statuses`      | string | No       | Filter by status. Accepts presets (`active` → `NEW,OPEN,CONFIRM`; `to_fix` → `NEW,OPEN,CONFIRM,ACCEPT`; `all` → `NEW,OPEN,CONFIRM,ACCEPT,SAFE,FIXED`) and raw statuses (`NEW`, `OPEN`, `CONFIRM`, `ACCEPT`, `SAFE`, `FIXED`). Comma-separated; case-insensitive; result is the union of every token. | `active` |

**Exit behavior:** exits with code `51` when unresolved risks are found, `1` on analysis errors, `0` otherwise. See [Exit codes](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/exit-codes.md).

> **Note:** **First run downloads a scanner binary.** SonarQube CLI fetches the `sca-scanner-cli` binary from `binaries.sonarsource.com` and caches it under `~/.sonar/sonarqube-cli/bin/`. Subsequent runs reuse the cached binary.

**Examples:**

```bash
sonar analyze dependency-risks -p my-project                          # active risks, table output
sonar analyze dependency-risks -p my-project --format json            # JSON for agents and scripts
sonar analyze dependency-risks -p my-project --statuses to_fix        # only what needs fixing
sonar analyze dependency-risks -p my-project --statuses all           # include accepted and safe
```
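
Added example, not from the SonarQube documentation: a fail-closed CI gate over the exit codes documented for `sonar analyze secrets`, `sonar analyze agentic` and `sonar analyze dependency-risks` (`0`, `51`, and `1` on analysis errors), so that a scan that crashed or never ran is not mistaken for a clean one. The function names, the `sca-report.json` file name and the return code `2` for an incomplete scan are choices made for this example.

```shell
#!/bin/sh
# Added example, not SonarQube code: fail-closed CI gate built on the exit
# codes documented on this page (0 = clean, 51 = findings, 1 = analysis error).

# classify_sonar_exit <code>: map an exit code to a gate verdict.
# Anything other than 0 or 51 (analysis error, missing binary, signal) is
# "error", so an incomplete scan never counts as a pass.
classify_sonar_exit() {
  case "$1" in
    0)  echo "pass" ;;
    51) echo "findings" ;;
    *)  echo "error" ;;
  esac
}

# sonar_gate <label> <command> [args...]: run one scan and return
#   0 = clean, 51 = findings reported, 2 = scan did not complete.
# Diagnostics go to stderr so stdout stays usable for --format json output.
sonar_gate() {
  gate_label="$1"; shift
  gate_rc=0
  "$@" || gate_rc=$?
  case "$(classify_sonar_exit "$gate_rc")" in
    pass)
      echo "[$gate_label] clean" >&2
      return 0 ;;
    findings)
      echo "[$gate_label] findings reported (exit 51), blocking" >&2
      return 51 ;;
    *)
      echo "[$gate_label] scan did not complete (exit $gate_rc), blocking" >&2
      return 2 ;;
  esac
}

# run_pre_merge_gates <project-key> <path>: run both scans even when the first
# one blocks, keep the JSON report as a build artifact, and return the worst
# result (2 outranks 51, which outranks 0).
run_pre_merge_gates() {
  worst=0
  sonar_gate secrets sonar analyze secrets "$2" || worst=$?
  sonar_gate sca sonar analyze dependency-risks -p "$1" --format json \
    > sca-report.json || { sca_rc=$?; [ "$worst" -eq 2 ] || worst=$sca_rc; }
  return "$worst"
}
```

Call `run_pre_merge_gates my-project src/` from the pipeline step and let its return code fail the job.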

***

### `sonar verify` (deprecated)

> **Warning:** **Deprecated.** `sonar verify` runs Agentic Analysis only and prints a deprecation warning. Use [`sonar analyze`](#sonar-analyze) (secrets + agentic) or [`sonar analyze agentic`](#sonar-analyze-agentic) instead.

Accepts the same options as `sonar analyze agentic`.

**Examples:**

```bash
sonar verify --staged   # prefer: sonar analyze agentic --staged
```

***

### `sonar remediate`

Trigger AI-agent remediation for eligible issues (SonarQube Cloud only). Eligibility is determined server-side: only issues the SonarQube remediation agent can fix are surfaced.

**Options:**

| Option            | Type   | Required | Description                                                                                           | Default |
| ----------------- | ------ | -------- | ----------------------------------------------------------------------------------------------------- | ------- |
| `--project`, `-p` | string | No       | SonarQube Cloud project key (overrides auto-detected project).                                        | -       |
| `--issues`        | string | No       | Comma-separated issue keys to remediate non-interactively (max 20). Required when stdin is not a TTY. | -       |

**Examples:**

Pick issues interactively:

```bash
sonar remediate -p my-project
```

Non-interactively remediate specific issues (suitable for scripts):

```bash
sonar remediate -p my-project --issues issue-key-1,issue-key-2
```

***

## Information

### `sonar list issues`

Search for issues in a SonarQube project.

**Options:**

| Option            | Type   | Required | Description                                                                                                                                           | Default |
| ----------------- | ------ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `--project`, `-p` | string | Yes      | Project key.                                                                                                                                          | -       |
| `--statuses`      | string | No       | Filter by status (comma-separated list of: `OPEN`, `CONFIRMED`, `FALSE_POSITIVE`, `ACCEPTED`, `FIXED`).                                               | -       |
| `--severities`    | string | No       | Filter by severity (comma-separated list of: `INFO`, `MINOR`, `MAJOR`, `CRITICAL`, `BLOCKER`).                                                        | -       |
| `--format`        | string | No       | Output format (`json`, `toon`, `table`, `csv`); see [Output formats](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/output-formats.md). | `json`  |
| `--branch`        | string | No       | Branch name.                                                                                                                                          | -       |
| `--pull-request`  | string | No       | Pull request ID.                                                                                                                                      | -       |
| `--page-size`     | number | No       | Page size (1-500).                                                                                                                                    | `500`   |
| `--page`          | number | No       | Page number.                                                                                                                                          | `1`     |

**Examples:**

```bash
sonar list issues -p my-project
```

Filter by severity and status:

```bash
sonar list issues -p my-project --severities CRITICAL,BLOCKER --statuses OPEN,CONFIRMED
```

List the issues on a pull request as a table:

```bash
sonar list issues -p my-project --pull-request <PullRequestID> --format table
```

***

### `sonar list projects`

Search for projects the active token can access.

**Options:**

| Option          | Type   | Required | Description                                     | Default |
| --------------- | ------ | -------- | ----------------------------------------------- | ------- |
| `--query`, `-q` | string | No       | Search query to filter projects by name or key. | -       |
| `--page`        | number | No       | Page number.                                    | `1`     |
| `--page-size`   | number | No       | Page size (1-500).                              | `500`   |

Output is always JSON. Pipe through `jq` if you need to transform it.

**Examples:**

```bash
sonar list projects
sonar list projects -q my-project
sonar list projects --page 2 --page-size 50
```

***

### `sonar api`

Make authenticated requests to any SonarQube Web API endpoint. Useful for advanced workflows that aren't covered by other commands.

**Arguments:**

| Argument     | Description                                                              |
| ------------ | ------------------------------------------------------------------------ |
| `<method>`   | HTTP method (`get`, `post`, `patch`, `put`, `delete`).                   |
| `<endpoint>` | API endpoint path. Must start with `/` and can contain query parameters. |

**Options:**

| Option            | Type    | Required | Description                                                        | Default |
| ----------------- | ------- | -------- | ------------------------------------------------------------------ | ------- |
| `--data`, `-d`    | string  | No       | JSON string for the request body. See request body encoding below. | -       |
| `--verbose`, `-v` | boolean | No       | Print request and response details for debugging.                  | -       |

> **Note:** **Request body encoding.** The CLI picks an encoding based on the endpoint path:
>
> * Endpoints starting with `/api/v2/`, or endpoints that don't start with `/api/`, receive a JSON body (`Content-Type: application/json`).
> * All other endpoints (the SonarQube Web API v1, paths under `/api/`) receive URL-encoded form data (`Content-Type: application/x-www-form-urlencoded`).
>
> This matches what each Web API endpoint expects. You don't need to override it.

**Examples:**

List favorite projects:

```bash
sonar api get "/api/favorites/search"
```

Search for rules in an organization:

```bash
sonar api get "/api/rules/search?organization=my-org&languages=ts"
```

Generate a new user token:

```bash
sonar api post "/api/user_tokens/generate" --data '{"name":"my-new-token"}'
```

Accept an issue:

```bash
sonar api post "/api/issues/do_transition" --data '{"issue":"AYx1z2","transition":"accept"}'
```

Debug a request:

```bash
sonar api get "/api/system/status" --verbose
```

Get the current analysis engine JAR info (V2 API):

```bash
sonar api get "/analysis/engine"
```

Revoke a user token:

```bash
sonar api post "/api/user_tokens/revoke" --data '{"name":"my-token"}'
```

***

## Configuration

### `sonar config telemetry`

Enable or disable the collection of anonymous usage statistics and crash reports. See [Telemetry and privacy](/sonarqube-developer-tools/sonarqube-cli/administration/telemetry-and-privacy.md) for what's collected.

**Options:**

| Option       | Type    | Required | Description                                       | Default |
| ------------ | ------- | -------- | ------------------------------------------------- | ------- |
| `--enabled`  | boolean | No       | Enable collection of anonymous usage statistics.  | -       |
| `--disabled` | boolean | No       | Disable collection of anonymous usage statistics. | -       |

**Examples:**

```bash
sonar config telemetry --enabled
sonar config telemetry --disabled
```

***

## Maintenance

### `sonar self-update`

Update the CLI to the latest version. Re-uses the install script that put `sonar` on your system; your saved state and credentials are preserved. See [Updating the CLI](/sonarqube-developer-tools/sonarqube-cli/administration/self-update.md) for details.

**Options:**

| Option     | Type    | Required | Description                                            | Default |
| ---------- | ------- | -------- | ------------------------------------------------------ | ------- |
| `--status` | boolean | No       | Check for a newer version without installing.          | -       |
| `--force`  | boolean | No       | Install the latest version even if already up to date. | -       |

**Examples:**

```bash
sonar self-update
sonar self-update --status
sonar self-update --force
```

## Related pages

* [Environment variables](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/environment-variables.md)
* [Output formats](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/output-formats.md)
* [Exit codes](/sonarqube-developer-tools/sonarqube-cli/using-sonarqube-cli/exit-codes.md)


