BetaDeveloper

Environment variables

Configure the SonarQube CLI non-interactively for CI/CD pipelines, container builds, and headless environments.

Warning: This product is in Beta stage and we may release breaking changes.

Use environment variables to configure the SonarQube CLI without running sonar auth login—the recommended approach for CI/CD pipelines, container images, AI agent runners, and other headless environments.

Warning: WSL users: sonar auth login relies on system keychain access, which is not available in WSL. Use the variables below to authenticate instead.

Authentication

Set these variables to supply credentials directly. When the CLI finds a valid combination, it uses them immediately and ignores any saved connection from sonar auth login.

Variable

Description

Default

SONARQUBE_CLI_TOKEN

Your user token. Required for environment variable authentication.

SONARQUBE_CLI_ORG

Your SonarQube Cloud organization key. Use together with SONARQUBE_CLI_TOKEN to authenticate with SonarQube Cloud.

SONARQUBE_CLI_SERVER

Your server URL. Use together with SONARQUBE_CLI_TOKEN to authenticate with SonarQube Server. For SonarQube Cloud, use together with SONARQUBE_CLI_ORG and set to https://sonarcloud.io (EU region) or https://sonarqube.us (US region).

https://sonarcloud.io (when SONARQUBE_CLI_ORG is set)

SONARQUBE_CLI_TOKEN must be paired with either SONARQUBE_CLI_ORG or SONARQUBE_CLI_SERVER — or both — to connect:

SonarQube Cloud, EU region: SONARQUBE_CLI_TOKEN + SONARQUBE_CLI_ORG. SONARQUBE_CLI_SERVER defaults to https://sonarcloud.io.
SonarQube Cloud, US region: SONARQUBE_CLI_TOKEN + SONARQUBE_CLI_ORG + SONARQUBE_CLI_SERVER=https://sonarqube.us.
SonarQube Server: SONARQUBE_CLI_TOKEN + SONARQUBE_CLI_SERVER.

Warning: User tokens are required when authenticating your SonarQube CLI with SonarQube Cloud or SonarQube Server. The CLI won't function properly if project tokens, global tokens, or scoped organization tokens are used during setup.

Precedence

When the CLI resolves credentials, it applies the following order:

Environment variables, if a valid combination is set, win over everything else.
Saved connection from sonar auth login (token from the system keychain) is used otherwise.
If neither is available, the command fails with an authentication error.

If SONARQUBE_CLI_TOKEN is set but its required pair (SONARQUBE_CLI_ORG or SONARQUBE_CLI_SERVER) is missing, the CLI prints a warning and falls back to step 2.

Note: These variable names (SONARQUBE_CLI_*) are specific to the SonarQube CLI. The SonarQube MCP Server uses a different set (SONARQUBE_TOKEN, SONARQUBE_URL, SONARQUBE_ORG). They do not interfere with each other.

Secrets scanning

Variable

Description

Default

SONAR_SECRETS_CACHE_DIR

Directory where sonar analyze secrets stores the allowlist of known secrets (see Secrets scanning).

Next to the CLI binary

Examples

Authenticate in a shell

SonarQube Cloud, EU region:

export SONARQUBE_CLI_TOKEN=<YourUserToken>
export SONARQUBE_CLI_ORG=<YourOrganizationKey>
sonar list issues -p <YourProjectKey>

SonarQube Cloud, US region:

export SONARQUBE_CLI_TOKEN=<YourUserToken>
export SONARQUBE_CLI_ORG=<YourOrganizationKey>
export SONARQUBE_CLI_SERVER=https://sonarqube.us
sonar list issues -p <YourProjectKey>

SonarQube Server:

export SONARQUBE_CLI_TOKEN=<YourUserToken>
export SONARQUBE_CLI_SERVER=<YourSonarQubeServerURL>
sonar list issues -p <YourProjectKey>

SonarQube Cloud, EU region:

$env:SONARQUBE_CLI_TOKEN = "<YourUserToken>"
$env:SONARQUBE_CLI_ORG = "<YourOrganizationKey>"
sonar list issues -p <YourProjectKey>

SonarQube Server:

$env:SONARQUBE_CLI_TOKEN = "<YourUserToken>"
$env:SONARQUBE_CLI_SERVER = "<YourSonarQubeServerURL>"
sonar list issues -p <YourProjectKey>

These variables exist only for the current PowerShell session. To persist them across sessions, use setx or set them via System Properties > Environment Variables.

Use the CLI in a CI/CD pipeline

Store your token as a CI secret (SONARQUBE_TOKEN in the examples below) and inject it as SONARQUBE_CLI_TOKEN.

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install SonarQube CLI
        run: curl -o- https://raw.githubusercontent.com/SonarSource/sonarqube-cli/refs/heads/master/user-scripts/install.sh | bash
      - name: Scan for secrets
        env:
          SONARQUBE_CLI_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
          SONARQUBE_CLI_ORG: my-org
        run: |
          export PATH="$HOME/.local/share/sonarqube-cli/bin:$PATH"
          sonar analyze secrets .

sonar-secrets:
  image: ubuntu:latest
  variables:
    SONARQUBE_CLI_TOKEN: $SONARQUBE_TOKEN
    SONARQUBE_CLI_ORG: my-org
  before_script:
    - apt-get update && apt-get install -y curl
    - curl -o- https://raw.githubusercontent.com/SonarSource/sonarqube-cli/refs/heads/master/user-scripts/install.sh | bash
    - export PATH="$HOME/.local/share/sonarqube-cli/bin:$PATH"
  script:
    - sonar analyze secrets .

sonar analyze secrets exits with code 51 when a secret is found, which fails the job by default. See Exit codes for the full list.

PreviousCommands reference NextOutput formats

Last updated 12 days ago

Was this helpful?