SonarQube agent integrations
Made by Sonar
Automatically enforce SonarQube code quality and security in the agent coding loop — 7,000+ rules, secrets scanning, agentic analysis, and quality gates across 40+ languages.
SonarQube combines deterministic checks with AI-assisted workflows so quality rules apply consistently to code from both developers and agents. Where your stack supports it, analysis and secrets scanning can run inside the agent loop instead of only in CI.
What do the plugins include
The Plugin helps agents connect to SonarQube CLI and SonarQube MCP Server for issue detection, checking project metrics such as test coverage and duplications, fetch dependency risks, etc. Claude Code, Copilot CLI, Codex, and Antigravity (through SonarQube CLI) install agent hooks for secrets scanning and, when entitled, Agentic Analysis.
How to use: Run /sonarqube:sonar-integrate after installation to walk through setup — CLI installation, authentication, and wiring up the MCP Server and hooks. From there, use slash commands like /sonarqube:sonar-quality-gate to check quality gates or interact naturally with prompts like "analyze my code for issues," "show open SonarQube findings," or "check my coverage." With Agentic Analysis enabled, verification happens automatically after each edit with no manual invocation required.
Prerequisites
- A SonarQube account (SonarQube Cloud, Server, or Community Build). Some features (for example Agentic Analysis) depend on your SonarQube Cloud organization settings.
- SonarQube CLI (
sonar) on your machine.
- A container runtime (Docker, Podman, or Nerdctl) for the MCP server image.
Authenticate once with sonar auth login (browser flow; credentials stay in your OS keychain). The MCP server uses that login.
Check auth anytime:
sonar auth status
How plugins connect to SonarQube
Claude Code and GitHub Copilot CLI
SonarQube CLI can wire everything for you:
sonar integrate claude # Claude Code: MCP, hooks, secrets scanning, etc.
sonar integrate copilot # GitHub Copilot CLI: MCP, hooks, secrets scanning, etc.
sonar integrate codex # Codex: MCP, hooks, secrets scanning, Agentic Analysis hook
sonar integrate antigravity # Antigravity: hooks, instructions, CAG, MCP patch (after plugin install)
Run these after sonar auth login. Use the /sonarqube:sonar-integrate skill if you prefer a guided flow (install/update CLI, login, then integrate).
Other agents (Cursor, Kiro)
Each layout includes MCP configuration (for example mcp.json or kiro-power/mcp.json) that runs the mcp/sonarqube image and relies on SonarQube CLI for authentication—the same sonar auth login session.
Antigravity (two-step setup)
Antigravity uses two independent install surfaces. For full parity with Claude/Copilot you need both:
| Step | Command | What it installs |
|---|
| 1. Plugin bundle | agy plugin install <git-url|path> | Skills, agent rules (rules/sonarqube.md), MCP (mcp_config.json) |
| 2. CLI integrate | sonar integrate antigravity | Secrets hooks, Agentic Analysis instructions, Context Augmentation, MCP patch |
There is no @vendor marketplace install (for example sonarqube@sonar is not supported). Use a Git URL, archive, or local path.
Repository layout
| Agent | Location |
|---|
| Claude Code | .claude-plugin/, skills/, claude-hooks/, scripts/ |
| Cursor | .cursor-plugin/ (+ shared mcp.json) |
| GitHub Copilot CLI | .github/plugin/ (+ shared mcp.json) |
| Codex | .codex-plugin/ |
| Antigravity | plugin.json, mcp_config.json, rules/, shared skills/ |
| Gemini CLI (legacy) | gemini-extension.json, GEMINI.md |
| Kiro | kiro-power/ |
Usage
Skills are the same across agents. Ask in natural language, invoke skills explicitly, or use the SonarQube MCP tools your client shows after MCP starts.
MCP reference: SonarQube MCP Server docs.
Skills
Set up
/sonarqube:sonar-integrate
