By SonarSource
Review code against SonarQube quality and security standards during development: catch bugs, vulnerabilities, secrets, and code smells across 40+ languages. Automatically fix issues with minimal changes, check test coverage and duplication, and enforce quality gates before merging.
Analyze a file or code snippet for quality and security issues using SonarQube
Find files with low test coverage and inspect uncovered lines in a SonarQube project (project key optional when MCP integration already defines the default project)
Search for software composition analysis (SCA) dependency risks in a SonarQube project (project key optional when MCP integration already defines the default project)
Find files with code duplications in a SonarQube project and inspect duplication blocks for a file (project key optional when MCP integration already defines the default project)
Fix a specific SonarQube issue in code by rule key and location
Based on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
Uses power tools
Uses Bash, Write, or Edit tools
Uses power tools
Uses Bash, Write, or Edit tools
Made by Sonar
SonarQube is the AI code quality and security verification platform used by millions of developers to catch bugs, vulnerabilities, and leaked secrets. This plugin enforces those standards in the agent coding loop: 7,500+ distinct issue types, secrets scanning, agentic analysis, and quality gates across 40+ languages.
SonarQube combines deterministic checks with AI-assisted workflows so quality rules apply consistently to code from both developers and agents. Where your stack supports it, analysis and secrets scanning can run inside the agent loop instead of only in CI.
The Plugin helps agents connect to SonarQube CLI and SonarQube MCP Server for issue detection, checking project metrics such as test coverage and duplications, fetch dependency risks, etc. Claude Code, Copilot CLI, Codex, and Antigravity (through SonarQube CLI) install agent hooks for secrets scanning and, when entitled, Vortex agentic analysis.
How to use: Run /sonarqube:sonar-integrate after installation to walk through setup — CLI installation, authentication, and wiring up the MCP Server and hooks. From there, use slash commands like /sonarqube:sonar-quality-gate to check quality gates or interact naturally with prompts like "analyze my code for issues," "show open SonarQube findings," or "check my coverage." With Vortex agentic analysis enabled, verification happens automatically after each edit with no manual invocation required.
sonar) on your machine.Authenticate once with sonar auth login (browser flow; credentials stay in your OS keychain). The MCP server uses that login.
Check auth anytime:
sonar auth status
SonarQube CLI can wire everything for you:
sonar integrate claude # Claude Code: MCP, hooks, secrets scanning, etc.
sonar integrate copilot # GitHub Copilot CLI: MCP, hooks, secrets scanning, etc.
sonar integrate codex # Codex: MCP, hooks, secrets scanning, Vortex agentic analysis hook
sonar integrate antigravity # Antigravity: hooks, instructions, CAG, MCP patch (after plugin install)
sonar integrate cursor # Cursor: MCP, secret-scanning hooks, Vortex agentic analysis instructions
Run these after sonar auth login. Use the /sonarqube:sonar-integrate skill if you prefer a guided flow (install/update CLI, login, then integrate).
Install from Anthropic's marketplace claude-plugins-official:
/plugin install sonarqube@claude-plugins-official
claude plugin install sonarqube@claude-plugins-official
scripts/setup.js)./sonarqube:sonar-integrate or sonar auth login + sonar integrate claude.sonar auth login by scenario:
| Scenario | Command |
|---|---|
| SonarQube Cloud (EU) | sonar auth login -o <org-key> |
| SonarQube Cloud (US) | sonar auth login -o <org-key> -s https://sonarqube.us |
| SonarQube Server | sonar auth login -s <server-url> |
Optional: add sonar-project.properties in the project root with sonar.projectKey, sources, etc.
Plugin bundle: .github/plugin/.
Install sonarqube from the pre-packaged awesome-copilot plugins catalog:
/plugin install sonarqube@awesome-copilot
Run sonar integrate copilot, or invoke the /sonarqube:sonar-integrate skill.
Same workflows as Usage once MCP is connected.
.cursor-plugin/ with MCP via mcp.json.
/add-plugin sonarqube
sonar integrate cursor, or invoke the /sonarqube:sonar-integrate skill.Repo-root plugin: plugin.json, mcp_config.json, rules/sonarqube.md, and shared skills/. Hooks and managed instructions are not in the plugin bundle—they are installed by sonar integrate antigravity.
# 1. Plugin bundle — skills, rules, MCP
agy plugin install https://github.com/SonarSource/sonarqube-agent-plugins
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimclaude plugin install sonarqube@claude-plugins-officialCurator - Ancient guardian of code excellence. Orchestrates 5 quality gates (Static Analysis, Test Coverage, Security Scanning, Complexity Analysis, Dependency Health) in a unified flow. Ensures pristine code through Forerunner precision and automated enforcement.
Proactive bug finding with static and semantic analysis
Open-source cybersecurity analysis agent. Scans any local project for vulnerabilities: code security (SAST), dependency CVEs (SCA), secret leaks, authentication/authorization flaws, cryptographic weaknesses, misconfigurations, supply chain risks, and CI/CD security. Covers all OWASP 2025 Top 10 and CWE Top 25 categories. Generates prioritized reports with remediation guidance. Invoke with /cyber-neo [path].
Comprehensive security toolkit for vulnerability scanning, secrets detection, and dependency auditing. Includes security architect agent for strategic security assessment and remediation planning.
Automated code review, security scanning, and quality enforcement
Security scanning, dependency CVE audits, and exposure-aware risk prioritization.