SonarQube CLI
The SonarQube CLI brings code quality and security analysis into your terminal, your scripts, and your AI coding sessions, without waiting for CI/CD.
The SonarQube CLI (sonar) is a command-line companion for SonarQube Cloud and SonarQube Server. It lets you scan for secrets, analyze local changes, query projects and issues, and wire SonarQube into AI coding assistants, all from your terminal.
Project links: cli.sonarqube.com · GitHub repository · Command reference (HTML) · Releases
What it does
Some features run against either SonarQube Cloud or SonarQube Server; others are currently SonarQube Cloud only. The list below marks each one.
Available with both SonarQube Cloud and SonarQube Server:
🔒 Detect secrets before they leak. Scan files, standard input, Git commits, or AI tool calls for hardcoded credentials. See Secrets scanning.
📦 Scan dependencies for vulnerabilities, malware, and prohibited licenses. sonar analyze dependency-risks runs Software Composition Analysis (SCA) on your project's dependencies. This command is in beta and subject to change. Available on SonarQube Cloud and on SonarQube Server 2026.4+ when Advanced Security with SCA is enabled. See Software Composition Analysis (SCA).
⚡ Get fast feedback on local changes. sonar analyze runs every analysis the CLI supports on your uncommitted work. The secrets-scanning portion runs against both SonarQube Cloud and SonarQube Server. Agentic Analysis is available only on SonarQube Cloud. See Analyzing local changes.
🤖 Integrate with AI coding agents. Install hooks and MCP servers for Claude Code, GitHub Copilot, and OpenAI Codex in one command. See Overview.
📊 Script and automate. List your projects, and surface issues in JSON, CSV, TOON, or table format for dashboards, analytics, and pipelines.
🔗 Call the SonarQube API. Make authenticated requests to any SonarQube Web API endpoint with sonar api.
SonarQube Cloud only:
🧠 Run Agentic Analysis on local changes. Get server-grade results on your uncommitted diff in your terminal, powered by SonarQube Cloud's Agentic Analysis. Runs as part of sonar analyze. See Analyzing local changes.
🛠 Trigger AI-assisted fixes. Send eligible issues to the SonarQube Cloud remediation agent and apply suggested fixes. See AI remediation.
For a full reference of every command, option, and example, see Commands reference.
Three ways to use the CLI
Everyone starts the same way: follow the Quickstart guide to install, authenticate, and run your first command. Then dig into the workflow that matches your use case:
Run commands interactively in your terminal
Commands reference (full command reference)
Plug SonarQube into Claude Code, GitHub Copilot, or Codex
Script the CLI in CI/CD or automation
SonarQube CLI vs. SonarScanner CLI
These two products serve different purposes. Choose based on what you're trying to do:
The SonarQube CLI (sonar, this product) is for developers and AI agents working in their terminal. It interacts with an existing SonarQube project and exposes secrets scanning, local change analysis, AI remediation, and project/issue lookup.
The SonarScanner CLI (sonar-scanner) is the code analysis scanner used to ingest projects from CI/CD pipelines into SonarQube. See the SonarScanner CLI docs for SonarQube Server or SonarQube Cloud.
Prerequisites
A SonarQube Cloud organization or a SonarQube Server instance.
A SonarQube user token to authenticate with, not a project, global, or organization-scoped token.
A supported operating system:
Linux x86-64 or ARM64
macOS ARM64 (Apple Silicon)
Windows x86-64
Warning: macOS Intel is not supported. The installer only ships a macos-arm64 binary. Apple Silicon Macs (M1/M2/M3/M4) work natively; Intel Macs are not currently supported.
Warning: User tokens are required when authenticating your SonarQube CLI with SonarQube Cloud or SonarQube Server. The CLI won't function properly if project tokens, global tokens, or scoped organization tokens are used during setup.
What a session looks like
A typical first run:
For AI agents reading this page
If you are an AI coding assistant reading these docs, a machine-readable command reference is published at cli.sonarqube.com/llms.txt and a structured JSON schema at cli.sonarqube.com/data/commands.json.
Feedback
Share what's working, what isn't, and what you'd like next:
General questions and ideas: the Sonar Community forum.
Bugs and crashes: github.com/SonarSource/sonarqube-cli/issues.
Feedback form: share your impressions.

