Releases: SonarSource/sonarqube-cli

1.0.0.2628

10 Jun 14:47
Immutable release. Only release title and notes can be modified.
6c0021c

SonarQube CLI v1.0.0

This milestone marks SonarQube CLI becoming an official public release and getting out of open beta.

SonarQube CLI 1.0 makes SonarQube a practical day-to-day tool in the terminal. It helps developers catch secrets, surface code quality and security issues on local work, and plug SonarQube into AI assistants, git hooks, and automation so feedback arrives earlier than CI.

The main commands are simple: sonar auth connects to SonarQube, sonar analyze runs local analysis workflows, sonar list queries projects and issues, and sonar integrate sets up agent and git integrations. That gives teams one CLI for interactive use, scripting, and AI-assisted development.

For more information, explore our interactive command browser, or dive into the detailed documentation.

This specific version introduces the sonar system status and sonar system reset commands, a fully interactive sonar integrate experience, automatic project discovery from Git remotes, and a wide range of polish and bug fixes across the board.

Features

  • New sonar system status command: It provides a full overview of your CLI health — authentication, installed binaries, active integrations, MCP server state, and recommended actions. Supports --json for agent consumption.
  • New sonar system reset command: It cleanly uninstalls all Sonar-managed integrations, hooks, binaries, and auth state, conducting a "factory-reset" and leaving your environment as it was before setup.
  • New --project option for sonar analyze: The sonar analyze command now accepts a --project flag, consistent with how it is advertised in command help.
  • Revamped, interactive sonar integrate command: Claude Code, Copilot, Codex, and Git integrations now present a per-feature opt-in prompt during installation, giving users fine-grained control over what gets installed and where (global vs. project scope). The command now offers a refreshed UI and consistent display for all subcommands.
  • Auto-discovery of project binding from Git remote: When no local project config is found, the CLI now queries the server using the repository's origin remote URL to automatically resolve the project key and organization.
  • New PostToolUse hook for Codex: sonar integrate codex now installs a PostToolUse: apply_patch hook that runs Agentic Analysis inline after each file edit, mirroring the Claude Code hook experience.
  • sonar auth login confirmation prompt: The confirmation dialog now clearly displays the URL you are connecting to (e.g. Connect to: https://your-server.com?) for a more secure experience.
  • Agentic Analysis skipped during global agent integration: sonar integrate <agent> --global no longer writes project-scoped Agentic Analysis hooks or instruction files; users are advised to run without --global if they want analysis hooks.

Bug Fixes

  • Fixed sonar analyze --file output: Running sonar analyze --file <path> without a configured project no longer prints the full help menu; the secrets success message now reads "Secrets scan completed successfully", and excess blank lines have been removed.
  • Fixed Codex AGENTS.md path: sonar integrate codex now correctly writes AGENTS.md at the repository root instead of .codex/AGENTS.md.
  • Reduced macOS Keychain prompts: Fixed a code-signing identifier issue that caused macOS to show a Keychain access dialog on every invocation after sonar self-update. The binary now uses a stable, version-independent identifier so the Keychain ACL remains valid across updates.
  • Line endings preserved on managed file writes: The CLI now detects and preserves existing line endings (CRLF / LF) when writing or updating managed resource blocks, preventing unintended line-ending changes on Windows.

Miscellaneous

  • Dynamically built help menu: The sonar root help is now built dynamically, ensuring commands, subcommands, and descriptions are always up to date.

0.14.1.2338

04 Jun 14:40
Immutable release. Only release title and notes can be modified.
8dc2738

SonarQube CLI v0.14.1

This release fixes a bug in the context augmentation skill output, and a bug in the sonar integrate command that was overwriting AGENTS.md.

Bug Fixes

  • Context augmentation skill: Fixed an issue where the generated skill file (e.g., SKILL.md for Claude, Copilot, or Codex integrations) instructed agents to invoke the raw sonar-context-augmentation binary directly instead of the correct sonar context wrapper command.
  • AGENTS.md: Fixed an issue where sonar integrate for Copilot and Codex was overwriting the whole AGENTS.md file instead of appending content to it.

0.14.0.2245

03 Jun 14:45
Immutable release. Only release title and notes can be modified.
9c5eb1b

SonarQube CLI v0.14.0

This release introduces Codex support alongside Context Augmentation, which equips AI assistants with crucial code architecture and SonarQube-based coding guidelines. We’ve also added Software Composition Analysis (SCA) to proactively flag security and license issues in your project dependencies. Finally, the CLI gets a major usability boost with streamlined authentication, installation, and error handling.

Features

  • Codex integration: Added sonar integrate codex, including prompt secret-scanning hooks, Codex instructions, and SonarQube MCP configuration.
  • Context Augmentation: Added the sonar context command and setup for supported Claude, Copilot, and Codex integrations.
  • Dependency risk analysis: Added sonar analyze dependency-risks to analyze project dependencies for security and license risks.
  • Analysis command: sonar analyze is now the primary entry point for Agentic Analysis.
  • Authentication flow: sonar auth login now guides Server vs Cloud selection and confirms the selected server before continuing.
  • Telemetry: Setting the DO_NOT_TRACK=1 environment variable now disables both usage telemetry and crash reporting. sonar config telemetry reports when telemetry is disabled this way.
  • Project auto-resolution: The CLI now explicitly shows when and how a project key was resolved automatically, removing implicit "magic" from the output.

Bug Fixes

  • Error handling: Fixed CLI and API error rendering so common failures now show clearer and more consistent remediation hints.
  • Agentic Analysis feedback: Fixed cases where SonarQube Agentic Analysis could be skipped silently; the CLI now reports the problem explicitly.
  • Installation compatibility: Unix release artifacts now use the .bin extension, and the install scripts automatically fall back to .exe for older releases.

Miscellaneous

  • Removed sonar auth purge and the --with-token login option. For CI and automation, use environment variables instead.
  • Continued foundational work on declarative integration management and Context Augmentation support across agent integrations.

0.13.0.1692

19 May 08:25
Immutable release. Only release title and notes can be modified.

SonarQube CLI v0.13.0

This release enhances the GitHub Copilot integration with Agentic Analysis and includes several improvements to error handling and integrations.

Features

  • GitHub Copilot Integration: Added Agentic Analysis integration for Copilot CLI, instructing Copilot to automatically analyze modified files during sessions
  • Enhanced Error Messages: Errors now include helpful remediation hints showing you how to fix common issues
  • Debug Logging: sonar run mcp now logs the exact container command being executed in debug mode

Bug Fixes

  • Fixed Git hooks to fail gracefully when the CLI crashes outside CI environments, preventing blocked commits while still failing hard in CI pipelines

Miscellaneous

  • Continued foundational work on the upcoming SCA dependency analysis command, including downloading the SCA scanner binary for the current platform and wiring it into the analysis pipeline (not yet user-facing).
  • Introduced an internal declarative framework for describing and managing integrations (foundational scaffolding for future integration improvements).
  • Internal fixes to the automated documentation version update process.

0.12.0.1512

11 May 11:16
Immutable release. Only release title and notes can be modified.
d66f27d

SonarQube CLI v0.12.0

This release significantly expands the agentic analysis capabilities of the CLI and introduces sonar remediate — a new command to submit issues for automated fixing via the SonarQube Remediation Agent.

Features

  • Agentic Analysis from the Working Tree: sonar analyze agentic (renamed from sonar analyze sqaa) now automatically detects your Git change set — no --file argument needed. By default it analyzes staged and unstaged changes plus untracked files.

    • Use --staged to restrict to staged files only, or --base <ref> to diff against a branch or commit.
    • Live per-file progress is displayed in TTY environments. Use --format json for structured output compatible with piping.
    • Binary files and files above 10 MB are automatically excluded and reported. Exit code 51 signals issues were found; 0 means clean.
  • Issue Remediation: New sonar remediate command lets you interactively select open issues fixable by the SonarQube Remediation Agent and submit them as a single job — without leaving the terminal.

    • Use --issues <key>,<key> for non-interactive mode, suitable for use with AI agents such as Claude Code.
    • Available on SonarQube Cloud only. A pre-flight entitlement check catches unsupported plans with a clear message before hitting the API.
  • Improved Project Key Guidance: When no project key is detected, the CLI now explains how to configure one via sonar-project.properties or .sonarlint/connectedMode.json.

  • Updated Bundled Text Analyzer: Updated to version 2.43.0.11106, adding new detection rules for lock files across multiple languages and support for user-defined issue messages for S6784.

Bug Fixes

  • Agentic Analysis Hook: Fixed an issue where file paths containing .. or ~ components were sent to the server unnormalized, causing 400 errors in the PostToolUse hook

0.11.0.1439

07 May 06:43
Immutable release. Only release title and notes can be modified.
b0b013e

SonarQube CLI v0.11.0

This release introduces seamless integration with Copilot CLI, allowing you to leverage SonarQube’s intelligence directly within your AI-assisted workflows.

Features

  • Copilot CLI Integration: Added the sonar integrate copilot command. This automates the setup for the SonarQube MCP Server and installs a pre-tool-use secrets-scanning hook.
    • Note: This also generates an instructions.md file to help Copilot identify and block prompts containing sensitive information.
  • Simplified MCP Configuration: Added the sonar run mcp command, designed to be used in agent configuration files. Once authenticated via the CLI, the SonarQube MCP Server can be initialized automatically by your AI agent without additional manual configuration.

0.10.0.1266

27 Apr 14:05
6a8457c

SonarQube CLI v0.10.0

New Features & Enhancements

  • Platform Support: Added support for Linux ARM64. Thanks to @mcfedr for the contribution!
  • Issue Filtering: Added the ability to filter issues by statuses and by severities simultaneously.
  • Environment Variables in Auth: sonar auth status now properly displays when a connection is being sourced from environment variables.
  • Agentic analysis: Added a clear warning when no project is configured for SonarQube Agentic Analysis.

Security & Authentication

  • Keychain Migration: Replaced the external keytar dependency with Bun.secrets for native OS backend keychain management, simplifying token state management and removing the need for macOS entitlements.
  • Token Validation & Generation:
    • sonar auth status now actively checks if the current token is valid.
    • Adjusted the token generation URL to support SonarQube Server 2026.2+.

Bug Fixes

  • Hooks: Fixed an issue to ensure pre-commit hooks are not duplicated.
  • SonarQube Cloud US Region Support: Fixed an issue where Cloud API calls were hardcoded to the EU base URL, breaking SQC US environments, and properly added SQC US auth/mentions to the CLI help and README.

Performance & Installation

  • Windows Installation: Sped up install.ps1 by silencing the progress bar.

0.9.0.977

13 Apr 10:00
2dec763

SonarQube CLI v0.9.0

This release makes it possible to run any SonarQube capability from the CLI through the SonarQube Web APIs.

Features

  • Generic API command sonar api.
    Power users can now invoke any SonarQube Server or SonarQube Cloud HTTP endpoint directly from the CLI, enabling full Web API integration beyond built-in commands

Bug fixes

  • Project key detection — The project key is now correctly resolved from
    .sonarlint/connectedMode.json when present in the workspace.
  • Pre-commit hook — Fixed a failure in the pre-commit hook when the sonar
    CLI is not installed on the machine.
  • Telemetry initialization — Fixed incorrect Sentry SDK initialization:
    the CLI now uses the correct @sentry/node package instead of
    @sentry/bun.

0.8.1.798

31 Mar 12:32
e383114

SonarQube CLI v0.8.1

This is a bugfix release. It fixes the problem with keystore on Mac that was preventing users from logging in.

0.8.0.783

31 Mar 09:51
fe001c3

SonarQube CLI v0.8.0

This release introduces several improvements and fixes some bugs.

Features

  • Improve the help command and provide a quickstart guide
  • Rename authentication environment variables
    • SONAR_CLI_TOKEN -> SONARQUBE_CLI_TOKEN
    • SONAR_CLI_SERVER -> SONARQUBE_CLI_SERVER
    • SONAR_CLI_ORG -> SONARQUBE_CLI_ORG
  • Sign macOS binary with Apple Developer ID to avoid frequent Keychain Access prompts
  • sonar self-update updates the secrets binary if it was previously installed
  • Collect uncaught exceptions with Sentry

Bug Fixes

  • Do not require organization key when doing auth logout