sonarqube Plugin
Plugin Claude Code Security Code Quality, Review & TestingSecurity, Auth & ComplianceClaude Code Customization & WorkflowThe explanation below is AI-generated. Please verify it against the sources.
This plugin brings SonarQube's code quality and security verification into the agent coding loop for Claude Code, GitHub Copilot CLI, Codex, Antigravity, Cursor, Kiro, and legacy Gemini CLI, according to the README. It bundles SonarQube CLI, the SonarQube MCP Server, skills, hooks, and slash commands, and enforces checks across 7,500+ distinct issue types, secrets scanning, and quality gates spanning 40+ languages. Where the agent supports it (e.g. Codex), a PostToolUse hook runs analysis on the changed code after each edit, and when Agentic Analysis is entitled, verification happens automatically with no manual invocation. Slash commands give on-demand access to project lists, issue lists, quality gate status, coverage, duplication, and dependency risks. Setup requires a SonarQube account (Cloud, Server, or Community Build), the SonarQube CLI, and a container runtime (Docker, Podman, or Nerdctl) for the MCP server image.
Overview
According to the homepage and README, SonarQube is a code quality and security verification platform used to catch bugs, vulnerabilities, and leaked secrets in code written by both developers and AI agents. The homepage lists related products including SonarQube Cloud, SonarQube Server, SonarQube for IDE, SonarQube Advanced Security, Gitar, and the MCP Server/CLI, and states it is used by over 7 million developers and 75% of the Fortune 100.
What you can do with sonarqube
- Run /sonarqube:sonar-integrate to walk through CLI installation, authentication, and MCP/hooks setup
- List projects with /sonarqube:sonar-list-projects
- List issues with /sonarqube:sonar-list-issues, optionally filtered by severity
- Fix a specific issue with /sonarqube:sonar-fix-issue
- Check quality gate status with /sonarqube:sonar-quality-gate
- Trigger analysis with /sonarqube:sonar-analyze
- Check test coverage with /sonarqube:sonar-coverage
- Check code duplication with /sonarqube:sonar-duplication
- Check dependency risks with /sonarqube:sonar-dependency-risks
- On supported agents, get automatic post-edit analysis via PostToolUse hooks and secrets-scanning hooks
Sources
Original description (English)
Automatically enforce SonarQube code quality and security in the agent coding loop — 7,000+ rules, secrets scanning, agentic analysis, and quality gates across 40+ languages. PostToolUse hooks run analysis after every file edit. Pre-tool secrets scanning prevents 450+ patterns from reaching the LLM. Slash commands give on-demand access to quality gate status, coverage, duplication, and dependency risks. Includes SonarQube CLI, MCP Server, skills, hooks, and slash commands.
History of sonarqube
- Plugin Added sonarqube