AI coding agents are generating an increasing share of production code. In the ideal agent loop, generation, checking, and fixing all happen at machine speed, producing and modifying code across entire codebases faster than any manual workflow. In practice, the checking does not keep up. Volume is no longer the constraint; trust is. Without code verification that keeps pace, every gain in velocity surfaces later as security risk, governance gaps, and rework. Verification is mandatory, not optional: skipping it lets AI-generated flaws enter your codebase, where they lead to outages and security breaches.
For years, Sonar has been the standard for code quality and security in CI/CD. SonarQube CLI extends that standard into every environment where agents operate: terminals, CI pipelines, git hooks, and AI coding agents. One install. One authentication step. The most important SonarQube capabilities—secrets detection, code quality and security analysis, dependency risk scanning—are now available through a single command line tool, at the speed agents require.
The CLI is purpose-built for multilayered code verification in the agentic era. Secrets scanning, multifile quality and security analysis, dependency risk detection, issue querying, and AI agent integration all run through a single binary that connects to your existing SonarQube Cloud or SonarQube Server deployment.
Today, SonarQube CLI is generally available.
Why CLIs are critical in the agentic era
Command-line tools are the natural interface for automation: scripts, pipelines and git hooks all run through the terminal. As AI agents have taken on more of the coding work, CLIs have become even more central: they are the interface agents use to plan, execute, and verify work programmatically. Agents need structured, scriptable access to third-party software capabilities. A CLI is the most direct way to provide it.
SonarQube CLI brings SonarQube into that agent loop. Agents call it for guidance while generating code, to verify files for issues, scan for secrets, check dependencies, and query project state. JSON output is available across all commands. TOON (token-oriented object notation) output is optimized for LLM consumption, so agents can parse and act on findings without any post-processing. Authentication uses the OS keychain, so tokens are never stored in plain files and every subsequent command reuses the stored credential automatically.
The Agent Centric Development Cycle
Sonar's Agent Centric Development Cycle (AC/DC) is a framework for the new architecture of software delivery. Agents generate code continuously. The people directing them set standards, review outputs, and direct the next task. Code verification runs between every step.
AC/DC defines three pillars:
- Guide primes agents with the architectural context they need before a task begins: codebase structure, intended architecture, coding guidelines, and component dependencies, so agents generate code that fits the existing system rather than working against it.
- Verify runs deterministic code analysis on what the agent produces: secrets, code quality, security, and dependency risk checked independently of the model that generated the code.
- Solve closes the loop by resolving findings: transitioning issues, applying AI-assisted fixes, and keeping the codebase in a known good state.
SonarQube CLI is the interface that connects all three pillars from the terminal.
For AC/DC to work, verification has to be as fast and as automatic as generation. It has to live where agents live: in the terminal, in the hook, in the orchestration layer.
SonarQube CLI is how that standard travels into the agentic workflow. Once integrated, when an agent reads a file, SonarQube scans it. When an agent proposes a change, SonarQube evaluates it. When an agent asks what is wrong with the codebase, SonarQube answers. The CLI is configured once, and the output of its commands drives the agent's next iteration.
Multilayered verification for agentic workflows
Reliable verification at the agentic scale requires multiple independent checks, not a single gate. No single analysis catches everything. SonarQube CLI brings Sonar's multilayered code verification into the agentic loop: secrets detection, code quality and security analysis, and dependency risk scanning all run as composable steps that agents can call individually or chain together.
Each layer uses a different methodology:
- The secrets engine catches hardcoded credentials, API keys, and tokens before a file ever enters an agent's context window, covering 450+ patterns across 248 cloud services.
- For teams on SonarQube Server, the CLI automatically downloads and applies any custom secret rule templates defined in the server, refreshing on every run, so org-specific detection rules propagate to every agent environment without extra configuration.
- SonarQube Agentic Analysis evaluates code quality and security on changed files using SonarQube's server-side rules (SonarQube Cloud currently, planned for inclusion in SonarQube Server).
- Dependency risk analysis checks manifests against SonarQube's vulnerability database.
Crucially, the verification layer is independent of the model that generated the code. Agents should not check their own output. Trusting AI to review AI is not sufficient: non-deterministic systems cannot reliably audit themselves. SonarQube CLI is an external, deterministic system with clear segregation of duties: same input, same output, every time, connected to your organization's existing quality authority. Sub-100ms latency per file means hooks are invisible in the agent's execution loop, so code verification keeps pace with generation and never slows the agent down. A false positive rate below 5% means agents are interrupted only when there is a genuine finding.
What can agents do with SonarQube CLI?
The analysis and querying commands in SonarQube CLI are designed to be called programmatically: from hooks, pipelines, and agent workflows. The workflow follows a natural lifecycle—discover, act, verify, resolve.
Discover: Understand the codebase before starting
sonar list projects finds any accessible SonarQube project by name or key, giving agents a starting point in multi-project organizations. sonar list issues --format toon delivers a structured briefing on open issues, severity distribution, and PR-specific findings in a format optimized for LLM ingestion. Agents start every task knowing where the codebase stands.
Act: Block risks as they arise
Once integrated via sonar integrate claude or sonar integrate copilot, secrets scanning hooks fire automatically inside the agent's execution loop—before a file is read or written, and before a prompt is submitted—using the sonar-secrets engine. Agents can also call sonar analyze secrets directly on any file, directory, or stdin at any point, independently of the hooks. Piping generated content through sonar analyze secrets --stdin before writing it to disk catches secrets before they ever touch the filesystem.
sonar analyze dependency-risks -p <project> surfaces vulnerable, malicious, and license-violating packages before they land in generated code. Both operate independently of any AI model: no model judgment, same input produces the same output every time.
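The "scan before it touches the filesystem" pattern above, written out as an added example (not code from the SonarQube CLI project): a small POSIX shell guard that pipes generated content through sonar analyze secrets --stdin and only writes the file when the scan is clean. It assumes the command exits non-zero when a secret is detected (the post says only that detection returns a block signal), and the SONAR_BIN variable is this example's own convention for substituting the scanner command in tests or wrappers.

```shell
#!/bin/sh
# Added example, not part of the SonarQube CLI project: gate a file an agent
# is about to write by piping the content through `sonar analyze secrets
# --stdin` first. Assumption: the command exits non-zero when it detects a
# secret (the post says only that detection returns a block signal).
# SONAR_BIN is this example's own convention for substituting the scanner.
: "${SONAR_BIN:=sonar}"

# safe_write CONTENT PATH
# Writes CONTENT to PATH only if the secrets scan of CONTENT is clean.
# Returns 0 when the file was written, 1 when a finding blocked the write.
# The scan runs on the content, not the file, so nothing reaches disk first.
# If the scanner itself cannot run (not installed, no auth), the pipeline
# fails and the write is blocked too: the guard fails closed.
safe_write() {
    content=$1
    path=$2
    if printf '%s' "$content" | "$SONAR_BIN" analyze secrets --stdin >/dev/null 2>&1; then
        printf '%s' "$content" > "$path"
        return 0
    fi
    echo "blocked: secret detected in content for $path; nothing written" >&2
    return 1
}

# safe_write_from_stdin PATH
# Same gate for content arriving on a pipe (agent output streamed in).
# Note that command substitution drops trailing newlines from the content.
safe_write_from_stdin() {
    safe_write "$(cat)" "$1"
}

# Usage from an agent tool or wrapper script:
#   safe_write "$generated_source" src/config.js || echo "fix the secret and retry"
#   some_agent_command | safe_write_from_stdin notes/output.md
```

Because the scan and the write are a single function, an agent or hook cannot accidentally write first and scan later; the only path to disk is through a clean scan.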
Verify: Evaluate output before proposing a change
sonar analyze runs secrets scanning and server-side SonarQube Agentic Analysis on uncommitted work. sonar analyze agentic --staged scopes analysis to staged changes only, making it a natural pre-commit step. For deep analysis of a specific file, sonar analyze agentic runs server-side SonarQube Agentic Analysis and returns detailed quality and security findings the agent can act on immediately.
Resolve: Act on findings without human intervention
sonar remediate triggers AI-assisted remediation for eligible issues directly from the terminal. Pass up to 20 issue keys via --issues for non-interactive use in agent pipelines, or run it interactively to select issues. This is available in SonarQube Cloud currently, and planned for SonarQube Server.
Automate beyond the built-in commands
sonar api gives agents authenticated access to any SonarQube Web API endpoint for everything else: transitioning issue status, accepting or resolving findings, and adding comments programmatically.
Dependency risk analysis
Agents pull dependencies. They do not know your approved list, your security policy, or whether a package was flagged for malware last week. The gap is not disclosure; it is workflow.
sonar analyze dependency-risks runs at the terminal, or wired into any agent hook or CI gate, and returns findings with CVE IDs, CVSS scores, affected version ranges, and fix recommendations. Available on SonarQube Cloud and SonarQube Server 2026.4+ with SonarQube Advanced Security and SCA enabled.
$ sonar analyze dependency-risks -p my-project --format table
[VULN] lodash@4.17.20 · CVE-2021-23337 · CVSS 7.2 · Fix: upgrade to 4.17.21
[VULN] axios@0.21.1 · CVE-2021-3749 · CVSS 7.5 · Fix: upgrade to 0.21.2
[OK] react@18.2.0 · No known vulnerabilities
Exit code: 51

Sonar Context Augmentation
Agents are stateless about the codebase they are working in. They do not know how the architecture is structured, what the team's coding guidelines are, or how the components they are about to modify relate to the rest of the system. Without that understanding, agents generate code that may be functionally correct but architecturally inconsistent—introducing patterns that conflict with existing conventions, creating unintended coupling between components, or duplicating logic that already exists elsewhere.
Sonar Context Augmentation addresses this at the source. Before a coding session begins, it navigates the codebase architecture, builds a graph of component relationships and dependencies, and surfaces the team's coding guidelines, injecting all of it directly into the agent's context window. The agent starts the task with a working understanding of the system it is operating in, not just the file it has been handed. The SonarQube CLI surfaces Sonar Context Augmentation through sonar context, which passes commands through to the context augmentation engine.
# Get coding guidelines before a session
sonar context guidelines get --categories "error-handling,security"
# Explore the architecture of a module
sonar context architecture get-current --ecosystem java
# Find code by declaration pattern
sonar context navigation search-signatures --pattern ".*Repository" --limit 5

Agent hooks
sonar integrate claude installs three hooks into Claude Code's settings: a PreToolUse hook that scans files for secrets before the agent reads them, a UserPromptSubmit hook that scans prompts for secrets before they reach the LLM provider, and a PostToolUse hook that runs SonarQube Agentic Analysis after the agent edits or writes a file. sonar integrate copilot installs a PreToolUse hook for secrets scanning and configures SonarQube Agentic Analysis and MCP through Copilot’s instructions and configuration system.
Both use the sonar-secrets binary, a deterministic engine external to the model, and return a block signal on detection. This is independent code verification: not the agent checking its own work, but a separate system with its own methodology, running every time, on every file, with a completely auditable record of every finding.
Median time to remediate a leaked secret discovered in a public repository: 94 days (Verizon 2025 DBIR). The secrets hooks prevent the leak before the clock starts.
Get started with SonarQube CLI
The setup is a one-time task. After that, agents operate within the verification layer automatically.
# Install (Linux/macOS)
curl -o- https://raw.githubusercontent.com/SonarSource/sonarqube-cli/refs/heads/master/user-scripts/install.sh | bash
# Install (Windows PowerShell)
irm https://raw.githubusercontent.com/SonarSource/sonarqube-cli/refs/heads/master/user-scripts/install.ps1 | iex
# Authenticate once—token stored in OS keychain, never in plain files
sonar auth login
# Wire agents into the verification loop
sonar integrate claude -p <project> # Claude Code: secrets hooks + Agentic Analysis + MCP + Context Augmentation
sonar integrate claude -g # Or deploy globally across all projects
sonar integrate copilot # GitHub Copilot: secrets hooks + Agentic Analysis + MCP + Context Augmentation
sonar integrate git --hook pre-commit # Block secrets at every commit
sonar integrate git --global # Or deploy the hook across all repositories
# Agents call these continuously
sonar analyze agentic --file <path> # Inner-loop quality gate
sonar analyze dependency-risks -p <project> # Check dependencies for risks
sonar list projects # Discover accessible projects
sonar list issues -p <project> --format toon # Brief the agent before a task
sonar context guidelines get # Prime the agent with coding guidelines
# Keep the CLI current
sonar self-update # No package manager required

Full documentation and command reference: https://www.sonarsource.com/sonarqube/cli/
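To show how the dependency-risk command above composes into a CI gate, here is an added example (not SonarQube's own code). It parses the --format table lines shown earlier in the post ("[VULN] pkg@ver · CVE-... · CVSS n.n · Fix: ...") and fails the job when any vulnerable package meets a CVSS threshold, rather than relying on the CLI's exit code, whose meaning the post does not document. The sample report is copied from the post's own output; SONAR_BIN is this example's own convention for substituting the scanner command.

```shell
#!/bin/sh
# Added example, not part of the SonarQube CLI project: a CI gate built on
# `sonar analyze dependency-risks --format table`. It parses the table rows
# the post shows rather than relying on the CLI's exit code, whose meaning
# the post does not document. SONAR_BIN is this example's own convention.
: "${SONAR_BIN:=sonar}"

# gate_dependency_report [THRESHOLD]
# Reads `--format table` output on stdin. Prints one "BLOCK <pkg> CVSS <score>"
# line per [VULN] row whose CVSS score is at or above THRESHOLD (default 7.0)
# and returns 1 if any were printed, 0 otherwise. [OK] rows are ignored.
gate_dependency_report() {
    thr=${1:-7.0}
    awk -v thr="$thr" '
        $1 == "[VULN]" && match($0, /CVSS [0-9.]+/) {
            # RSTART points at "CVSS ", so skip those 5 characters to get the score
            score = substr($0, RSTART + 5, RLENGTH - 5) + 0
            if (score >= thr + 0) {
                print "BLOCK " $2 " CVSS " score
                blocked++
            }
        }
        END { if (blocked > 0) exit 1; exit 0 }
    '
}

# run_dependency_gate PROJECT [THRESHOLD]
# Runs the CLI for PROJECT and applies the gate. The pipeline status is awk's,
# so a non-zero return here means the CI job should fail.
run_dependency_gate() {
    "$SONAR_BIN" analyze dependency-risks -p "$1" --format table \
        | gate_dependency_report "${2:-7.0}"
}

# Constructed sample, copied from the table output shown earlier in the post,
# so the gate can be exercised without a SonarQube connection.
SAMPLE_REPORT='[VULN] lodash@4.17.20 · CVE-2021-23337 · CVSS 7.2 · Fix: upgrade to 4.17.21
[VULN] axios@0.21.1 · CVE-2021-3749 · CVSS 7.5 · Fix: upgrade to 0.21.2
[OK] react@18.2.0 · No known vulnerabilities'

# demo_gate [THRESHOLD]: applies the gate to SAMPLE_REPORT.
demo_gate() {
    printf '%s\n' "$SAMPLE_REPORT" | gate_dependency_report "${1:-7.0}"
}

# In a pipeline step: run_dependency_gate my-project 7.0 || exit 1
```

Run against the sample with a threshold of 7.0, both lodash and axios are reported and the function returns 1; at 7.3 only axios is reported; at 9.0 nothing is reported and the gate passes. The threshold is the only policy knob here; a team's approved-package list would be a natural second filter on the package field.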