Now available: SonarQube plugin for Claude Code

6 min read


Anirban Chatterjee

Director, Product and Solutions Marketing

TLDR Overview

  • The Claude Code plugin for SonarQube, available today in the Anthropic marketplace, integrates SonarQube’s security and code quality analysis directly into the Claude Code terminal environment for real-time verification.
  • The plugin utilizes agentic analysis and MCP servers to scan for code smells and vulnerabilities, and blocks over 450 secret patterns before content enters the LLM context.
  • Developers use slash commands to check quality gate status, assess dependency risks, and review code coverage without switching to a browser.
  • This integration supports the Agent Centric Development Cycle (AC/DC), reducing reported AI-related outages by 44% through deterministic, inner-loop code verification.
  • With Anthropic’s announcement earlier today of Opus 4.7, this plugin arrives at the perfect time to enable developers to use SonarQube’s code verification capabilities alongside the new model.

What is the SonarQube plugin for Claude Code?

SonarQube’s Claude Code plugin packages skills, agents, hooks, and our MCP server to provide Claude with everything it needs in order to access SonarQube’s capabilities: the SonarQube CLI, SonarQube MCP Server, hooks for SonarQube Agentic Analysis, and secrets scanning. Once installed, Claude Code gains access to SonarQube’s code quality and security analysis without ever leaving the terminal. This means full language and rule coverage—code smells, duplication, complexity, and SAST across 40+ languages—governed by your existing quality profiles and gates. The Claude Code plugin is available today in the Anthropic marketplace, ready for use alongside today’s drop of Anthropic’s Opus 4.7 model.

How the plugin works

Slash commands let you query your SonarQube instance in real time: check quality gate status, list open issues, review code coverage and duplication, and assess dependency risks. In addition, every file Claude reads and every prompt you enter is automatically scanned for over 450 secret patterns before the content enters the LLM's context window.
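To make the pre-context secret scan concrete, here is an added illustration (not code from Sonar's plugin) of a Claude Code hook that inspects a prompt or tool payload and blocks it when a secret-like pattern appears. It assumes Claude Code's hook conventions of a JSON event on stdin (`prompt` for UserPromptSubmit, `tool_input`/`tool_response` for tool events) and exit code 2 as the blocking result; the four patterns are a constructed sample, not SonarQube's ruleset.

```python
import json
import re
import sys

# Constructed sample patterns; a real scanner (like the 450+ in the plugin) has many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(r"(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
}


def find_secrets(text):
    """Return (pattern_name, line_number) hits; the secret value itself is never echoed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def text_to_scan(event):
    """Extract the content about to enter the model's context (assumed hook payload shape)."""
    if "prompt" in event:
        return event["prompt"]
    if "tool_response" in event:
        resp = event["tool_response"]
        return resp if isinstance(resp, str) else json.dumps(resp)
    return json.dumps(event.get("tool_input", {}))


def decide(event):
    """Return (exit_code, message): 0 lets content through, 2 blocks it (assumed Claude Code semantics)."""
    hits = find_secrets(text_to_scan(event))
    if not hits:
        return 0, ""
    summary = ", ".join(f"{name} at line {n}" for name, n in hits)
    return 2, f"Blocked: possible secrets detected ({summary}); redact before sending."


if __name__ == "__main__":
    code, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)  # stderr is what a blocking hook reports back
    sys.exit(code)
```

Reporting only the pattern name and line number keeps the hook itself from leaking the value into logs or the model's context.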

And for organizations with SonarQube Agentic Analysis enabled (in beta now for codebases in C#, Java, JavaScript, Python, and TypeScript), PostToolUse hooks run analysis after each file edit, catching issues as they're introduced. The result is that the “Verify” step of AC/DC is embedded directly after the “Generate” step. The feedback loop that used to require a CI pipeline and a context switch now happens in seconds within the inner loop of the agent, right where the software developer is working.

Why you should care

The way code gets written has changed more in the last six months than it did in the previous decade. But velocity without code verification is just technical debt on a faster timeline: Carnegie Mellon researchers studied a widely-used AI coding tool and found that it produced a persistent 30% increase in static code analysis warnings and a 41% rise in code complexity. Every engineering team now faces the same paradox: you need agentic speed to stay competitive, but you need rigorous code verification to stay safe. The Claude Code plugin is how Sonar solves this.

It's built around what we call the Agent Centric Development Cycle (AC/DC): Guide, Generate, Verify, and Solve. AC/DC is a framework for governing how AI agents write, check, and fix code in a continuous loop. The core insight is that because AI is non-deterministic, code verification has to be deterministic—and it has to happen inside the agent loop, not after the fact in CI.

Today's release of Claude Opus 4.7 sharpens the point. Anthropic's newest generally available model is purpose-built for harder, longer-running coding tasks, and it tries to verify its own outputs before completing its work. But that self-checking instinct is still non-deterministic: the model decides what to check and how. SonarQube provides verification that is deterministic and comprehensive, with full rule coverage using your defined quality gate, every time. The two approaches are complementary: Opus 4.7 raises the ceiling on what an agent can build and catch in a single session, and SonarQube ensures nothing ships that shouldn't.

The SonarQube plugin for Claude Code allows you to extend a platform your organization already trusts into the environment where code is increasingly being written, and developers who verify their code with SonarQube are 44% less likely to report experiencing outages due to AI code.

Get started now

The plugin is available today on the Anthropic Plugin Marketplace. In Claude Code, run /plugin to open the plugin browser. Find sonarqube (under claude-plugins-official) in the Discover tab and install it. Then start a new session or reload so the plugin loads.

Run /sonarqube:integrate to walk through setup—CLI installation, authentication, and wiring up the MCP Server and hooks. Within minutes, every Claude Code session benefits from automated verification by SonarQube.

SonarQube is already a trusted AI governance tool for coding. The Claude Code plugin brings these strengths directly into the developer's agentic workflow. Try it on your next project: write code with Claude, and let SonarQube make sure it's code you can trust.

Build trust into every line of code
