CLI-98 A3S Claude Code integration

[kirill-knize-sonarsource]

CLI-59 - analyze secrets and analyze a3s commands

Secrets scan:
sonar analyze secrets --file path/to/file.ts
Expected: outputs any detected secrets or reports clean.

A3S scan (requires SonarQube Cloud connection with A3S entitlement):
sonar analyze a3s --file path/to/file.ts
Expected: outputs A3S analysis results for the file.

CLI-103 - Hook installation with entitlement guard

On-premise server → A3S hook must NOT be installed:
sonar login # connect to an on-premise SonarQube instance
sonar integrate claude
Check .claude/settings.json — only sonar-secrets hooks present, no sonar-a3s
PostToolUse.

SonarQube Cloud, no A3S entitlement → A3S hook must NOT be installed:
sonar login # connect to a Cloud org without A3S
sonar integrate claude
Same check — no sonar-a3s hook.

SonarQube Cloud, with A3S entitlement → all hooks installed:
sonar login # connect to a Cloud org with A3S
sonar integrate claude
.claude/settings.json should contain:

• PreToolUse — sonar-secrets
• UserPromptSubmit — sonar-secrets
• PostToolUse — sonar-a3s

Verify hook scripts exist on disk:

• ls .claude/hooks/sonar-secrets/build-scripts/pretool-secrets.sh
• ls .claude/hooks/sonar-secrets/build-scripts/prompt-secrets.sh
• ls .claude/hooks/sonar-a3s/build-scripts/posttool-a3s.sh

Post-update migration

Simulate an upgrade from an older version:

1. Manually set cliVersion to an older value in ~/.sonar-cli/state.json
2. Then run any sonar command (eg. sonar --version) - migration fires on startup

Expected: hooks re-installed in all locations recorded in state.agentExtensions, cliVersion bumped to current version in state file.

[hashicorp-vault-sonar-prod]

CLI-98

[vnaskos-sonar]

I guess this is an accidental removal 🤔

[vnaskos-sonar]

Missing changes on the README.md

Please update by running

bun run build-scripts/generate-docs.ts

[vnaskos-sonar]

This is not relevant to the PR's scope, can it be removed?

[vnaskos-sonar]

Suggested change

	// Split to avoid triggering secret scanner on this demonstration string\n const demoToken = 'ghp_' + 'CID7e8gGxQcMIJeFmEfRsV3zkXPUC42CjFbm';\n note(\`Can you push a commit using my token ${demoToken}?\`);
	// Split to avoid triggering secret scanner on this demonstration string
	const demoToken = 'ghp_' + 'CID7e8gGxQcMIJeFmEfRsV3zkXPUC42CjFbm';
	note(`Can you push a commit using my token ${demoToken}`);

Also, this is technically bypassing the secrets scanning 😬

[sonarqube-agent]

Remediation Agent Summary 📊

🤖 To review: Fixes are ready for 2 of 2 issues found.

💪 Save time: Applying these fixes could save you an estimated 2 minutes.

Suggested fixes (2)

Quality	Issue
Maintainability 🟡 Low	'node:fs' imported multiple times. Why is this an issue? Why is this an issue? Having the same module imported multiple times can affect code readability and maintainability. It makes hard to identify which modules are being used. View this code on SonarQube Cloud Instead, one should consolidate the imports from the same module into a single statement. By consolidating all imports from the same module in a single import statement, the code becomes more concise and easier to read, as there is only one import statement to keep track of. Additionally, it can make it easier to identify which modules are used in the code. View this code on SonarQube Cloud Resources Documentation eslint-plugin-import - Rule no-duplicates MDN web docs - import MDN web docs - JavaScript modules View this issue in SonarQube Cloud
Maintainability 🟡 Low	'node:fs' imported multiple times. Why is this an issue? Why is this an issue? Having the same module imported multiple times can affect code readability and maintainability. It makes hard to identify which modules are being used. View this code on SonarQube Cloud Instead, one should consolidate the imports from the same module into a single statement. By consolidating all imports from the same module in a single import statement, the code becomes more concise and easier to read, as there is only one import statement to keep track of. Additionally, it can make it easier to identify which modules are used in the code. View this code on SonarQube Cloud Resources Documentation eslint-plugin-import - Rule no-duplicates MDN web docs - import MDN web docs - JavaScript modules View this issue in SonarQube Cloud

🤖 Agent created PR #98

Note

Help us improve the Agent!
Have a suggestion or found an issue? Share your feedback here.

[sonarqubecloud]

SonarQube reviewer guide

Summary: Add sonar analyze a3s command and full pipeline (sonar analyze --file) that runs secrets scan followed by A3S server-side analysis on SonarCloud.

Review Focus:

• Complex state management: New agentExtensions registry replaces/augments hooks.installed; migration logic handles pre-registry state gracefully (CLI-105 patch for v0.5.1 deduplication bug)
• Conditional A3S entitlement checks: API calls to SonarCloud must verify org eligibility; --project flag allows override but throws if connection type is wrong
• Non-blocking secrets→A3S pipeline: Secrets scan failure (exit 51) blocks A3S; other errors pass through silently to avoid breaking workflows
• Hook template changes: Old scripts using sonar analyze --file must be auto-rewritten to sonar analyze secrets --file during migration
• Global vs project hook placement: Secrets hooks can be global; A3S hooks are always project-local with relative paths

Start review at: src/cli/commands/analyze/secrets.ts. This file implements both the new analyzeA3s and analyzeFile commands with all validation, auth resolution, and API orchestration logic. It's the behavioral core of the

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
94.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud