1.1.0.3122

@kirill-knize-sonarsource kirill-knize-sonarsource released this 22 Jun 15:04
Immutable release. Only release title and notes can be modified.
7f2f145

SonarQube CLI v1.1.0

SonarQube CLI 1.1 adds native CLI integration with Antigravity (formerly Gemini CLI) and Cursor, brings dependency risk scanning into the git pre-commit hook, and ships several security fixes.

Features

  • sonar integrate antigravity — Antigravity support: Integrates SonarQube into Antigravity (Google's successor to Gemini CLI) by installing secrets hooks, Agentic Analysis instructions, and the SonarQube MCP server. Supports both project and global scope.
  • sonar integrate Cursor — Cursor support: Integrates SonarQube into Cursor by installing beforeReadFile and preToolUse hooks to intercept file reads for secret scanning, including a fix for Windows. Added a custom rule to run Agentic Analysis on files edited by agents.
  • Dependency risks in git pre-commit hook: sonar integrate git --dependency-risks adds an optional SCA scan to the pre-commit hook alongside secrets scanning. The hook aborts the commit before running SCA if manifest files contain secrets.
  • Severity filter for dependency risks: sonar analyze dependency-risks accepts a --severities flag to filter results to specific risk severities.
  • Automatic project discovery in pre-commit hook: The pre-commit hook now auto-discovers the SonarQube project key from Git remotes, removing the need to configure it manually.
  • SQAA multi-file analysis: Agentic Analysis now sends change sets as chunked multi-file requests for more efficient and accurate analysis.
  • Old SonarQube Server severities: The CLI now correctly handles and displays severity values from older SonarQube Server versions.
  • Documentation moved to sonarsource.com: cli.sonarqube.com now redirects to the official docs at sonarsource.com/sonarqube/cli.

Bug Fixes

  • [Security] Bearer token leak via HTTP redirect: The CLI no longer forwards Authorization headers when following HTTP redirects to a different host, preventing token exfiltration.
  • [Security] PostToolUse hook path traversal: The PostToolUse hook now restricts file reads to within the project directory, preventing access to files outside the project scope.
  • OAuth callback on IPv6: Fixed an OAuth callback failure when the loopback address resolves to an IPv6 address.
  • TAR extractor long filename handling: Fixed a POSIX compliance issue in the TAR parser where filenames longer than 100 characters were incorrectly parsed.
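
The redirect fix listed under Bug Fixes, shown as an added JavaScript example that is not SonarQube CLI code: a redirect policy that strips credential headers as soon as a hop leaves the original endpoint. It compares full origins (scheme, host and port), which is stricter than the "different host" wording of the note; the function names, hostnames and token are constructed for illustration.

```javascript
// Added example; function names and hosts are constructed, not SonarQube CLI code.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Compute the URL and headers for the next request after a 3xx response.
function nextHop(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // handles relative and "//host/path" values
  if (to.protocol !== "https:" && to.protocol !== "http:") {
    throw new Error(`refusing redirect to scheme ${to.protocol}`);
  }
  // Origin = scheme + host + port, so an https -> http downgrade on the
  // same host also counts as leaving the trusted endpoint.
  const sameOrigin = from.origin === to.origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return { url: to.href, headers: kept };
}

// Replay a chain of Location values and report what each hop would receive.
// Headers dropped at one hop stay dropped, even if the chain returns to the start host.
function replayRedirects(startUrl, headers, locations, maxHops = 5) {
  if (locations.length > maxHops) throw new Error("too many redirects");
  const hops = [{ url: startUrl, headers: { ...headers } }];
  for (const location of locations) {
    const prev = hops[hops.length - 1];
    hops.push(nextHop(prev.url, location, prev.headers));
  }
  return hops;
}

// Constructed sample: a redirect within the host, then to another host, then back.
const sample = replayRedirects(
  "https://sonar.example.test/api/issues",
  { Authorization: "Bearer CONSTRUCTED-TOKEN", Accept: "application/json" },
  ["/api/v2/issues", "https://files.example.net/export", "https://sonar.example.test/done"]
);
for (const hop of sample) {
  console.log(hop.url, "Authorization" in hop.headers ? "auth sent" : "auth stripped");
}
```

Keeping the header stripped after the chain returns to the starting host is a deliberate choice here: once an untrusted hop has steered the request, the rest of the chain is treated as untrusted too.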