
CLI-620 beforePromptSubmit hook for Cursor #436

Open

sophio-japharidze-sonarsource wants to merge 1 commit into master from CLI-620_cursor_promptSubmit_hook

Conversation

@sophio-japharidze-sonarsource (Contributor)

Add a new feature to `sonar integrate cursor`: scanning prompts for secrets

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jun 10, 2026


CLI-620

@netlify

netlify Bot commented Jun 10, 2026


Deploy Preview for sonarqube-cli canceled.

🔨 Latest commit: a31f8aa
🔍 Latest deploy log: https://app.netlify.com/projects/sonarqube-cli/deploys/6a29756b86e40b00083a3dfc

@netlify

netlify Bot commented Jun 10, 2026


Deploy Preview for sonarqube-cli canceled.

🔨 Latest commit: 660161d
🔍 Latest deploy log: https://app.netlify.com/projects/sonarqube-cli/deploys/6a2ace3cbfd1c600083e835f

@sonarqubecloud


Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

1 issue(s) found across 1 file(s):

| Rule | File | Line | Message |
|---|---|---|---|
| typescript:S109 | tests/integration/specs/hook/hook-cursor-prompt-submit.test.ts | 168 | No magic number: 0o644. |

Analyzed by SonarQube Agentic Analysis in 2.9 s

@sophio-japharidze-sonarsource sophio-japharidze-sonarsource marked this pull request as ready for review June 11, 2026 15:03
@gitar-bot

gitar-bot Bot commented Jun 11, 2026

CI failed: An integration test in the analyze-sqaa suite timed out during hook execution when simulating an on-premise connection. This appears to be a resource contention or cleanup issue in the test harness rather than a regression from the Cursor hook implementation.

Overview

A single integration test failure was identified in the analyze-sqaa test suite. The build failed due to a beforeEach hook timeout occurring specifically during an on-premise connection scenario, which does not appear to be directly related to the changes introduced in this PR.

Failures

Integration test hook timeout (confidence: high)

  • Type: test
  • Affected jobs: 80832321994
  • Related to change: no
  • Root cause: A beforeEach hook in tests/integration/specs/analyze/analyze-sqaa.test.ts timed out while setting up or tearing down an on-premise connection mock, indicating a potential deadlock or resource leak in the test environment.
  • Suggested fix: Investigate the beforeEach hook lifecycle in analyze-sqaa.test.ts. Ensure that all mock servers and child processes associated with on-premise simulation are properly terminated. If the issue persists, consider increasing the timeout specifically for this test case or debugging the connection teardown logic.

Summary

  • Change-related failures: 0
  • Infrastructure/flaky failures: 1 (Integration test hook timeout)
  • Recommended action: Review the analyze-sqaa.test.ts integration test suite. This failure is likely an environmental or test-harness flakiness unrelated to the beforePromptSubmit hook implementation. Re-running the CI job may resolve the issue if it is non-deterministic.
Code Review ✅ Approved 2 resolved / 2 findings

Implements the beforePromptSubmit hook for Cursor to enable secret scanning on prompts and refactors MCP configuration helpers. All previous findings regarding payload naming and feature advertising have been addressed.

✅ 2 resolved
Quality: cursor command advertises SQAA/CAG it doesn't install

📄 src/cli/commands/integrate/cursor/declaration.ts:64-78
The integrate cursor command description states it "will configure the SonarQube MCP Server, install secrets scanning hooks, and configure SonarQube Agentic Analysis", and it declares a --skip-context option ("Skip the sonar-context-augmentation install/init/skill step"). However, cursorIntegration.features in src/cli/commands/integrate/cursor/declaration.ts only contains the sonar-secrets-prompt-hook and mcp-server features — there is no Context Augmentation (CAG) or SQAA feature (unlike Claude/Codex which call createContextAugmentationFeature). As a result --skip-context is a no-op and the description over-promises.

The test file comment confirms this is intentional staging ("Hook and CAG tests are added in subsequent PRs") and the command is hidden until GA, so impact is low. Consider trimming the description to mention only what is actually configured (MCP server + secrets hook) and dropping/documenting --skip-context until CAG is wired up, to avoid confusing users who run the hidden command.

Bug: Verify Cursor block payload field name user_message

📄 src/cli/commands/hook/cursor-prompt-submit.ts:56-61
cursorPromptSubmit emits { "continue": false, "user_message": "Sonar detected secrets in prompt" } to block a prompt. The integration test only round-trips the CLI's own output (output.user_message), so it does not validate the field name against Cursor's actual hook contract. If Cursor expects camelCase (userMessage) rather than snake_case (user_message), the prompt would still be blocked (continue: false takes effect) but the explanatory message may not be surfaced to the user. Please verify the exact field name against Cursor's hooks schema (https://cursor.com/docs/agent/hooks) and adjust if needed.

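As an added example (not the sonarqube-cli project's code and not part of this PR), the following is a minimal decision function for a Cursor beforePromptSubmit hook that produces the `{ "continue": false, "user_message": "Sonar detected secrets in prompt" }` shape the review above discusses. The input field `prompt`, the three detector patterns and the sample prompts are assumptions constructed for illustration; as the review notes, the `user_message` field name still has to be checked against Cursor's hooks schema before relying on it.

```typescript
// Added example, not code from the sonarqube-cli project or this PR.
// Shows the block/allow decision a Cursor beforePromptSubmit hook can return
// after scanning the prompt text for secret-like material.

interface PromptSubmitInput {
  // Assumed field name; Cursor's actual payload shape is not on this page.
  prompt: string;
}

interface HookDecision {
  continue: boolean;
  // Field name as used by the PR under review; verify against Cursor's hooks schema.
  user_message?: string;
}

interface SecretRule {
  name: string;
  pattern: RegExp;
}

// Constructed detectors for illustration only: an AWS-style access key id,
// a generic "password = ..." assignment, and a PEM private-key header.
const SECRET_RULES: SecretRule[] = [
  { name: "aws-access-key-id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "generic-password", pattern: /\bpassword\s*[=:]\s*\S{8,}/i },
  { name: "private-key-block", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Returns the names of every rule that matches somewhere in the prompt.
function findSecrets(prompt: string): string[] {
  return SECRET_RULES.filter((rule) => rule.pattern.test(prompt)).map((rule) => rule.name);
}

// Builds the hook decision: allow when nothing matched, otherwise block with
// a short message. The matched secret is deliberately not echoed back, so the
// hook output itself never becomes a second place the secret is written.
function decide(input: PromptSubmitInput): HookDecision {
  const hits = findSecrets(input.prompt);
  if (hits.length === 0) {
    return { continue: true };
  }
  return { continue: false, user_message: "Sonar detected secrets in prompt" };
}

// Serialises the decision exactly as a hook would write it to stdout.
function render(decision: HookDecision): string {
  return JSON.stringify(decision);
}

// Stand-alone demonstration on two constructed prompts.
const clean = decide({ prompt: "Refactor this function to use async/await" });
const blocked = decide({ prompt: "use key AKIAABCDEFGHIJKLMNOP to call S3" });
console.log(render(clean));
console.log(render(blocked));
```

In a real hook entry point the JSON payload would be read from stdin, passed to `decide`, and the result of `render` written to stdout; the scanning logic itself stays a pure function so it can be unit-tested without spawning the CLI, which is also what makes the field-name question raised above easy to pin down in one place.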

@sonarqubecloud


Quality Gate failed

Failed conditions
79.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud
