SonarQube MCP Server

Official SonarSource MCP server that connects AI agents to SonarQube Server or Cloud for code quality analysis, security scanning, and issue management.

Overview

The SonarQube MCP Server is the official Model Context Protocol integration maintained by SonarSource. It bridges AI coding agents with SonarQube Server or SonarQube Cloud so they can analyze code snippets, search and triage issues, review security hotspots, inspect quality gate status, and explore project metrics directly from the agent context.

Beyond the standard code-quality workflows, the server includes Context Augmentation tools that let agents trace upstream and downstream call flows, navigate type hierarchies, and search by code signature patterns. It also exposes dependency risk scanning (SCA) for enterprise deployments, pull request analysis, webhook management, and coverage and duplication insights. Analysis works across 20+ languages supported by SonarQube.

The server is distributed as an official Docker image (mcp/sonarqube) and supports stdio, HTTP, and HTTPS transports. It works with Claude Desktop, Claude Code, Cursor, VS Code with GitHub Copilot, Codex CLI, Gemini CLI, Windsurf, Kiro, Zed, and other MCP-compatible clients. It is published under the SONAR Source-Available License v1.0.

Tools

  • analyze_code_snippet: Analyzes a code snippet for quality and security issues using SonarQube rules.
  • run_advanced_code_analysis: Runs advanced SonarQube Cloud analysis (requires organization entitlement).
  • analyze_file_list: Analyzes a list of files using SonarQube for IDE integration.
  • search_sonar_issues_in_projects: Searches issues across projects with filters (severity, type, assignee, etc.).
  • change_sonar_issue_status: Updates an issue's status: accept, falsepositive, or reopen.
  • get_project_quality_gate_status: Returns the quality gate compliance status for a project.
  • search_security_hotspots: Locates security hotspots in a project.
  • show_security_hotspot: Returns detailed information for a specific security hotspot.
  • change_security_hotspot_status: Updates the review status of a security hotspot.
  • search_dependency_risks: SCA vulnerability analysis (Server 2025.4+ Enterprise).
  • search_files_by_coverage: Finds files below a coverage threshold.
  • get_file_coverage_details: Returns line-by-line coverage data for a file.
  • get_component_measures: Retrieves metrics for a project or component.
  • search_duplicated_files: Finds duplicated code blocks across files.
  • search_my_sonarqube_projects: Lists SonarQube projects accessible to the authenticated user.
  • list_pull_requests: Lists pull requests analyzed for a project.
  • list_quality_gates: Lists available quality gate configurations.
  • show_rule: Displays the definition and details of a SonarQube rule.
  • search_by_signature_patterns: Context Augmentation: finds code elements matching regex signatures.
  • get_upstream_call_flow: Context Augmentation: traces functions that call a given symbol.
  • get_downstream_call_flow: Context Augmentation: traces functions called by a given symbol.
  • get_type_hierarchy: Context Augmentation: returns the inheritance hierarchy of a type.
  • list_languages: Lists programming languages supported for analysis.
  • get_raw_source: Returns the raw source code for a file in SonarQube.
  • get_scm_info: Returns SCM blame/metadata for a file.
  • create_webhook: Creates a webhook for project events.
  • list_webhooks: Lists configured webhooks.
  • list_portfolios: Lists portfolios available to the user.
  • list_enterprises: Lists enterprises available to the user.

Setup Guide

Prerequisites

  • Docker installed locally
  • A SonarQube Cloud account, or a SonarQube Server instance (Community, Developer, Enterprise, or Data Center Edition)
  • A SonarQube user token. For Server, a user-type token is required (project/global tokens are not supported)
  • For Cloud: your organization key
  • For Server: the URL of your SonarQube instance

Quickest setup

SonarSource provides an interactive config generator at https://mcp.sonarqube.com/config-generator.html that produces the exact JSON block for your client and deployment.

Claude Desktop / Claude Code (SonarQube Cloud)

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run", "--init", "--pull=always", "-i", "--rm",
        "-e", "SONARQUBE_TOKEN",
        "-e", "SONARQUBE_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YOUR_TOKEN>",
        "SONARQUBE_ORG": "<YOUR_ORG_KEY>"
      }
    }
  }
}

SonarQube Server

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run", "--init", "--pull=always", "-i", "--rm",
        "-e", "SONARQUBE_TOKEN",
        "-e", "SONARQUBE_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<USER_TOKEN>",
        "SONARQUBE_URL": "https://sonarqube.example.com"
      }
    }
  }
}

Environment variables

  • SONARQUBE_TOKEN: Authentication token (required)
  • SONARQUBE_ORG: Cloud organization key (Cloud only)
  • SONARQUBE_URL: Server URL (Server only)
  • SONARQUBE_PROJECT_KEY: Optional default project
  • SONARQUBE_TOOLSETS: Comma-separated subset of toolsets to enable
  • SONARQUBE_READ_ONLY: Set to true to disable mutating tools
  • SONARQUBE_IDE_PORT: Port for IDE integration mode

Optional: mount your workspace

Reduce context overhead by letting the server read files directly from disk. Add a bind-mount flag to the docker run arguments (in the JSON config above, as two array entries placed before the image name):

-v /path/to/project:/app/mcp-workspace

Cursor and VS Code with GitHub Copilot are also supported via the one-click install badges in the official README.

Use Cases
  • Have the agent run analyze_code_snippet on a function before opening a PR and apply fixes for any issues SonarQube reports
  • Triage the backlog: search open issues in a project, mark false positives, and reopen incorrectly closed ones with search_sonar_issues_in_projects and change_sonar_issue_status
  • Review and resolve security hotspots during code review using search_security_hotspots, show_security_hotspot, and change_security_hotspot_status
  • Gate releases by checking get_project_quality_gate_status and surfacing failing metrics from get_component_measures to the team
  • Audit dependency risks (SCA) on enterprise projects with search_dependency_risks and trace impact using the call-flow and type-hierarchy tools

Example Prompts
  • "Analyze the file src/auth/login.ts for security issues using SonarQube and fix any blocker or critical findings."
  • "List all open issues in the payments-api project assigned to me, sorted by severity."
  • "Show open security hotspots in frontend-web and mark the false positives with a justification."
  • "Has the checkout-service project passed its quality gate on the latest analysis? If not, tell me which conditions failed."
  • "Find all files in inventory-service with code coverage below 70% and propose unit tests for the riskiest ones."

Pros
  • Official, maintained by SonarSource with first-party support for both SonarQube Server and SonarQube Cloud
  • Broad tool coverage: analysis, issues, hotspots, quality gates, coverage, duplication, webhooks, portfolios, and SCA dependency risks
  • Context Augmentation tools (call flow, type hierarchy, signature search) help agents reason about architecture, not just findings
  • Distributed as an official Docker image with stdio, HTTP, and HTTPS transports and a web-based config generator

Limitations
  • Some tools require paid tiers: advanced analysis needs SonarQube Cloud entitlement, and search_dependency_risks requires SonarQube Server 2025.4+ Enterprise
  • Requires Docker and a SonarQube account or self-hosted instance; no zero-install remote endpoint
  • Distributed under the SONAR Source-Available License v1.0 rather than a standard OSI license, which restricts competitive use