SonarQube MCP Server

Official SonarQube MCP server: bring code quality, security, and coverage analysis from SonarQube Server or Cloud into AI agents.

Unverified
stdio (local)
API key
Java

Add to your client

Copy the config for your MCP client and paste it into its config file.

Install / run
docker pull sonarsource/sonarqube-mcp

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "sonarqube-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "sonarsource/sonarqube-mcp"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<your-token>",
        "SONARQUBE_ORG": "<your-org>"
      }
    }
  }
}

Requires Docker to be installed and running.

Before you start

  • Docker (or another OCI-compatible runtime such as Podman/nerdctl), or Java 21+ to run the standalone JAR
  • A SonarQube Cloud or SonarQube Server account
  • A SonarQube token (SONARQUBE_TOKEN); for SonarQube Server it must be a USER token
  • For SonarQube Cloud: your organization key (SONARQUBE_ORG); for SonarQube Server: your server URL (SONARQUBE_URL)

About SonarQube MCP Server

Official SonarSource MCP server that integrates SonarQube Server or SonarQube Cloud with AI agents for code quality and security. It exposes tools to search/manage issues, review Security Hotspots, check quality gates, retrieve measures and metrics, find coverage gaps and duplications, analyze dependency risks (SCA), browse projects/branches/pull requests, and analyze code snippets or files directly in the agent context. Runs via the sonarsource/sonarqube-mcp container image (or a standalone JAR with Java 21+) and supports stdio and Streamable HTTP/HTTPS transports.

Tools & capabilities (48)

analyze_code_snippet

Analyze file content with SonarQube analyzers to identify code quality and security issues; optionally filter results to a specific code snippet. Reads from a mounted workspace via filePath, or accepts full fileContent.

analyze_file_list

Analyze files in the current working directory using a running SonarQube for IDE instance (available when SonarQube for IDE integration is enabled).

toggle_automatic_analysis

Enable or disable SonarQube for IDE automatic analysis of files as they are modified.

run_advanced_code_analysis

Run advanced code analysis on SonarQube Cloud for a single file (requires org entitlement and a mounted workspace).

search_files_by_coverage

Search for files in a project sorted by coverage (worst first) to identify files needing test coverage improvements.

get_file_coverage_details

Get line-by-line coverage for a file, including uncovered lines and partially covered branches.

search_dependency_risks

Search software composition analysis (SCA) issues / dependency risks for a project, application, or portfolio (SonarQube Server Enterprise with Advanced Security).

list_enterprises

List enterprises available in SonarQube Cloud that you have access to (returns enterprise IDs for use with other tools).

change_sonar_issue_status

Change the status of a SonarQube issue to accept, falsepositive, or reopen.

search_sonar_issues_in_projects

Search for SonarQube issues across your organization's projects, with filters for severity, software quality, status, branch, and pull request.

search_security_hotspots

Search for Security Hotspots in a project, with filters for status, resolution, files, branch, and new-code period.

show_security_hotspot

Get detailed information about a specific Security Hotspot, including rule details, code context, flows, and comments.

change_security_hotspot_status

Review a Security Hotspot by changing its status (TO_REVIEW / REVIEWED, with a resolution when reviewed).

list_languages

List all programming languages supported in the SonarQube instance.

get_component_measures

Get SonarQube measures for a component (project, directory, or file).

search_metrics

Search for SonarQube metrics (paginated).

list_portfolios

List enterprise portfolios available in SonarQube with filtering and pagination (Cloud and Server).

search_my_sonarqube_projects

Find SonarQube projects (paginated).

list_branches

List long-lived branches for a project (names safe for the branch parameter on other tools).

list_pull_requests

List all pull requests for a project; returns pull request keys/IDs usable with other tools.

get_project_quality_gate_status

Get the Quality Gate status for a SonarQube project (by branch, pull request, project key/ID, or analysis ID).

list_quality_gates

List all quality gates in your SonarQube instance.

show_rule

Show detailed information about a SonarQube rule by key.

search_duplicated_files

Search for files with code duplications in a project (auto-paginates by default).

get_duplications

Get duplications for a specific file (requires Browse permission on the file's project).

get_raw_source

Get source code as raw text from SonarQube (requires See Source Code permission).

get_scm_info

Get SCM (commit) information for SonarQube source files.

get_system_health

Get the health status (GREEN/YELLOW/RED) of a SonarQube Server instance.

get_system_info

Get detailed SonarQube Server system configuration (JVM, database, search indexes, settings); requires Administer permissions.

get_system_logs

Get SonarQube Server system logs in plain text (access, app, ce, deprecation, es, web).

ping_system

Ping the SonarQube Server system to check if it's alive (returns 'pong').

get_system_status

Get state information about SonarQube Server (status, version, id).

create_webhook

Create a new webhook for a SonarQube organization or project (requires Administer permission).

list_webhooks

List all webhooks for a SonarQube organization or project (requires Administer permission).

search_by_signature_patterns

Context Augmentation: find code elements (classes, methods, interfaces) by their declaration signatures using regex patterns.

search_by_body_patterns

Context Augmentation: find code elements by their implementation body using regex patterns.

get_upstream_call_flow

Context Augmentation: trace what functions call a given function (callers and entry points).

get_downstream_call_flow

Context Augmentation: trace what functions a given function calls (impact analysis and execution flow).

get_source_code

Context Augmentation: get complete source code (signature and body) for a code element by its fully qualified name.

get_type_hierarchy

Context Augmentation: get the full inheritance hierarchy for a class-like structure.

get_references

Context Augmentation: get direct inbound and outbound code references for a class or module.

get_current_architecture

Context Augmentation: get a hierarchical architecture graph filtered by path prefix and depth.

get_intended_architecture

Context Augmentation: get user-defined architectural constraints (allowed module dependencies).

get_guidelines

Context Augmentation: get coding guidelines based on project issues, catalog categories, or a combination.

check_dependency

Context Augmentation: check a third-party dependency (by purl) for security vulnerabilities, supply-chain malware, and license compliance.

start_agentic_readiness_assessment

Start an agentic readiness assessment for a project (SonarQube Cloud, requires org entitlement); returns an assessmentId.

get_agentic_readiness_assessment

Retrieve the result of an agentic readiness assessment by assessmentId (poll until completed).

list_agentic_readiness_assessments

List all agentic readiness assessments for a project (newest first).

When to use it

  • Understand and fix a failing quality gate before merging a pull request or releasing
  • Triage and fix the highest-priority issues, code smells, and security vulnerabilities flagged by SonarQube
  • Identify files with the lowest test coverage and pinpoint exact uncovered lines to add tests
  • Review Security Hotspots and dependency risks (SCA) to prepare for a security audit
  • Analyze a code snippet or file on the fly for quality and security issues during code review
  • Generate project health reports (quality gate status, bugs, hotspots, coverage) and compare branches

Security notes

Your SonarQube token is a sensitive credential. Avoid passing tokens as command-line arguments (they are saved in shell history); prefer environment variables. Never commit tokens to version control, and use environment-variable substitution in config files. For SonarQube Server, the token must be a USER token (project or global tokens will not work). In Streamable HTTP/HTTPS mode the server is stateless and each request must carry the user's own token in an `Authorization: Bearer <token>` header; HTTPS with TLS is recommended for multi-user production deployments. The server collects anonymous usage telemetry (no source code or IP addresses), which can be disabled with `TELEMETRY_DISABLED=true`.

SonarQube MCP Server FAQ

Do I connect to SonarQube Cloud or SonarQube Server?

Both are supported. In stdio mode the presence of SONARQUBE_ORG determines the target: if SONARQUBE_ORG is set, SonarQube Cloud is used; otherwise SonarQube Server is used (set SONARQUBE_URL to your server URL). For SonarQube Cloud US, set SONARQUBE_URL=https://sonarqube.us.

What token do I need?

A SonarQube token via SONARQUBE_TOKEN. For SonarQube Cloud, a personal/account token plus your organization key (SONARQUBE_ORG). For SonarQube Server, the token must be a USER token (project or global tokens will not work) plus your server URL (SONARQUBE_URL).

Can I run it without Docker?

Yes. You can download a pre-built standalone JAR from the SonarSource binaries repository and run it with `java -jar` using Java 21 or later (set STORAGE_PATH plus your token/org or URL). You can also build it from source with Gradle.

How do I limit which tools are exposed?

Use SONARQUBE_TOOLSETS to enable only specific toolsets (e.g. analysis,issues,quality-gates; the projects toolset is always enabled). Set SONARQUBE_READ_ONLY=true to disable all write operations. In Streamable HTTP mode these can also be sent as per-request headers to further narrow scope (but not expand it).

Does it support remote/multi-user deployments?

Yes. Set SONARQUBE_TRANSPORT=http or https to enable Streamable HTTP transport; clients connect to /mcp and must send their own token via an `Authorization: Bearer <token>` header. HTTPS with TLS is recommended for multi-user production deployments.
