
How to add SonarQube MCP Server to Windsurf
Official SonarQube MCP server: bring code quality, security, and coverage analysis from SonarQube Server or Cloud into AI agents. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 586★ · stdio · apikey
Windsurf config for SonarQube MCP Server
docker pull sonarsource/sonarqube-mcp

{
  "mcpServers": {
    "sonarqube-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "sonarsource/sonarqube-mcp"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<your-token>",
        "SONARQUBE_ORG": "<your-org>"
      }
    }
  }
}

Requires Docker to be installed and running.
Setup steps
1. Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
2. Paste the SonarQube MCP Server config above under the "mcpServers" key.
3. Fill in the placeholder secrets (SONARQUBE_TOKEN and SONARQUBE_ORG, or SONARQUBE_URL for SonarQube Server), then save.
4. Click Refresh in the MCP panel.
5. SonarQube MCP Server's tools become available to Cascade.
Before you start
- Docker (or another OCI-compatible runtime such as Podman/nerdctl), or Java 21+ to run the standalone JAR
- A SonarQube Cloud or SonarQube Server account
- A SonarQube token (SONARQUBE_TOKEN); for SonarQube Server it must be a USER token
- For SonarQube Cloud: your organization key (SONARQUBE_ORG); for SonarQube Server: your server URL (SONARQUBE_URL)
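The setup steps and prerequisites above, carried out as an added Python example (this is not code from SonarSource or Windsurf): it builds the "sonarqube-mcp-server" entry for either SonarQube Cloud or SonarQube Server from environment variables, following the rule that SONARQUBE_ORG selects Cloud and SONARQUBE_URL is otherwise required, puts the token only in the "env" block (the docker args carry just the variable names), merges the entry into an existing mcp_config.json without dropping other servers, and writes the file owner-readable only. The function names, the atomic write through a temporary file, and the optional SONARQUBE_IMAGE_DIGEST variable used to pin the image are assumptions of this example, not part of the server's documented configuration.

```python
"""Install the SonarQube MCP Server entry into Windsurf's mcp_config.json.

Added example (not SonarSource or Windsurf code). Assumed, not from the page:
the function names, the SONARQUBE_IMAGE_DIGEST variable for pinning the
image, and the temp-file + os.replace atomic write.
"""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

IMAGE = "sonarsource/sonarqube-mcp"
SERVER_KEY = "sonarqube-mcp-server"
DEFAULT_CONFIG = Path.home() / ".codeium" / "windsurf" / "mcp_config.json"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def build_server_entry(env) -> dict:
    """Build the mcp_config.json entry from a mapping such as os.environ.

    Target selection follows the stdio rule: SONARQUBE_ORG set means SonarQube
    Cloud, otherwise SonarQube Server, which needs SONARQUBE_URL (Cloud US sets
    both, with SONARQUBE_URL=https://sonarqube.us). The token and org/URL go
    only into the "env" block; the docker args carry just the variable names
    (-e NAME), so the secret never appears on the command line.
    """
    token = env.get("SONARQUBE_TOKEN", "").strip()
    if not token:
        raise ValueError("SONARQUBE_TOKEN is required")
    org = env.get("SONARQUBE_ORG", "").strip()
    url = env.get("SONARQUBE_URL", "").strip()
    if not org and not url:
        raise ValueError("set SONARQUBE_ORG (Cloud) or SONARQUBE_URL (Server)")
    if url and not url.startswith("https://"):
        raise ValueError("SONARQUBE_URL must be https:// so the token is not sent in clear")

    passthrough = {"SONARQUBE_TOKEN": token}
    if org:
        passthrough["SONARQUBE_ORG"] = org
    if url:
        passthrough["SONARQUBE_URL"] = url

    # Optional supply-chain pin (assumed variable): with a digest, --pull=always
    # re-resolves to exactly that image instead of whatever "latest" is today.
    digest = env.get("SONARQUBE_IMAGE_DIGEST", "").strip()
    if digest and not DIGEST_RE.match(digest):
        raise ValueError("SONARQUBE_IMAGE_DIGEST must look like sha256:<64 hex chars>")
    image = f"{IMAGE}@{digest}" if digest else IMAGE

    args = ["run", "--init", "--pull=always", "-i", "--rm"]
    for name in passthrough:
        args += ["-e", name]  # name only: docker copies the value from the env block
    args.append(image)
    return {"command": "docker", "args": args, "env": passthrough}


def merge_into_config(existing: dict, entry: dict) -> dict:
    """Add or replace our entry under "mcpServers", keeping every other server."""
    merged = dict(existing)
    servers = dict(merged.get("mcpServers") or {})
    servers[SERVER_KEY] = entry
    merged["mcpServers"] = servers
    return merged


def install(env, path: Path = DEFAULT_CONFIG) -> dict:
    """Merge the entry into mcp_config.json and write it atomically, mode 0600."""
    existing = json.loads(path.read_text()) if path.exists() else {}
    merged = merge_into_config(existing, build_server_entry(env))
    path.parent.mkdir(parents=True, exist_ok=True)
    # mkstemp creates the file 0600; writing there and then os.replace means
    # Windsurf never sees a half-written file and the token is never
    # world-readable on disk, even for a moment.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".mcp_config.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(merged, f, indent=2)
            f.write("\n")
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return merged


def describe(entry: dict) -> str:
    """One-line, token-free summary that is safe to print or log."""
    target = "SonarQube Cloud" if "SONARQUBE_ORG" in entry["env"] else "SonarQube Server"
    return f"{target} via {entry['args'][-1]} (token in env block, not in args)"


if __name__ == "__main__":
    result = install(os.environ)
    print("wrote", DEFAULT_CONFIG, "->", describe(result[SERVER_KEY]))
```

Run it with the variables exported in your shell (`export SONARQUBE_TOKEN=...` rather than passing them on the command line), then click Refresh in Windsurf's MCP panel as in step 4. The merge step matters because Windsurf keeps every MCP server in the same file; overwriting it wholesale would silently remove the others.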
What SonarQube MCP Server can do in Windsurf
analyze_code_snippet: Analyze file content with SonarQube analyzers to identify code quality and security issues; optionally filter results to a specific code snippet. Reads from a mounted workspace via filePath, or accepts full fileContent.
analyze_file_list: Analyze files in the current working directory using a running SonarQube for IDE instance (available when SonarQube for IDE integration is enabled).
toggle_automatic_analysis: Enable or disable SonarQube for IDE automatic analysis of files as they are modified.
run_advanced_code_analysis: Run advanced code analysis on SonarQube Cloud for a single file (requires org entitlement and a mounted workspace).
search_files_by_coverage: Search for files in a project sorted by coverage (worst first) to identify files needing test coverage improvements.
get_file_coverage_details: Get line-by-line coverage for a file, including uncovered lines and partially covered branches.
search_dependency_risks: Search software composition analysis (SCA) issues / dependency risks for a project, application, or portfolio (SonarQube Server Enterprise with Advanced Security).
list_enterprises: List enterprises available in SonarQube Cloud that you have access to (returns enterprise IDs for use with other tools).
Security
Your SonarQube token is a sensitive credential. Never pass it as a command-line argument: arguments end up in shell history and are visible to other local users in process listings. Pass it through an environment variable instead, which is what the `-e SONARQUBE_TOKEN` form in the config above does (Docker copies the variable from the client's environment, so the value never appears in the command line). Never commit tokens to version control, and use environment-variable substitution in config files. Note that the config above still stores the literal token in ~/.codeium/windsurf/mcp_config.json, so keep that file readable only by your user. For SonarQube Server, the token must be a USER token (project or global tokens will not work). In Streamable HTTP/HTTPS mode the server is stateless and each request must carry the user's own token via an `Authorization: Bearer <token>` header; HTTPS with TLS is recommended for multi-user production deployments. Because the config runs `--pull=always` against an untagged image, every start fetches whatever the registry currently serves as `latest`; to run a known build, reference the image by digest (`sonarsource/sonarqube-mcp@sha256:...`) instead. The server collects anonymous usage telemetry (no source code or IP) which can be disabled with `TELEMETRY_DISABLED=true`.
SonarQube MCP Server + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the SonarQube MCP Server config there under the "mcpServers" key and restart the client.
Is SonarQube MCP Server safe to use with Windsurf?
Yes, provided you handle the token as described under Security above: keep it out of command-line arguments and version control, restrict read access to mcp_config.json since it holds the token in clear, use a USER token for SonarQube Server, require per-request `Authorization: Bearer <token>` headers over HTTPS in Streamable HTTP mode, and set `TELEMETRY_DISABLED=true` if you do not want anonymous usage telemetry sent.
Do I connect to SonarQube Cloud or SonarQube Server?
Both are supported. In stdio mode the presence of SONARQUBE_ORG determines the target: if SONARQUBE_ORG is set, SonarQube Cloud is used; otherwise SonarQube Server is used (set SONARQUBE_URL to your server URL). For SonarQube Cloud US, set SONARQUBE_URL=https://sonarqube.us.
What token do I need?
A SonarQube token via SONARQUBE_TOKEN. For SonarQube Cloud, a personal/account token plus your organization key (SONARQUBE_ORG). For SonarQube Server, the token must be a USER token (project or global tokens will not work) plus your server URL (SONARQUBE_URL).
Can I run it without Docker?
Yes. You can download a pre-built standalone JAR from the SonarSource binaries repository and run it with `java -jar` using Java 21 or later (set STORAGE_PATH plus your token/org or URL). You can also build it from source with Gradle.