Labsco
SonarSource logo

SonarQube

β˜… 588

from SonarSource

Provides seamless integration with SonarQube Server or Cloud, and enables analysis of code snippets directly within the agent context

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

SonarQube MCP Server

Build Quality Gate Status

The SonarQube MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with SonarQube Server or Cloud for code quality and security. It also supports the analysis of code snippet directly within the agent context.

Integration with SonarQube for IDE

The SonarQube MCP Server can integrate with SonarQube for IDE to further enhance your development workflow, providing better code analysis and insights directly within your IDE.

<details> <summary>Configuration</summary>

When using SonarQube for IDE, the SONARQUBE_IDE_PORT environment variable should be set with the correct port number. SonarQube for VS Code includes a Quick Install button, which automatically sets the correct port configuration.

For example, with SonarQube Cloud:

Copy & paste β€” that's it
{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "--init",
      "--pull=always",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_ORG",
      "-e",
      "SONARQUBE_IDE_PORT",
      "sonarsource/sonarqube-mcp"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>",
      "SONARQUBE_IDE_PORT": "<64120-64130>"
    }
  }
}

When running the MCP server in a container on Linux, the container cannot access the SonarQube for IDE embedded server running on localhost. To allow the container to connect to the SonarQube for IDE server, add the --network=host option to your container run command.

</details>

Tools

Analysis

  • analyze_code_snippet - Analyze file content with SonarQube analyzers to identify code quality and security issues. Always analyzes the complete file content for accuracy. Optionally filter results to a specific code snippet.

    Usage:

    • With workspace mounted (recommended): pass filePath (project-relative) β€” the server reads the file directly, keeping file content out of the agent context window
    • Without workspace mount: pass complete fileContent for full file analysis (reports all issues)
    • Add optional codeSnippet to filter results - only issues within the snippet will be reported (snippet location auto-detected)

    Parameters:

    • projectKey - The SonarQube project key - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • filePath - Project-relative path of the file to analyze (e.g., src/main/java/MyClass.java). Used when the workspace is mounted at /app/mcp-workspace - String
    • fileContent - Complete file content as a string. Required when workspace is not mounted - String
    • codeSnippet - Code snippet to filter issues (must match content in fileContent) - String
    • language - Language of the code (e.g., 'java', 'python', 'js', 'ts', 'tsx', 'jsx') - String
    • scope - Scope of the file: MAIN or TEST (default: MAIN) - String

    Supported Languages: Java, Kotlin, Python, Ruby, Go, JavaScript (js, jsx), TypeScript (ts, tsx), JSP, PHP, XML, HTML, CSS, CloudFormation, Kubernetes, Terraform, Azure Resource Manager, Ansible, Docker, Secrets detection

When integration with SonarQube for IDE is enabled:

  • analyze_file_list - Analyze files in the current working directory using SonarQube for IDE. This tool connects to a running SonarQube for IDE instance to perform code quality analysis on a list of files.

    • file_absolute_paths - List of absolute file paths to analyze - Required String[]
  • toggle_automatic_analysis - Enable or disable SonarQube for IDE automatic analysis. When enabled, SonarQube for IDE will automatically analyze files as they are modified in the working directory. When disabled, automatic analysis is turned off.

    • enabled - Enable or disable the automatic analysis - Required Boolean

When advanced analysis is enabled for your SonarQube Cloud organization:

Requires having the workspace mounted at /app/mcp-workspace

  • run_advanced_code_analysis - Run advanced code analysis on SonarQube Cloud for a single file. Organization is inferred from MCP configuration.
    • projectKey - The key of the project - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branchName - Branch name used to retrieve the latest analysis context - Required String
    • filePath - Project-relative path of the file to analyze (e.g., src/main/java/MyClass.java). - Required String
    • fileScope - Defines in which scope the file originates from: 'MAIN' or 'TEST' (default: MAIN) - String

Coverage

  • search_files_by_coverage - Search for files in a project sorted by coverage (ascending - worst coverage first). This tool helps identify files that need test coverage improvements.

    • projectKey - The project key to search in - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • maxCoverage - Maximum coverage threshold (0-100). Only return files with coverage <= this value - Number
    • pageIndex - Page index (1-based, default: 1) - Number
    • pageSize - Page size (default: 100, max: 500) - Number
  • get_file_coverage_details - Get line-by-line coverage information for a specific file, including which exact lines are uncovered and which have partially covered branches. This tool helps identify precisely where to add test coverage. Use after identifying files with low coverage via search_files_by_coverage.

    • key - File key (e.g. my_project:src/foo/Bar.java) - Required String
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • from - First line to analyze (1-based, default: 1) - Number
    • to - Last line to analyze (inclusive). If not specified, all lines are returned - Number

Dependency Risks

Note: Dependency risks are only available when connecting to SonarQube Server 2025.4 Enterprise or higher with SonarQube Advanced Security enabled.

  • search_dependency_risks - Search for software composition analysis issues (dependency risks) of a SonarQube project, paired with releases that appear in the analyzed project, application, or portfolio.
    • projectKey - Project key - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • pageIndex - Optional page index (1-based, default: 1) - Integer
    • pageSize - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Enterprises

Note: Enterprises are only available when connecting to SonarQube Cloud.

  • list_enterprises - List the enterprises available in SonarQube Cloud that you have access to. Use this tool to discover enterprise IDs that can be used with other tools.
    • enterpriseKey - Optional enterprise key to filter results - String

Issues

  • change_sonar_issue_status - Change the status of a SonarQube issue to "accept", "falsepositive" or to "reopen" an issue.

    • key - Issue key - Required String
    • status - New issue's status - Required Enum {"accept", "falsepositive", "reopen"}
  • search_sonar_issues_in_projects - Search for SonarQube issues in my organization's projects.

    • projects - Optional list of Sonar projects - String[]
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • severities - Optional list of severities to filter by. Possible values: INFO, LOW, MEDIUM, HIGH, BLOCKER - String[]
    • impactSoftwareQualities - Optional list of software qualities to filter by. Possible values: MAINTAINABILITY, RELIABILITY, SECURITY - String[]
    • issueStatuses - Optional list of issue statuses to filter by. Possible values: OPEN, CONFIRMED, FALSE_POSITIVE, ACCEPTED, FIXED, IN_SANDBOX - String[]
    • issueKey - Optional issue key to fetch a specific issue - String
    • p - Optional page number (default: 1) - Integer
    • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Security Hotspots

  • search_security_hotspots - Search for Security Hotspots in a SonarQube project.

    • projectKey - Project or application key - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • hotspotKeys - Comma-separated list of specific Security Hotspot keys to retrieve - String[]
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • files - Optional list of file paths to filter - String[]
    • status - Optional status filter: TO_REVIEW, REVIEWED - String
    • resolution - Optional resolution filter: FIXED, SAFE, ACKNOWLEDGED - String
    • sinceLeakPeriod - Filter hotspots created since the leak period (new code) - Boolean
    • onlyMine - Show only hotspots assigned to me - Boolean
    • p - Optional page number (default: 1) - Integer
    • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer
  • show_security_hotspot - Get detailed information about a specific Security Hotspot, including rule details, code context, flows, and comments.

    • hotspotKey - Security Hotspot key - Required String
  • change_security_hotspot_status - Review a Security Hotspot by changing its status. When marking as REVIEWED, you must specify a resolution (FIXED, SAFE, or ACKNOWLEDGED).

    • hotspotKey - Security Hotspot key - Required String
    • status - New status - Required Enum {"TO_REVIEW", "REVIEWED"}
    • resolution - Resolution when status is REVIEWED - Enum {"FIXED", "SAFE", "ACKNOWLEDGED"}
    • comment - Optional review comment - String

Languages

  • list_languages - List all programming languages supported in this SonarQube instance.
    • q - Optional pattern to match language keys/names against - String

Measures

  • get_component_measures - Get SonarQube measures for a component (project, directory, file).
    • projectKey - The project key - Required String when SONARQUBE_PROJECT_KEY is not configured
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • metricKeys - Optional metric keys to retrieve (e.g. ncloc, complexity, violations, coverage) - String[]
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String

Metrics

  • search_metrics - Search for SonarQube metrics.
    • p - Optional page number (default: 1) - Integer
    • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Portfolios

  • list_portfolios - List enterprise portfolios available in SonarQube with filtering and pagination options.

    For SonarQube Server:

    • q - Optional search query to filter portfolios by name or key - String
    • favorite - If true, only returns favorite portfolios - Boolean
    • pageIndex - Optional 1-based page number (default: 1) - Integer
    • pageSize - Optional page size, max 500 (default: 100) - Integer

    For SonarQube Cloud:

    • enterpriseId - Enterprise uuid. Can be omitted only if 'favorite' parameter is supplied with value true - String
    • q - Optional search query to filter portfolios by name - String
    • favorite - Required to be true if 'enterpriseId' parameter is omitted. If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true - Boolean
    • draft - If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true - Boolean
    • pageIndex - Optional index of the page to fetch (default: 1) - Integer
    • pageSize - Optional size of the page to fetch (default: 50) - Integer

Projects

  • search_my_sonarqube_projects - Find SonarQube projects. The response is paginated.

    • page - Optional page number - String
  • list_branches - List long-lived branches for a project (e.g. main, develop, master). Returns only LONG branches on SonarQube Cloud and BRANCH entries on SonarQube Server β€” names safe for the branch parameter on other tools. For pull requests, use list_pull_requests instead.

    • projectKey - Project key (e.g. my_project) - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
  • list_pull_requests - List all pull requests for a project. Use this tool to discover available pull requests before analyzing their coverage, issues, or quality. Returns the pull request key/ID which can be used with other tools (e.g., search_files_by_coverage, get_file_coverage_details). For long-lived branches, use list_branches instead.

    • projectKey - Project key (e.g. my_project) - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)

Quality Gates

  • get_project_quality_gate_status - Get the Quality Gate Status for the SonarQube project.

    • analysisId - Optional analysis ID - String
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • projectId - Optional project ID - String
    • projectKey - Optional project key - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
  • list_quality_gates - List all quality gates in my SonarQube.

Rules

  • show_rule - Shows detailed information about a SonarQube rule.
    • key - Rule key - Required String

Duplications

  • search_duplicated_files - Search for files with code duplications in a SonarQube project. By default, automatically fetches all duplicated files across all pages (up to 10,000 files max). Returns only files with duplications.

    • projectKey - Project key - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
    • pageSize - Optional number of results per page for manual pagination (max: 500). If not specified, auto-fetches all duplicated files - Integer
    • pageIndex - Optional page number for manual pagination (starts at 1). If not specified, auto-fetches all duplicated files - Integer
  • get_duplications - Get duplications for a file. Require Browse permission on file's project.

    • key - File key - Required String
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String

Sources

  • get_raw_source - Get source code as raw text from SonarQube. Require 'See Source Code' permission on file.

    • key - File key - Required String
    • branch - Optional long-lived branch name (e.g. main, develop). Use list_branches to discover valid names - String
    • pullRequest - Optional pull request key/ID. Use list_pull_requests to discover valid keys - String
  • get_scm_info - Get SCM information of SonarQube source files. Require See Source Code permission on file's project.

    • key - File key - Required String
    • commits_by_line - Group lines by SCM commit if value is false, else display commits for each line - String
    • from - First line to return. Starts at 1 - Number
    • to - Last line to return (inclusive) - Number

System

Note: System tools are only available when connecting to SonarQube Server.

  • get_system_health - Get the health status of SonarQube Server instance. Returns GREEN (fully operational), YELLOW (usable but needs attention), or RED (not operational).

  • get_system_info - Get detailed information about SonarQube Server system configuration including JVM state, database, search indexes, and settings. Requires 'Administer' permissions.

  • get_system_logs - Get SonarQube Server system logs in plain-text format. Requires system administration permission.

    • name - Optional name of the logs to get. Possible values: access, app, ce, deprecation, es, web. Default: app - String
  • ping_system - Ping the SonarQube Server system to check if it's alive. Returns 'pong' as plain text.

  • get_system_status - Get state information about SonarQube Server. Returns status (STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, DB_MIGRATION_RUNNING), version, and id.

Webhooks

  • create_webhook - Create a new webhook for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

    • name - Webhook name - Required String
    • url - Webhook URL - Required String
    • projectKey - Optional project key for project-specific webhook - String
    • secret - Optional webhook secret for securing the webhook payload - String
  • list_webhooks - List all webhooks for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

    • projectKey - Optional project key to list project-specific webhooks - String

Context Augmentation

<details> <summary>Architecture Tools</summary>
  • search_by_signature_patterns - Find code elements (classes, methods, interfaces, ...) by their declaration signatures using regex patterns.

    • include_code_regex_list - List of regex patterns to match against signatures - Required String[]
    • exclude_code_regex_list - List of regex patterns to exclude from results - String[]
    • include_glob - File filter glob pattern (e.g., *.java) - String
    • exclude_glob - File exclusion glob pattern - String
    • fields - Comma-separated list of fields to include in the response - String
    • limit - Maximum number of results to return (default: 10) - Integer
    • regex_lists_operator - How to combine multiple patterns: OR (default) or AND - String
  • search_by_body_patterns - Find code elements by their implementation body using regex patterns. Useful for locating where APIs or patterns are actually used.

    • include_code_regex_list - List of regex patterns to match in code bodies - Required String[]
    • exclude_code_regex_list - List of regex patterns to exclude from results - String[]
    • include_glob - File filter glob pattern - String
    • exclude_glob - File exclusion glob pattern - String
    • fields - Comma-separated list of fields to include in the response - String
    • limit - Maximum number of results to return (default: 10) - Integer
    • regex_lists_operator - How to combine multiple patterns: OR (default) or AND - String
  • get_upstream_call_flow - Trace what functions call a given function. Useful for finding all callers and entry points, and understanding what breaks if a signature changes.

    • fqn - Fully qualified name of the function - Required String
    • depth - Call chain depth (0=function only, 1=direct callers, etc.) - Integer
    • fields - Comma-separated list of fields to include in the response - String
  • get_downstream_call_flow - Trace what functions a given function calls. Useful for impact analysis and understanding execution flow.

    • fqn - Fully qualified name of the function - Required String
    • depth - Call chain depth (0=function only, 1=direct callees, etc.) - Integer
    • fields - Comma-separated list of fields to include in the response - String
  • get_source_code - Get complete source code (signature and body) for a code element by its fully qualified name.

    • fqn - Fully qualified name of the element - Required String
    • fields - Comma-separated list of fields to include in the response - String
  • get_type_hierarchy - Get the full inheritance hierarchy for a class-like structure (class, interface, enum, record, exception, struct). Essential for understanding inheritance trees and refactoring.

    • fqn - Fully qualified name of the class-like structure - Required String
    • fields - Comma-separated list of fields to include in the response - String
  • get_references - Get direct inbound and outbound code references for a class or module. Returns only direct (non-transitive) references.

    • fqn - Fully qualified name of the class or module - Required String
    • fields - Comma-separated list of fields to include in the response - String
  • get_current_architecture - Get a hierarchical architecture graph filtered by path prefix and depth. Useful for exploring module structure and high-level dependencies.

    • depth - Hierarchy depth (0=root only, 1=root + children, etc.) - Required Integer
    • path_prefix - Optional path prefix to filter nodes (e.g., com.example.service) - String
    • ecosystem - Optional ecosystem to filter by (java, cs, py, js, ts) - String
  • get_intended_architecture - Get user-defined architectural constraints specifying which modules are allowed to depend on others.

</details> <details> <summary>Guidelines Tools</summary>
  • get_guidelines - Get coding guidelines based on SonarQube project issues, catalog categories, or a combination of both.
    • mode - Guidelines retrieval mode: project_based, category_based, or combined - Required String
    • categories - List of category names (required for category_based and combined modes) - String[]
    • languages - List of target languages in SonarQube repository key format (required when categories is provided) - String[]
    • file_paths - Optional list of file paths to filter guidelines by - String[]
</details> <details> <summary>Third-party Dependency Tools</summary>
  • check_dependency - Check a third-party dependency for security vulnerabilities, supply-chain malware, and license compliance before adding or updating it.
    • purl - Package URL (purl) with version, per purl-spec. Format: pkg:<type>/<namespace>/<name>@<version> (e.g. pkg:npm/lodash@4.17.21, pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1, pkg:pypi/django@3.2.0) - Required String
</details> <details> <summary>Context Augmentation Environment Variables</summary>
VariableDescriptionRequiredDefault
SONARQUBE_URLSonarQube Cloud URLYeshttps://sonarcloud.io
SONARQUBE_TOKENAuthentication tokenYesNone
SONARQUBE_ORGOrganization key on SonarQube CloudYesNone
SONARQUBE_PROJECT_KEYProject key on SonarQube CloudYesNone
SONAR_SQ_BRANCHExplicit SonarQube branch override *NoNone
SONARQUBE_DEBUG_ENABLEDActivate debug logging (for troubleshooting)NoFalse
SONAR_LOG_LEVELLogging verbosity (TRACE, DEBUG, INFO, WARNING, ERROR)NoINFO
  • To be provided when not using git, or when the git branch name doesn't match the branch name in SonarQube.
</details> <details> <summary>Project-Specific Configuration (Recommended)</summary>

First, export the SONARQUBE_TOKEN environment variable with a valid Personal Access Token (PAT) for your project.

Copy & paste β€” that's it
# macOS/Linux (Bash/Zsh)
export SONARQUBE_TOKEN="{<YourUserToken>}"

Then, mount the project workspace to give the Context Augmentation server direct access to your source files:

Copy & paste β€” that's it
{
  "mcpServers": {
    "sonarqube-mcp-server": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm", "--pull=always",
        "-e", "SONARQUBE_URL",
        "-e", "SONARQUBE_TOKEN",
        "-e", "SONARQUBE_ORG",
        "-e", "SONARQUBE_PROJECT_KEY",
        "-e", "SONARQUBE_TOOLSETS",
        "-v", "/ABSOLUTE/PATH/TO/YOUR/PROJECT:/app/mcp-workspace:rw",
        "sonarsource/sonarqube-mcp"
      ],
      "env": {
        "SONARQUBE_URL": "https://sonarcloud.io",
        "SONARQUBE_ORG": "<YourOrganizationKey>",
        "SONARQUBE_PROJECT_KEY": "<YourProjectKey>",
        "SONARQUBE_TOOLSETS": "cag"
      }
    }
  }
}

Important: In a project-scoped config, do not put SONARQUBE_TOKEN in the env block. Export it as an environment variable (export SONARQUBE_TOKEN=...). Docker will forward it into the container via -e SONARQUBE_TOKEN.

</details>

Agentic Readiness

Note: Agentic Readiness tools are only available on SonarQube Cloud and require the feature to be enabled for your organization.

  • start_agentic_readiness_assessment - Start an agentic readiness assessment for a project. Returns immediately with status PENDING and an assessmentId. Use get_agentic_readiness_assessment to poll for results.

    • projectKey - The project key - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branch - Branch to assess. Omit to use the project's default branch - String
  • get_agentic_readiness_assessment - Retrieve the result of an assessment. Re-call with the same assessmentId until status is COMPLETED, FAILED, or INTERRUPTED. When completed, returns the overall level and a per-pillar breakdown with recommended actions and evidence.

    • assessmentId - The assessment ID returned by start_agentic_readiness_assessment - Required String
  • list_agentic_readiness_assessments - List all assessments for a project, newest first. Use get_agentic_readiness_assessment for full pillar-level results.

    • projectKey - The project key to list assessments for - Required String (Ignored when SONARQUBE_PROJECT_KEY is defined)
    • branch - Filter assessments by branch name. Omit to list assessments for all branches - String
    • pageIndex - 1-based page index (default: 1) - Number
    • pageSize - Number of items per page, max 100 (default: 50) - Number

Example Prompts

Once you've set up the SonarQube MCP Server, here are some example prompts for common real-world scenarios:

<details> <summary>Fixing a Failing Quality Gate</summary>
Copy & paste β€” that's it
My quality gate is failing for my project. Can you help me understand why and fix the most critical issues?
Copy & paste β€” that's it
The quality gate on my feature branch is red. What do I need to fix to get it passing before I can merge to main?
</details> <details> <summary>Pre-Release and Pre-Merge Checks</summary>
Copy & paste β€” that's it
I'm about to merge my pull request <#247> for the <web-app> project. Can you check if there are any quality issues I should address first?
Copy & paste β€” that's it
We're deploying to production tomorrow. Can you check the quality gate status and alert me to any critical issues in this branch?
</details> <details> <summary>Improving Code Quality</summary>
Copy & paste β€” that's it
I want to reduce technical debt in my project. What are the top issues I should prioritize?
Copy & paste β€” that's it
Our code coverage dropped below 70%. Can you identify which files have the lowest coverage and help me improve it?
</details> <details> <summary>Understanding and Fixing Issues</summary>
Copy & paste β€” that's it
I have 15 new code smells in my latest commit. Can you explain what they are and help me fix them?
Copy & paste β€” that's it
SonarQube flagged a critical security vulnerability in <AuthController.java>. What's the issue and how do I fix it?
</details> <details> <summary>Security and Dependency Management</summary>
Copy & paste β€” that's it
We need to pass a security audit. Can you check all our projects for security vulnerabilities and create a prioritized list of what needs to be fixed?
Copy & paste β€” that's it
Are there any known vulnerabilities in our dependencies? Check this project for dependency risks.
</details> <details> <summary>Code Review Assistance</summary>
Copy & paste β€” that's it
I just wrote this authentication function. Can you analyze it for security issues and code quality problems before I commit?
Copy & paste β€” that's it
Review the changes in <src/database/migrations> for any potential bugs or security issues.
</details> <details> <summary>Project Health Monitoring</summary>
Copy & paste β€” that's it
Give me a health report for my project: quality gate status, number of bugs, Security Hotspots, and code coverage.
Copy & paste β€” that's it
Compare code quality between our main branch and the develop branch. Are we introducing new issues?
</details> <details> <summary>Team Collaboration</summary>
Copy & paste β€” that's it
What are the most common rule violations across all our projects? We might need to update our coding standards.
Copy & paste β€” that's it
Show me all the issues that were marked as false positives in the last month. Are we seeing patterns that suggest our rules need adjustment?
</details>

Build

Prefer the sonarsource/sonarqube-mcp container image.

To run the server as a standalone JAR without Docker, download a pre-built release from the SonarSource binaries repository. Every released version is published there as sonarqube-mcp-server-<version>.jar (for example, sonarqube-mcp-server-1.19.0.2785.jar).

<details> <summary>Run from JAR</summary>

Download the JAR for the version you want from the binaries repository, then configure your MCP client to run it with Java 21 or later:

  • To connect with SonarQube Cloud:
Copy & paste β€” that's it
{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>"
    }
  }
}
  • To connect with SonarQube Server:
Copy & paste β€” that's it
{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}
</details> <details> <summary>Build from source</summary>

SonarQube MCP Server requires a Java Development Kit (JDK) version 21 or later to build.

Run the following Gradle command to clean the project and build the application:

Copy & paste β€” that's it
./gradlew clean build -x test

The JAR file will be created in build/libs/.

After adding or updating dependencies, regenerate the lock files:

Copy & paste β€” that's it
./gradlew :dependencies --write-locks
./gradlew :its:dependencies --write-locks

Use the Run from JAR configuration above, pointing <path_to_sonarqube_mcp_server_jar> to the JAR in build/libs/.

</details>

Data and telemetry

This server collects anonymous usage data and sends it to SonarSource to help improve the product. No source code or IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry can be disabled with the following system property or environment variable: TELEMETRY_DISABLED=true. Click here to see a sample of the data that are collected.

License

Copyright 2025 SonarSource.

Licensed under the SONAR Source-Available License v1.0. Using the SonarQube MCP Server in compliance with this documentation is a Non-Competitive Purpose and so is allowed under the SSAL.

Your use of SonarQube via MCP is governed by the SonarQube Cloud Terms of Service or SonarQube Server Terms and Conditions, including use of the Results Data solely for your internal software development purposes.