SonarQube MCP Server
Featuredby
Provides a Model Context Protocol (MCP) server that integrates code quality and security analysis with SonarQube Cloud or Server, supporting direct analysis of code snippets within the agent context.
SonarQube MCP Server Overview
What is SonarQube MCP Server about?
Enables seamless communication between MCP‑compatible agents and SonarQube (Cloud or self‑hosted) to run static analysis, retrieve issues, measures, and security insights.
How to use SonarQube MCP Server?
- Quick start with Docker – pull the official image
mcp/sonarqubeand run it, passing the required environment variables (SONARQUBE_TOKENplus eitherSONARQUBE_ORGfor Cloud orSONARQUBE_URLfor Server). - Manual Java launch – build the JAR with JDK 21+, then start it via
java -jar <jar‑file>while providingSTORAGE_PATHand the same authentication variables. - Configure in MCP client – add a server entry pointing to the Docker command or the Java JAR, specifying the
command,args, andenvsections shown in the README. - Run analyses – use MCP tools such as
analyze_code_snippet,search_sonar_issues_in_projects,get_component_measures, etc., from any supported client.
Key features of SonarQube MCP Server
- Unified access to SonarQube Cloud and self‑hosted instances via a single MCP endpoint.
- Code‑snippet analysis without needing a full project checkout.
- Full‑stack API coverage: issues, measures, metrics, quality gates, rules, source retrieval, and system health.
- Docker‑first distribution with automatic storage handling.
- Custom certificate support for self‑signed or private‑CA SonarQube servers.
- Telemetry (opt‑out) to help SonarSource improve the product.
Use cases of SonarQube MCP Server
- Integrating static analysis into CI pipelines that run in isolated containers.
- Providing on‑the‑fly code quality feedback inside IDE extensions or AI assistants.
- Centralising security and quality metrics for multi‑repo environments.
- Enabling custom tooling (e.g., code‑review bots) to query SonarQube data without direct API calls.
- Supporting organizations that need to run SonarQube behind strict network policies using custom certificates.
FAQ for SonarQube MCP Server
Q: Do I need to build the project from source? A: No. The recommended approach is to use the pre‑built Docker image. Building is only necessary for custom modifications.
Q: Which JDK version is required? A: JDK 21 or later.
Q: How do I store analysis results?
A: Set STORAGE_PATH to a writable directory. In Docker it is provided automatically; for manual Java runs you must mount a volume.
Q: Can I use the server with a self‑signed certificate? A: Yes. Mount the certificate directory into the container (or add it to the Java trust store) as described in the Custom Certificates section.
Q: How do I disable telemetry?
A: Set the environment variable TELEMETRY_DISABLED=true before starting the server.
SonarQube MCP Server's README
SonarQube MCP Server
The SonarQube MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with SonarQube Server or Cloud for code quality and security. It also supports the analysis of code snippet directly within the agent context.
Quick setup
The simplest method is to rely on our Docker image hosted at mcp/sonarqube. Read below for how to build locally.
Cursor
- To connect with SonarQube Cloud:
- To connect with SonarQube Server:
Claude Code
- To connect with SonarQube Cloud:
claude mcp add sonarqube --env SONARQUBE_TOKEN=<token> --env SONARQUBE_ORG=<org> -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube
- To connect with SonarQube Server:
claude mcp add sonarqube --env SONARQUBE_TOKEN=<token> --env SONARQUBE_URL=<url> -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_URL mcp/sonarqube
Windsurf
SonarQube MCP Server is available as a Windsurf plugin. Follow these instructions:
- Click on the
Pluginsbutton at the top right of the Cascade view - Search for
sonarqubeon the Plugin store - Click
Install - Add the required SonarQube token. Then add the organization key if you want to connect with SonarQube Cloud, or the SonarQube URL if you want to connect to SonarQube Server or Community Build.
VS Code
You can use the following buttons to simplify the installation process within VS Code.
Manual installation
You can manually install the SonarQube MCP server by copying the following snippet in the MCP servers configuration file:
- To connect with SonarQube Cloud:
{
"sonarqube": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"SONARQUBE_TOKEN",
"-e",
"SONARQUBE_ORG",
"mcp/sonarqube"
],
"env": {
"SONARQUBE_TOKEN": "<token>",
"SONARQUBE_ORG": "<org>"
}
}
}
- To connect with SonarQube Server:
{
"sonarqube": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"SONARQUBE_TOKEN",
"-e",
"SONARQUBE_URL",
"mcp/sonarqube"
],
"env": {
"SONARQUBE_TOKEN": "<token>",
"SONARQUBE_URL": "<url>"
}
}
}
Build
SonarQube MCP Server requires a Java Development Kit (JDK) version 21 or later to build.
Run the following Gradle command to clean the project and build the application:
./gradlew clean build -x test
The JAR file will be created in build/libs/.
You will then need to manually copy and paste the MCP configuration, as follows:
- To connect with SonarQube Cloud:
{
"sonarqube": {
"command": "java",
"args": [
"-jar",
"<path_to_sonarqube_mcp_server_jar>"
],
"env": {
"STORAGE_PATH": "<path_to_your_mcp_storage>",
"SONARQUBE_TOKEN": "<token>",
"SONARQUBE_ORG": "<org>"
}
}
}
- To connect with SonarQube Server:
{
"sonarqube": {
"command": "java",
"args": [
"-jar",
"<path_to_sonarqube_mcp_server_jar>"
],
"env": {
"STORAGE_PATH": "<path_to_your_mcp_storage>",
"SONARQUBE_TOKEN": "<token>",
"SONARQUBE_URL": "<url>"
}
}
}
Configuration
Depending on your environment, you should provide specific environment variables.
Mandatory
You should add the following variable when running the MCP Server:
| Environment variable | Description |
|---|---|
STORAGE_PATH |
An absolute path to a writable directory where SonarQube MCP Server will store its files (e.g., for creation, updates, and persistence), it is automatically provided when using Docker |
SonarQube Cloud
To enable full functionality, the following environment variables must be set before starting the server:
| Environment variable | Description |
|---|---|
SONARQUBE_TOKEN |
Your SonarQube Cloud token |
SONARQUBE_ORG |
Your SonarQube Cloud organization key |
SonarQube Server
| Environment variable | Description |
|---|---|
SONARQUBE_TOKEN |
Your SonarQube Server USER token |
SONARQUBE_URL |
Your SonarQube Server URL |
Custom Certificates
If your SonarQube Server uses a self-signed certificate or a certificate from a private Certificate Authority (CA), you can add custom certificates to the Docker container that will automatically be installed.
Using Docker Volume Mount
Mount a directory containing your certificates when running the container:
docker run -i --rm \
-v /path/to/your/certificates/:/usr/local/share/ca-certificates/:ro \
-e SONARQUBE_TOKEN="<token>" \
-e SONARQUBE_URL="<url>" \
mcp/sonarqube
Supported Certificate Formats
The container supports the following certificate formats:
.crtfiles (PEM or DER encoded).pemfiles (PEM encoded)
MCP Configuration with Certificates
When using custom certificates, you can modify your MCP configuration to mount the certificates:
{
"sonarqube": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-v",
"/path/to/your/certificates/:/usr/local/share/ca-certificates/:ro",
"-e",
"SONARQUBE_TOKEN",
"-e",
"SONARQUBE_URL",
"mcp/sonarqube"
],
"env": {
"SONARQUBE_TOKEN": "<token>",
"SONARQUBE_URL": "<url>"
}
}
}
Tools
Analysis
- analyze_code_snippet - Analyze a code snippet with SonarQube analyzers to find SonarQube issues in it.
codeSnippet- Code snippet or full file content - Required Stringlanguage- Optional language of the code snippet - String
Dependency Risks
Note: Dependency risks are only available when connecting to SonarQube Server 2025.4 Enterprise or higher with SonarQube Advanced Security enabled.
- search_dependency_risks - Search for software composition analysis issues (dependency risks) of a project, paired with releases that appear in the analyzed project, application, or portfolio.
projectKey- Project key - StringbranchKey- Optional branch key - StringpullRequestKey- Optional pull request key - String
Languages
- list_languages - List all programming languages supported in this instance
q- Optional pattern to match language keys/names against - String
Issues
-
change_sonar_issue_status - Change the status of a SonarQube issue to "accept", "falsepositive" or to "reopen" an issue
key- Issue key - Required Stringstatus- New issue's status - Required Enum {"accept", "falsepositive", "reopen"}
-
search_sonar_issues_in_projects - Search for SonarQube issues in my organization's projects
projects- Optional list of Sonar projects - String[]pullRequestId- Optional Pull Request's identifier - Stringp- Optional page number (default: 1) - Integerps- Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer
Measures
- get_component_measures - Get measures for a component (project, directory, file)
component- Optional component key to get measures for - Stringbranch- Optional branch to analyze for measures - StringmetricKeys- Optional metric keys to retrieve (e.g. nloc, complexity, violations, coverage) - String[]pullRequest- Optional pull request identifier to analyze for measures - String
Metrics
- search_metrics - Search for metrics
p- Optional page number (default: 1) - Integerps- Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer
Projects
- search_my_sonarqube_projects - Find Sonar projects in my organization
page- Optional page number - String
Quality Gates
-
get_project_quality_gate_status - Get the Quality Gate Status for the project
analysisId- Optional analysis ID - Stringbranch- Optional branch key - StringprojectId- Optional project ID - StringprojectKey- Optional project key - StringpullRequest- Optional pull request ID - String
-
list_quality_gates - List all quality gates in the organization
Rules
-
list_rule_repositories - List rule repositories available in SonarQube
language- Optional language key - Stringq- Optional search query - String
-
show_rule - Shows detailed information about a SonarQube rule
key- Rule key - Required String
Sources
-
get_raw_source - Get source code as raw text. Require 'See Source Code' permission on file
key- File key - Required Stringbranch- Optional branch key - StringpullRequest- Optional pull request id - String
-
get_scm_info - Get SCM information of source files. Require See Source Code permission on file's project
key- File key - Required Stringcommits_by_line- Group lines by SCM commit if value is false, else display commits for each line - Stringfrom- First line to return. Starts at 1 - Numberto- Last line to return (inclusive) - Number
System
Note: System tools are only available when connecting to SonarQube Server.
-
get_system_health - Get the health status of SonarQube Server instance
-
get_system_info - Get detailed information about SonarQube Server system configuration including JVM state, database, search indexes, and settings. Requires 'Administer' permissions
-
get_system_logs - Get SonarQube Server system logs in plain-text format. Requires system administration permission
name- Optional name of the logs to get. Possible values: access, app, ce, deprecation, es, web. Default: app - String
-
ping_system - Ping the SonarQube Server system to check if it's alive
-
get_system_status - Get state information about SonarQube Server
Troubleshooting
Applications logs will be written to the STORAGE_PATH/logs/mcp.log file.
Data and telemetry
This server collects anonymous usage data and sends it to SonarSource to help improve the product. No source code or IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry can be disabled with the following system property or environment variable: TELEMETRY_DISABLED=true. Click here to see a sample of the data that are collected.
License
Copyright 2025 SonarSource.
Licensed under the SONAR Source-Available License v1.0
SonarQube MCP Server Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
SonarQube MCP Server's Information
- Author
- SonarSource
- Category
- Development Tools
- Language
- Java
- License
- Other
- Stars
- 74
- Updated
- about 2 months ago
Related MCP Servers
Discover more MCP servers with similar functionality and use cases
Zed
OfficialClientby zed-industries
Provides real-time collaborative editing powered by Rust, enabling developers to edit code instantly across machines with a responsive, GPU-accelerated UI.
Cline
Clientby cline
Provides autonomous coding assistance directly in the IDE, enabling file creation, editing, terminal command execution, browser interactions, and tool extension with user approval at each step.
Continue
Clientby continuedev
Provides continuous AI assistance across IDEs, terminals, and CI pipelines, offering agents, chat, inline editing, and autocomplete to accelerate software development.
GitHub MCP Server
by github
Enables AI agents, assistants, and chatbots to interact with GitHub via natural‑language commands, providing read‑write access to repositories, issues, pull requests, workflows, security data and team activity.
Goose
Clientby block
Automates engineering tasks by installing, executing, editing, and testing code using any large language model, providing end‑to‑end project building, debugging, workflow orchestration, and external API interaction.
Roo Code
OfficialClientby RooCodeInc
An autonomous coding agent that lives inside VS Code, capable of generating, refactoring, debugging code, managing files, running terminal commands, controlling a browser, and adapting its behavior through custom modes and instructions.
Mcp Agent
Clientby lastmile-ai
A lightweight, composable framework for building AI agents using Model Context Protocol and simple workflow patterns.
Firebase CLI
by firebase
Provides a command‑line interface to manage, test, and deploy Firebase projects, covering hosting, databases, authentication, cloud functions, extensions, and CI/CD workflows.
Gptme
Clientby gptme
Empowers large language models to act as personal AI assistants directly inside the terminal, providing capabilities such as code execution, file manipulation, web browsing, vision, and interactive tool usage.