SonarQube MCP Server

The SonarQube MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with SonarQube Server or Cloud for code quality and security. It also supports the analysis of code snippet directly within the agent context.

Quick setup

The simplest method is to rely on our container image hosted at mcp/sonarqube. Read below if you want to build it locally.

Note: While the examples below use docker, any OCI-compatible container runtime works (e.g., Podman, nerdctl). Simply replace docker with your preferred tool.

Security Best Practices

🔒 Important: Your SonarQube token is a sensitive credential. Follow these security practices:

When using CLI commands:

• Avoid hardcoding tokens in command-line arguments - they get saved in shell history
• Use environment variables - set tokens in environment variables before running commands

When using configuration files:

• Never commit tokens to version control
• Use environment variable substitution in config files when possible

Claude Code

• To connect with SonarQube Cloud:

claude mcp add sonarqube \
  --env SONARQUBE_TOKEN=$SONAR_TOKEN \
  --env SONARQUBE_ORG=$SONAR_ORG \
  -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube

For SonarQube Cloud US, add --env SONARQUBE_URL=https://sonarqube.us to the command.

• To connect with SonarQube Server:

claude mcp add sonarqube \
  --env SONARQUBE_TOKEN=$SONAR_USER_TOKEN \
  --env SONARQUBE_URL=$SONAR_URL \
  -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_URL mcp/sonarqube

Codex CLI

Manually edit the configuration file at ~/.codex/config.toml and add the following configuration:

• To connect with SonarQube Cloud:

[mcp_servers.sonarqube]
command = "docker"
args = ["run", "--rm", "-i", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_ORG", "mcp/sonarqube"]
env = { "SONARQUBE_TOKEN" = "<YOUR_USER_TOKEN>", "SONARQUBE_ORG" = "<YOUR_ORG>" }

For SonarQube Cloud US, add "SONARQUBE_URL" = "https://sonarqube.us" to the env section and "-e", "SONARQUBE_URL" to the args array.

• To connect with SonarQube Server:

[mcp_servers.sonarqube]
command = "docker"
args = ["run", "--rm", "-i", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_URL", "mcp/sonarqube"]
env = { "SONARQUBE_TOKEN" = "<YOUR_TOKEN>", "SONARQUBE_URL" = "<YOUR_SERVER_URL>" }

Cursor

• To connect with SonarQube Cloud:

For SonarQube Cloud US, manually add "SONARQUBE_URL": "https://sonarqube.us" to the env section in your MCP configuration after installation.

• To connect with SonarQube Server:

Gemini CLI

You can install our MCP server extension by using the following command:

gemini extensions install https://github.com/SonarSource/sonarqube-mcp-server

You will need to set the required environment variables before starting Gemini:

Environment Variables Required:

• For SonarQube Cloud:

  • SONARQUBE_TOKEN - Your SonarQube Cloud token
  • SONARQUBE_ORG - Your organization key
  • SONARQUBE_URL - (Optional) Set to https://sonarqube.us for SonarQube Cloud US

• For SonarQube Server:

  • SONARQUBE_TOKEN - Your SonarQube Server USER token
  • SONARQUBE_URL - Your SonarQube Server URL

Once installed, the extension will be installed under <home>/.gemini/extensions/sonarqube-mcp-server/gemini-extension.json.

GitHub Copilot CLI

After starting Copilot CLI, run the following command to add the SonarQube MCP server:

/mcp add

You will have to provide different information about the MCP server, you can use tab to navigate between fields.

• To connect with SonarQube Cloud:

Server Name: sonarqube
Server Type: Local (Press 1)
Command: docker
Arguments: run, --rm, -i, -e, SONARQUBE_TOKEN, -e, SONARQUBE_ORG, mcp/sonarqube
Environment Variables: SONARQUBE_TOKEN=<YOUR_TOKEN>,SONARQUBE_ORG=<YOUR_ORG>
Tools: *

For SonarQube Cloud US, add -e, SONARQUBE_URL to Arguments and SONARQUBE_URL=https://sonarqube.us to Environment Variables.

• To connect with SonarQube Server:

Server Name: sonarqube
Server Type: Local (Press 1)
Command: docker
Arguments: run, --rm, -i, -e, SONARQUBE_TOKEN, -e, SONARQUBE_URL, mcp/sonarqube
Environment Variables: SONARQUBE_TOKEN=<YOUR_USER_TOKEN>,SONARQUBE_URL=<YOUR_SERVER_URL>
Tools: *

The configuration file is located at ~/.copilot/mcp-config.json.

GitHub Copilot coding agent

GitHub Copilot coding agent can leverage the SonarQube MCP server directly in your CI/CD.

To add the secrets to your Copilot environment, follow the Copilot documentation. Only secrets with names prefixed with COPILOT_MCP_ will be available to your MCP configuration.

In your GitHub repository, navigate under Settings -> Copilot -> Coding agent, and add the following configuration in the MCP configuration section:

• To connect with SonarQube Cloud:

{
  "mcpServers": {
    "sonarqube": {
      "type": "local",
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "SONARQUBE_TOKEN=$SONAR_TOKEN",
        "-e",
        "SONARQUBE_ORG=$SONAR_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONAR_TOKEN": "COPILOT_MCP_SONARQUBE_TOKEN",
        "SONAR_ORG": "COPILOT_MCP_SONARQUBE_ORG"
      },
      "tools": ["*"]
    }
  }
}

For SonarQube Cloud US, add "-e", "SONARQUBE_URL=$SONAR_URL" to the args array and "SONAR_URL": "COPILOT_MCP_SONARQUBE_URL" to the env section, then set the secret COPILOT_MCP_SONARQUBE_URL=https://sonarqube.us.

• To connect with SonarQube Server:

{
  "mcpServers": {
    "sonarqube": {
      "type": "local",
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "SONARQUBE_TOKEN=$SONAR_TOKEN",
        "-e",
        "SONARQUBE_URL=$SONAR_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONAR_TOKEN": "COPILOT_MCP_SONARQUBE_USER_TOKEN",
        "SONAR_URL": "COPILOT_MCP_SONARQUBE_URL"
      },
      "tools": ["*"]
    }
  }
}

Kiro

Create a .kiro/settings/mcp.json file in your workspace directory (or edit if it already exists), add the following configuration:

• To connect with SonarQube Cloud:

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e", 
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YOUR_TOKEN>",
        "SONARQUBE_ORG": "<YOUR_ORG>"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

For SonarQube Cloud US, add "-e", "SONARQUBE_URL" to the args array and "SONARQUBE_URL": "https://sonarqube.us" to the env section.

• To connect with SonarQube Server:

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e", 
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YOUR_USER_TOKEN>",
        "SONARQUBE_URL": "<YOUR_SERVER_URL>"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

VS Code

You can use the following buttons to simplify the installation process within VS Code.

For SonarQube Cloud US, manually add "SONARQUBE_URL": "https://sonarqube.us" to the env section in your MCP configuration after installation.

Windsurf

SonarQube MCP Server is available as a Windsurf plugin. Follow these instructions:

1. Open Windsurf Settings > Cascade > MCP Servers and select Open MCP Marketplace
2. Search for sonarqube on the Cascade MCP Marketplace
3. Choose the SonarQube MCP Server and select Install
4. Add the required SonarQube User token. Then add the organization key if you want to connect with SonarQube Cloud, or the SonarQube URL if you want to connect to SonarQube Server or Community Build.

For SonarQube Cloud US, set the URL to https://sonarqube.us.

Zed

Navigate to the Extensions view in Zed and search for SonarQube MCP Server. When installing the extension, you will be prompted to provide the necessary environment variables:

• When using SonarQube Cloud:

{
  "sonarqube_token": "YOUR_SONARQUBE_TOKEN",
  "sonarqube_org": "SONARQUBE_ORGANIZATION_KEY",
  "docker_path": "DOCKER_PATH"
}

For SonarQube Cloud US, add "sonarqube_url": "https://sonarqube.us" to the configuration.

• When using SonarQube Server:

{
  "sonarqube_token": "YOUR_SONARQUBE_USER_TOKEN",
  "sonarqube_url": "YOUR_SONARQUBE_SERVER_URL",
  "docker_path": "DOCKER_PATH"
}

The docker_path is the path to a docker executable. Examples:

Linux/macOS: /usr/bin/docker or /usr/local/bin/docker

Windows: C:\Program Files\Docker\Docker\resources\bin\docker.exe

Manual installation

You can manually install the SonarQube MCP server by copying the following snippet in the MCP servers configuration file:

• To connect with SonarQube Cloud:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_ORG",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>"
    }
  }
}

• To connect with SonarQube Server:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_URL",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Integration with SonarQube for IDE

The SonarQube MCP Server can integrate with SonarQube for IDE to further enhance your development workflow, providing better code analysis and insights directly within your IDE.

When using SonarQube for IDE, the SONARQUBE_IDE_PORT environment variable should be set with the correct port number. SonarQube for VS Code includes a Quick Install button, which automatically sets the correct port configuration.

For example, with SonarQube Cloud:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_ORG",
      "-e",
      "SONARQUBE_IDE_PORT",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>",
      "SONARQUBE_IDE_PORT": "<64120-64130>"
    }
  }
}

When running the MCP server in a container on Linux, the container cannot access the SonarQube for IDE embedded server running on localhost. To allow the container to connect to the SonarQube for IDE server, add the --network=host option to your container run command.

Build

SonarQube MCP Server requires a Java Development Kit (JDK) version 21 or later to build.

Run the following Gradle command to clean the project and build the application:

./gradlew clean build -x test

The JAR file will be created in build/libs/.

You will then need to manually copy and paste the MCP configuration, as follows:

• To connect with SonarQube Cloud:

{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>"
    }
  }
}

• To connect with SonarQube Server:

{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Configuration

Depending on your environment, you should provide specific environment variables.

Base

You should add the following variable when running the MCP Server:

Environment variable	Description
STORAGE_PATH	Mandatory absolute path to a writable directory where SonarQube MCP Server will store its files (e.g., for creation, updates, and persistence), it is automatically provided when using the container image
SONARQUBE_IDE_PORT	Optional port number between 64120 and 64130 used to connect SonarQube MCP Server with SonarQube for IDE.

Advanced Analysis

Beta availability: The advanced analysis tool is currently in beta and only available to specific SonarQube Cloud users with access enabled. If your organization does not have access, enabling it will not provide any additional functionality.

Environment variable	Description
SONARQUBE_ADVANCED_ANALYSIS_ENABLED	When set to true on SonarQube Cloud, enables the advanced analysis tool run_advanced_code_analysis. When enabled, it replaces all local analysis tools (analyze_code_snippet, analyze_file_list, toggle_automatic_analysis). On SonarQube Server, the flag is ignored and the server falls back to standard analysis. Default: false.

Selective Tool Enablement

By default, all tools are enabled. You can selectively enable specific toolsets to reduce context overhead and focus on specific functionality.

Environment variable	Description
SONARQUBE_TOOLSETS	Comma-separated list of toolsets to enable. When set, only these toolsets will be available. If not set, all tools are enabled. Note: The projects toolset is always enabled as it's required to find project keys for other operations.
SONARQUBE_READ_ONLY	When set to true, enables read-only mode which disables all write operations (changing issue status for example). This filter is cumulative with SONARQUBE_TOOLSETS if both are set. Default: false.

Available Toolsets

Toolset	Key	Description
Analysis	analysis	Code analysis tools (local analysis and advanced remote analysis)
Issues	issues	Search and manage SonarQube issues
Projects	projects	Browse and search SonarQube projects
Quality Gates	quality-gates	Access quality gates and their status
Rules	rules	Browse and search SonarQube rules
Sources	sources	Access source code and SCM information
Measures	measures	Retrieve metrics and measures (includes both measures and metrics tools)
Languages	languages	List supported programming languages
Portfolios	portfolios	Manage portfolios and enterprises (Cloud and Server)
System	system	System administration tools (Server only)
Webhooks	webhooks	Manage webhooks
Dependency Risks	dependency-risks	Analyze dependency risks and security issues (SCA)

Examples

Enable analysis, issues, and quality gates toolsets (using Docker with SonarQube Cloud):

docker run -i --rm \
  -e SONARQUBE_TOKEN="<token>" \
  -e SONARQUBE_ORG="<org>" \
  -e SONARQUBE_TOOLSETS="analysis,issues,quality-gates" \
  mcp/sonarqube

Note: The projects toolset is always enabled automatically, so you don't need to include it in SONARQUBE_TOOLSETS.

Enable read-only mode (using Docker with SonarQube Cloud):

docker run -i --rm \
  -e SONARQUBE_TOKEN="<token>" \
  -e SONARQUBE_ORG="<org>" \
  -e SONARQUBE_READ_ONLY="true" \
  mcp/sonarqube

SonarQube Cloud

To enable full functionality, the following environment variables must be set before starting the server:

Environment variable	Description	Required
SONARQUBE_TOKEN	Your SonarQube Cloud token	Yes
SONARQUBE_ORG	Your SonarQube Cloud organization key	Yes
SONARQUBE_URL	Custom SonarQube Cloud URL (defaults to https://sonarcloud.io). Use this for SonarQube Cloud US: https://sonarqube.us	No

Examples:

• SonarQube Cloud: Only SONARQUBE_TOKEN and SONARQUBE_ORG are needed
• SonarQube Cloud US: Set SONARQUBE_TOKEN, SONARQUBE_ORG, and SONARQUBE_URL=https://sonarqube.us

SonarQube Server

Environment variable	Description	Required
SONARQUBE_TOKEN	Your SonarQube Server USER token	Yes
SONARQUBE_URL	Your SonarQube Server URL	Yes

⚠️ Connection to SonarQube Server requires a token of type USER and will not function properly if project tokens or global tokens are used.

💡 Configuration Tip: The presence of SONARQUBE_ORG determines whether you're connecting to SonarQube Cloud or Server. If SONARQUBE_ORG is set, SonarQube Cloud is used; otherwise, SonarQube Server is used.

Transport Modes

The SonarQube MCP Server supports three transport modes:

1. Stdio (Default - Recommended for Local Development)

The recommended mode for local development and single-user setups, used by all MCP clients.

Example - Docker with SonarQube Cloud:

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_ORG", "mcp/sonarqube"],
      "env": {
        "SONARQUBE_TOKEN": "<your-token>",
        "SONARQUBE_ORG": "<your-org>"
      }
    }
  }
}

2. HTTP

Unencrypted HTTP transport. Use HTTPS instead for multi-user deployments.

⚠️ Not Recommended: Use Stdio for local development or HTTPS for multi-user production deployments.

Environment variable	Description	Default
SONARQUBE_TRANSPORT	Set to http to enable HTTP transport	Not set (stdio)
SONARQUBE_HTTP_PORT	Port number (1024-65535)	8080
SONARQUBE_HTTP_HOST	Host to bind (defaults to localhost for security)	127.0.0.1

Note: In HTTP(S) mode, each client sends their own token via the SONARQUBE_TOKEN header. The server's SONARQUBE_TOKEN is only used for initialization.

3. HTTPS (Recommended for Multi-User Production Deployments)

Secure multi-user transport with TLS encryption. Requires SSL certificates.

✅ Recommended for Production: Use HTTPS when deploying the MCP server for multiple users. The server binds to 127.0.0.1 (localhost) by default for security.

Environment variable	Description	Default
SONARQUBE_TRANSPORT	Set to https to enable HTTPS transport	Not set (stdio)
SONARQUBE_HTTP_PORT	Port number (typically 8443 for HTTPS)	8080
SONARQUBE_HTTP_HOST	Host to bind (defaults to localhost for security)	127.0.0.1

SSL Certificate Configuration (Optional):

Environment variable	Description	Default
SONARQUBE_HTTPS_KEYSTORE_PATH	Path to keystore file (.p12 or .jks)	/etc/ssl/mcp/keystore.p12
SONARQUBE_HTTPS_KEYSTORE_PASSWORD	Keystore password	sonarlint
SONARQUBE_HTTPS_KEYSTORE_TYPE	Keystore type (PKCS12 or JKS)	PKCS12

Example - Docker with SonarQube Cloud:

docker run -p 8443:8443 \
  -v $(pwd)/keystore.p12:/etc/ssl/mcp/keystore.p12:ro \
  -e SONARQUBE_TRANSPORT=https \
  -e SONARQUBE_HTTP_PORT=8443 \
  -e SONARQUBE_TOKEN="<init-token>" \
  -e SONARQUBE_ORG="<your-org>" \
  mcp/sonarqube

Client Configuration:

{
  "mcpServers": {
    "sonarqube-https": {
      "url": "https://your-server:8443/mcp",
      "headers": {
        "SONARQUBE_TOKEN": "<your-token>"
      }
    }
  }
}

Note: For local development, use Stdio transport instead (the default). HTTPS is intended for multi-user production deployments with proper SSL certificates.

Custom Certificates

If your SonarQube Server uses a self-signed certificate or a certificate from a private Certificate Authority (CA), you can add custom certificates to the container that will automatically be installed.

Configuration

Using Volume Mount

Mount a directory containing your certificates when running the container:

docker run -i --rm \
  -v /path/to/your/certificates/:/usr/local/share/ca-certificates/:ro \
  -e SONARQUBE_TOKEN="<token>" \
  -e SONARQUBE_URL="<url>" \
  mcp/sonarqube

Supported Certificate Formats

The container supports the following certificate formats:

• .crt files (PEM or DER encoded)
• .pem files (PEM encoded)

MCP Configuration with Certificates

When using custom certificates, you can modify your MCP configuration to mount the certificates:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-v",
      "/path/to/your/certificates/:/usr/local/share/ca-certificates/:ro",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_URL",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Proxy

The SonarQube MCP Server supports HTTP proxies through standard Java proxy system properties.

Configuration

Configuring Proxy Settings

You can configure proxy settings using Java system properties. These can be set as environment variables or passed as JVM arguments.

Common Proxy Properties:

Property	Description	Example
http.proxyHost	HTTP proxy hostname	proxy.example.com
http.proxyPort	HTTP proxy port	8080
https.proxyHost	HTTPS proxy hostname	proxy.example.com
https.proxyPort	HTTPS proxy port	8443
http.nonProxyHosts	Hosts that bypass the proxy (pipe-separated)	localhost|127.0.0.1|*.internal.com

Proxy Authentication

If your proxy requires authentication, the SonarQube MCP Server uses Java's standard authentication mechanism. You can set up proxy credentials using Java system properties:

Property	Description	Example
http.proxyUser	HTTP proxy username	myuser
http.proxyPassword	HTTP proxy password	mypassword
https.proxyUser	HTTPS proxy username	myuser
https.proxyPassword	HTTPS proxy password	mypassword

Tools

Analysis

• analyze_code_snippet - Analyze a file or code snippet with SonarQube analyzers to identify code quality and security issues. Specify the language of the snippet to improve analysis accuracy.
  • codeSnippet - Code snippet or full file content - Required String
  • language - Optional language of the code snippet - String
  • scope - Optional scope of the file: MAIN or TEST (default: MAIN) - String

When integration with SonarQube for IDE is enabled:

• analyze_file_list - Analyze files in the current working directory using SonarQube for IDE. This tool connects to a running SonarQube for IDE instance to perform code quality analysis on a list of files.

  • file_absolute_paths - List of absolute file paths to analyze - Required String[]

• toggle_automatic_analysis - Enable or disable SonarQube for IDE automatic analysis. When enabled, SonarQube for IDE will automatically analyze files as they are modified in the working directory. When disabled, automatic analysis is turned off.

  • enabled - Enable or disable the automatic analysis - Required Boolean

When advanced analysis is enabled (SONARQUBE_ADVANCED_ANALYSIS_ENABLED=true):

Beta availability: The advanced analysis tool is currently in beta and only available to specific SonarQube Cloud users with access enabled.

• run_advanced_code_analysis - Run advanced code analysis on SonarQube Cloud for a single file. Organization is inferred from MCP configuration.
  • projectKey - The key of the project - Required String
  • branchName - Branch name used to retrieve the latest analysis context - Required String
  • filePath - Project-relative path of the file to analyze (e.g., 'src/main/java/MyClass.java') - Required String
  • fileContent - The original content of the file to analyze - Required String
  • fileScope - Defines in which scope the file originates from: 'MAIN' or 'TEST' (default: MAIN) - String

Dependency Risks

Note: Dependency risks are only available when connecting to SonarQube Server 2025.4 Enterprise or higher with SonarQube Advanced Security enabled.

• search_dependency_risks - Search for software composition analysis issues (dependency risks) of a SonarQube project, paired with releases that appear in the analyzed project, application, or portfolio.
  • projectKey - Project key - String
  • branchKey - Optional branch key - String
  • pullRequestKey - Optional pull request key - String

Enterprises

Note: Enterprises are only available when connecting to SonarQube Cloud.

• list_enterprises - List the enterprises available in SonarQube Cloud that you have access to. Use this tool to discover enterprise IDs that can be used with other tools.
  • enterpriseKey - Optional enterprise key to filter results - String

Issues

• change_sonar_issue_status - Change the status of a SonarQube issue to "accept", "falsepositive" or to "reopen" an issue.

  • key - Issue key - Required String
  • status - New issue's status - Required Enum {"accept", "falsepositive", "reopen"}

• search_sonar_issues_in_projects - Search for SonarQube issues in my organization's projects.

  • projects - Optional list of Sonar projects - String[]
  • branch - Optional branch name to search for issues in - String
  • pullRequestId - Optional Pull Request's identifier - String
  • severities - Optional list of severities to filter by. Possible values: INFO, LOW, MEDIUM, HIGH, BLOCKER - String[]
  • impactSoftwareQualities - Optional list of software qualities to filter by. Possible values: MAINTAINABILITY, RELIABILITY, SECURITY - String[]
  • issueStatuses - Optional list of issue statuses to filter by. Possible values: OPEN, CONFIRMED, FALSE_POSITIVE, ACCEPTED, FIXED, IN_SANDBOX - String[]
  • issueKey - Optional issue key to fetch a specific issue - String
  • p - Optional page number (default: 1) - Integer
  • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Languages

• list_languages - List all programming languages supported in this SonarQube instance.
  • q - Optional pattern to match language keys/names against - String

Measures

• get_component_measures - Get SonarQube measures for a component (project, directory, file).
  • component - Optional component key to get measures for - String
  • branch - Optional branch to analyze for measures - String
  • metricKeys - Optional metric keys to retrieve (e.g. ncloc, complexity, violations, coverage) - String[]
  • pullRequest - Optional pull request identifier to analyze for measures - String

Metrics

• search_metrics - Search for SonarQube metrics.
  • p - Optional page number (default: 1) - Integer
  • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Portfolios

• list_portfolios - List enterprise portfolios available in SonarQube with filtering and pagination options.

  For SonarQube Server:

  • q - Optional search query to filter portfolios by name or key - String
  • favorite - If true, only returns favorite portfolios - Boolean
  • pageIndex - Optional 1-based page number (default: 1) - Integer
  • pageSize - Optional page size, max 500 (default: 100) - Integer

  For SonarQube Cloud:

  • enterpriseId - Enterprise uuid. Can be omitted only if 'favorite' parameter is supplied with value true - String
  • q - Optional search query to filter portfolios by name - String
  • favorite - Required to be true if 'enterpriseId' parameter is omitted. If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true - Boolean
  • draft - If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true - Boolean
  • pageIndex - Optional index of the page to fetch (default: 1) - Integer
  • pageSize - Optional size of the page to fetch (default: 50) - Integer

Projects

• search_my_sonarqube_projects - Find SonarQube projects. The response is paginated.
  • page - Optional page number - String

Quality Gates

• get_project_quality_gate_status - Get the Quality Gate Status for the SonarQube project.

  • analysisId - Optional analysis ID - String
  • branch - Optional branch key - String
  • projectId - Optional project ID - String
  • projectKey - Optional project key - String
  • pullRequest - Optional pull request ID - String

• list_quality_gates - List all quality gates in my SonarQube.

Rules

• list_rule_repositories - List rule repositories available in SonarQube.

  • language - Optional language key - String
  • q - Optional search query - String

• show_rule - Shows detailed information about a SonarQube rule.

  • key - Rule key - Required String

Sources

• get_raw_source - Get source code as raw text from SonarQube. Require 'See Source Code' permission on file.

  • key - File key - Required String
  • branch - Optional branch key - String
  • pullRequest - Optional pull request id - String

• get_scm_info - Get SCM information of SonarQube source files. Require See Source Code permission on file's project.

  • key - File key - Required String
  • commits_by_line - Group lines by SCM commit if value is false, else display commits for each line - String
  • from - First line to return. Starts at 1 - Number
  • to - Last line to return (inclusive) - Number

System

Note: System tools are only available when connecting to SonarQube Server.

• get_system_health - Get the health status of SonarQube Server instance. Returns GREEN (fully operational), YELLOW (usable but needs attention), or RED (not operational).

• get_system_info - Get detailed information about SonarQube Server system configuration including JVM state, database, search indexes, and settings. Requires 'Administer' permissions.

• get_system_logs - Get SonarQube Server system logs in plain-text format. Requires system administration permission.

  • name - Optional name of the logs to get. Possible values: access, app, ce, deprecation, es, web. Default: app - String

• ping_system - Ping the SonarQube Server system to check if it's alive. Returns 'pong' as plain text.

• get_system_status - Get state information about SonarQube Server. Returns status (STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, DB_MIGRATION_RUNNING), version, and id.

Webhooks

• create_webhook - Create a new webhook for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

  • name - Webhook name - Required String
  • url - Webhook URL - Required String
  • projectKey - Optional project key for project-specific webhook - String
  • secret - Optional webhook secret for securing the webhook payload - String

• list_webhooks - List all webhooks for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

  • projectKey - Optional project key to list project-specific webhooks - String

Example Prompts

Once you've set up the SonarQube MCP Server, here are some example prompts for common real-world scenarios:

Fixing a Failing Quality Gate

My quality gate is failing for my project. Can you help me understand why and fix the most critical issues?

The quality gate on my feature branch is red. What do I need to fix to get it passing before I can merge to main?

Pre-Release and Pre-Merge Checks

I'm about to merge my pull request <#247> for the <web-app> project. Can you check if there are any quality issues I should address first?

We're deploying to production tomorrow. Can you check the quality gate status and alert me to any critical issues in this branch?

Improving Code Quality

I want to reduce technical debt in my project. What are the top issues I should prioritize?

Our code coverage dropped below 70%. Can you identify which files have the lowest coverage and help me improve it?

Understanding and Fixing Issues

I have 15 new code smells in my latest commit. Can you explain what they are and help me fix them?

SonarQube flagged a critical security vulnerability in <AuthController.java>. What's the issue and how do I fix it?

Security and Dependency Management

We need to pass a security audit. Can you check all our projects for security vulnerabilities and create a prioritized list of what needs to be fixed?

Are there any known vulnerabilities in our dependencies? Check this project for dependency risks.

Code Review Assistance

I just wrote this authentication function. Can you analyze it for security issues and code quality problems before I commit?

Review the changes in <src/database/migrations> for any potential bugs or security issues.

Project Health Monitoring

Give me a health report for my project: quality gate status, number of bugs, security hotspots, and code coverage.

Compare code quality between our main branch and the develop branch. Are we introducing new issues?

Team Collaboration

What are the most common rule violations across all our projects? We might need to update our coding standards.

Show me all the issues that were marked as false positives in the last month. Are we seeing patterns that suggest our rules need adjustment?

Troubleshooting

Applications logs will be written to the STORAGE_PATH/logs/mcp.log file.

Data and telemetry

This server collects anonymous usage data and sends it to SonarSource to help improve the product. No source code or IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry can be disabled with the following system property or environment variable: TELEMETRY_DISABLED=true. Click here to see a sample of the data that are collected.

License

Copyright 2025 SonarSource.

Licensed under the SONAR Source-Available License v1.0. Using the SonarQube MCP Server in compliance with this documentation is a Non-Competitive Purpose and so is allowed under the SSAL.

Your use of SonarQube via MCP is governed by the SonarQube Cloud Terms of Service or SonarQube Server Terms and Conditions, including use of the Results Data solely for your internal software development purposes.