sonarqube-mcp
Supports SonarCloud via the SONARQUBE_ORGANIZATION environment variable, allowing the same SonarQube tools to work with SonarCloud projects.
Provides tools to interact with SonarQube, enabling AI agents to search projects, check quality gates, retrieve measures (bugs, smells, coverage, ratings), list issues, view security hotspots, explore rules, and view source code.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@sonarqube-mcplist open issues sorted by severity"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
sonarqube-mcp
An MCP server that exposes SonarQube data as AI agent tools. 43 tools — the most comprehensive SonarQube MCP implementation available. Covers projects, issues, quality gates, hotspots, coverage, SCM, webhooks, metrics history, worst-metric ranking, project introspection, and composite workflow tools.
Dogfooding: this project is checked via its own tools.
Works with any SonarQube edition — Cloud, Developer, Enterprise, and Community Edition on localhost. No Docker/JVM needed, starts in ~0.1s.
Quick start
Pin to a specific version:
["npx", "-y", "github:metalralf/sonarqube-mcp#1.7.0"]
Omit#1.7.0for the latest (unstable) development version.
Minimum config (3 required env vars)
Claude Desktop / VS Code MCP / Cursor / any MCP client:
{
"mcpServers": {
"sonarqube": {
"command": "npx",
"args": ["-y", "github:metalralf/sonarqube-mcp#1.7.0"],
"env": {
"SONARQUBE_URL": "http://localhost:9000",
"SONARQUBE_TOKEN": "squ_...",
"SONARQUBE_PROJECT": "my_project"
}
}
}
}opencode (uses mcp key instead of mcpServers):
{
"mcp": {
"sonarqube": {
"type": "local",
"command": ["npx", "-y", "github:metalralf/sonarqube-mcp#1.7.0"],
"enabled": true,
"environment": {
"SONARQUBE_URL": "http://localhost:9000",
"SONARQUBE_TOKEN": "squ_...",
"SONARQUBE_PROJECT": "my_project"
}
}
}
}Full config (all options)
{
"mcpServers": {
"sonarqube": {
"command": "npx",
"args": ["-y", "github:metalralf/sonarqube-mcp"],
"env": {
"SONARQUBE_URL": "http://localhost:9000",
"SONARQUBE_TOKEN": "squ_...",
"SONARQUBE_PROJECT": "my_project",
"SONARQUBE_TOOLSETS": "issues,quality",
"SONARQUBE_READ_ONLY": "false",
"SONARQUBE_TRANSPORT": "stdio",
"SONARQUBE_AUTH_SCHEME": "basic",
"SONARQUBE_ORGANIZATION": "",
"SONARQUBE_HTTP_HOST": "127.0.0.1",
"SONARQUBE_HTTP_PORT": "8080",
"SONARQUBE_HTTP_ALLOWED_ORIGINS": "*",
"SONARQUBE_DISABLE_DOCKER": "false",
"SONARQUBE_DOCKER_IMAGE": "sonarsource/sonar-scanner-cli",
"SONARQUBE_DOCKER_FLAGS": "--network=host",
"SONARQUBE_DOCKER_MOUNT_PATH": "/usr/src",
"SONARQUBE_SCANNER_TIMEOUT": "300000",
"SONARQUBE_API_TIMEOUT": "5000",
"SONARQUBE_SOURCE_CONTEXT": "2"
}
}
}
}Related MCP server: sonarqube-mcp
Tools (43)
Composite / Workflow (8 tools)
Tool | Purpose |
| One-shot: QG + measures + issues + hotspots + worst files + branches |
| Analyze + build + full report in 1 call |
| File-level issues + source context |
| New issues since last analysis + project context |
| Fix → rebuild → re-analyze → verify issue resolved |
| One-call file review: issues + source + coverage + duplications |
| Detect config → run analysis → project report (full happy path) |
| Batch-execute tools in linear order (capped at 25, consecutive-dedupe) |
Discovery & Status (7 tools)
Tool | Purpose |
| Discover all project keys |
| Deep-dive: name, description, URL, analysis date |
| Create a new project via MCP |
| Full lifecycle check (reachable → exists → analyzed) |
| One-call: QG + metrics + issues + branches |
| Server health → |
| Escape hatch with 4xx hints |
Quality Gates & Measures (4 tools)
Tool | Purpose |
| Pass/fail + each failing condition |
| All gates with conditions |
| Bugs, smells, coverage, ratings, ncloc, dup |
| Browse all 155 metric definitions |
Issues (5 tools)
Tool | Purpose |
| Full search with |
| Aggregated counts by severity/type/effort |
| Zero-tolerance delta since last analysis |
| confirm / falsepositive / wontfix / resolve |
| Transition many issues at once |
Security Hotspots (3 tools)
Tool | Purpose |
| Search with automatic token-type check |
| Rule, code context, flows, comments |
| REVIEWED with FIXED/SAFE/ACKNOWLEDGED |
Source & SCM (3 tools)
Tool | Purpose |
| Source lines with optional |
| Git blame per line (author, date, revision) |
| Rule explanation with remediation |
Branches & Pull Requests (2 tools)
Tool | Purpose |
| Branches with dates and QG status |
| PR listing (requires Developer Edition+) |
Coverage (2 tools)
Tool | Purpose |
| Files below coverage threshold |
| Per-file: line%, condition%, uncovered lines |
Duplications (2 tools)
Tool | Purpose |
| Files above duplication threshold |
| Duplicate blocks grouped by file |
Analysis & Metrics (3 tools)
Tool | Purpose |
| Coverage/code-smell trend over time (1-365 days) |
| Rank files by worst coverage, dup, complexity |
| Metric definitions with domain, type, direction |
Administration (5 tools)
Tool | Purpose |
| Verify CI/CD integration |
| All 27 supported languages |
| Inspect project dir → suggest sources/tests/exclusions/coverage/build-tool |
| Auto-install sonar-scanner (pnpm/yarn/npm) |
| Full scan from the agent |
Supported Languages
Analysis and detection for all major languages — including C# (which the official SonarQube MCP server's code analysis does not support).
Language | SQ key | Detection | Coverage |
JavaScript |
|
|
|
TypeScript |
|
|
|
Python |
|
|
|
Java |
|
|
|
Kotlin |
|
|
|
Go |
|
|
|
C# |
|
|
|
PHP |
|
| — |
Ruby |
|
| — |
Rust |
|
| — |
Swift |
|
| — |
Scala |
|
| — |
CSS |
|
| — |
HTML |
|
| — |
Docker |
|
| — |
Terraform |
|
| — |
Kubernetes |
|
| — |
CloudFormation |
|
| — |
XML / YAML / JSON / Shell / SQL | various |
| — |
Configuration
Environment variables
All configuration is via env vars. None are required at module scope — they're read lazily at call time.
Connection
Env var | Default | Description |
|
| SonarQube server base URL |
| — | Auth token. Hotspots need |
| — | Default project key for tools that accept |
| — | SonarCloud organization key |
|
|
|
Transport
Env var | Default | Description |
|
|
|
|
| HTTP bind address (transport=http only) |
|
| HTTP port (transport=http only) |
Scanner
Env var | Default | Description |
|
|
|
|
| Scanner Docker image (air-gapped registries) |
|
| Extra Docker run flags. Set |
|
| Scanner timeout in ms |
|
| Health check fetch timeout in ms |
|
| Lines of source context around issues |
|
| Log verbosity: |
|
| Container mount target for project dir |
Toolset
Env var | Default | Description |
| all | Comma-separated categories: |
|
|
|
Toolset filtering
Category | Tools included |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
"environment": { "SONARQUBE_TOOLSETS": "issues,quality" }Read-only mode
SONARQUBE_READ_ONLY=true disables: sonar_set_issue_status, sonar_change_hotspot_status, sonar_run_analysis, sonar_setup_scanner.
HTTP transport
Set SONARQUBE_TRANSPORT=http for REST API access:
"environment": { "SONARQUBE_TRANSPORT": "http", "SONARQUBE_HTTP_PORT": "8080" }Endpoint | Method | Description |
| GET | Health check |
| GET | List tools |
| POST | Execute a tool |
curl -X POST http://localhost:8080/tools/sonar_ping -H 'Content-Type: application/json' -d '{}'
curl -X POST http://localhost:8080/tools/sonar_issues -H 'Content-Type: application/json' -d '{"projectKey":"my_project","compact":true}'Deployment
Docker Compose (quick start)
cp .env.example .env
# edit .env with your SonarQube credentials
docker compose up --buildThe server runs at http://localhost:8080. Configure SONARQUBE_READ_ONLY=true for team deployments. Set SONARQUBE_HTTP_ALLOWED_ORIGINS for CORS-enabled web clients.
Kubernetes (Helm)
# With inline token
helm install sonarqube-mcp ./charts/sonarqube-mcp \
--set sonarqubeUrl=http://sonarqube:9000 \
--set sonarqubeToken=squ_...
# With an existing Secret
kubectl create secret generic sq-token --from-literal=SONARQUBE_TOKEN=squ_...
helm install sonarqube-mcp ./charts/sonarqube-mcp \
--set sonarqubeUrl=http://sonarqube:9000 \
--set existingSecret=sq-tokenDocker build (manual)
docker build -t sonarqube-mcp .
docker run --rm -e SONARQUBE_URL=http://localhost:9000 -e SONARQUBE_TOKEN=squ_... sonarqube-mcpAgent usage guidelines
sonar_analysis_status— check project state firstsonar_summary— full picture in one callsonar_ping— quick health checksonar_quality_gate— pass/fail + failing conditionssonar_list_quality_gates— browse available gatessonar_measures— drill into metricssonar_worst_metrics— find problematic filessonar_list_branches/sonar_list_pull_requests— pick branch/PRsonar_issues— search with filters, compact modesonar_issues_summary— quick countssonar_new_issues— delta since last analysissonar_metrics_history— coverage/code-smell trendssonar_rule— explain any rulesonar_source/sonar_scm_info— source + git blamesonar_hotspots— security reviewsonar_hotspot_details— drill into hotspotsonar_change_hotspot_status— mark reviewedsonar_coverage_files— find under-tested filessonar_file_coverage_details— per-file coveragesonar_search_duplicated_files/sonar_duplications— find/fix dupsonar_issues_bulk_transition— batch status changessonar_set_issue_status— mark resolvedsonar_run_analysis— confirm fixes
Token types
Type | Prefix | Hotspots? |
User token |
| ✅ |
Project analysis |
| ❌ 403 |
Global analysis |
| ❌ 403 |
Local development setup
git clone <repo>
cd sonarqube-mcp
pnpm install
# Run from local checkout:
node src/index.mjsBranch workflow
Branch | Purpose | Version |
| Stable releases | Tagged ( |
| Daily development |
|
| New tools/features | — |
Version bumps
Change | Bump | Example |
1-2 small tools, fixes |
|
|
3+ new tools, features |
|
|
Breaking changes |
|
|
Setting up SonarQube locally
docker run -d --name sonarqube -p 9000:9000 sonarqube:communityOpen http://localhost:9000, log in with admin/admin, generate a token.
Create sonar-project.properties:
sonar.host.url=http://localhost:9000
sonar.projectKey=my_project
sonar.sources=src
sonar.javascript.lcov.reportPaths=coverage/lcov.infoRun:
pnpm exec sonar-scanner -Dsonar.token=squ_...Ecosystem Comparison
What makes this project unique
Features no other SonarQube MCP implementation has:
Compact mode — strips verbose fields for LLM token efficiency
Issue delta —
sonar_new_issuessince last analysisMetric history / trends — coverage and code-smell trajectory
Worst-metric ranking — find files with worst coverage, highest duplication
Bulk issue transitions — transition many issues at once
Project creation — create SonarQube projects via MCP
Run scanner from agent —
sonar_run_analysiswithout leaving the chatSource coverage highlights — mark untested lines in source view
Aggregated summary — single-call project health
Array parameter support — pass severities/types as arrays or strings
Zero Docker, zero JVM — Node.js, starts in ~0.1s
vs Official mcp/sonarqube
Aspect | Official (SonarSource) | Ours |
Runtime | Java + Docker (~500MB image) | Node.js (~0.1s start, no Docker) |
Edition support | Cloud / Developer / Enterprise | All including Community |
Distribution | Docker Hub |
|
Unique to us | — | compact mode, delta issues, trend data, worst-metrics, bulk transitions, project creation, coverage highlights, array params |
Unique to official |
| — |
Choose official if you need inline code analysis, IDE integration, or run on Cloud/Enterprise. Choose ours if you're on Community Edition, want zero-overhead startup, or need the unique tools above.
Compatibility
Works with all SonarQube editions. sonar_list_pull_requests requires Developer Edition+.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/metalralf/sonarqube-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server