Snyk vs SonarQube
Snyk MCP and SonarQube MCP both bring code analysis into an agentic workflow, but they come at code health from different directions.

Snyk's server ships inside the Snyk CLI and is developer-security-first: through it an agent runs software composition analysis on open-source dependencies and their licenses, static application security testing on first-party code, container image scans, Infrastructure-as-Code misconfiguration scans, secret detection, and SBOM analysis, plus package-health and upgrade-breakability checks. It runs locally over stdio (snyk mcp -t stdio, or npx -y snyk@latest mcp -t stdio) and reuses your Snyk CLI login or a SNYK_TOKEN from the environment.

SonarQube's server from Sonar is code-quality-first: an agent analyzes snippets or working-directory files, then searches issues, security hotspots, and SCA dependency risks across projects, reads quality-gate status, coverage, measures, and duplications, and, with the advanced toolset enabled, traces call flows and architecture. It runs over stdio via the mcp/sonarqube Docker image against either SonarQube Cloud or a self-hosted SonarQube Server.

Here is a fair look at how they differ.
How they compare
| Dimension | Snyk | SonarQube |
|---|---|---|
| Primary focus | Developer security: known vulnerabilities and license risks across dependencies, code, containers, IaC, secrets, and SBOMs. | Code quality and maintainability, with security hotspots and SCA: issues, quality gates, coverage, measures, and duplications. |
| What it scans | Open-source dependencies (SCA), first-party code (SAST), container images, IaC files, secrets, and existing SBOMs — broad supply-chain coverage. | Source code for quality and security issues, plus coverage, duplications, dependency risks, and architecture/call-flow with the advanced toolset. |
| Deployment and auth | Local stdio as part of the Snyk CLI (snyk mcp -t stdio or via npx); reuses the Snyk CLI login or a SNYK_TOKEN; SSE transport also supported. | Local stdio via the mcp/sonarqube Docker image; SONARQUBE_TOKEN plus SONARQUBE_ORG (Cloud) or SONARQUBE_URL (self-hosted Server). No OAuth. |
| Gate vs. fix posture | Inline guardrail: scan a change as it is generated, surface vulnerabilities and license issues, and fix before commit. | Merge gate: check quality-gate status, coverage, and new issues before a PR, then search issues and hotspots and update their status after fixing. |
| Best-fit task | Catching vulnerabilities the moment code or a dependency is added, and scanning containers and IaC before shipping. | Ensuring a change is shippable against your quality bar — coverage, duplications, hotspots — and fixing the issues SonarQube already tracks. |
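As an added example that is not on the page and is not Snyk's or Sonar's own code, here is a POSIX shell script that renders a single MCP client configuration registering both servers from the Deployment and auth row: Snyk via snyk mcp -t stdio, SonarQube via the mcp/sonarqube image, with Cloud (SONARQUBE_ORG) or self-hosted Server (SONARQUBE_URL) chosen from the environment. It assumes, which the page does not state, that the client reads the common mcpServers JSON shape and forwards each entry's env map to the process it launches; the function names, the output path in the usage comment, and the constructed token values are mine.

```shell
#!/bin/sh
# Added example, not code from the page, Snyk or Sonar: render one MCP client
# config that registers both local stdio servers side by side.
# Assumptions (not stated on the page): the client reads the common
# {"mcpServers": {...}} JSON shape, starts each "command" with the listed
# "args", and passes the "env" map into that process's environment.

# Pick the SonarQube target from the environment: SONARQUBE_ORG means
# SonarQube Cloud, SONARQUBE_URL means a self-hosted Server. Prints the
# variable name; fails if neither or both are set.
sonar_target_var() {
    if [ -n "${SONARQUBE_ORG:-}" ] && [ -n "${SONARQUBE_URL:-}" ]; then
        echo "set SONARQUBE_ORG (Cloud) or SONARQUBE_URL (Server), not both" >&2
        return 1
    elif [ -n "${SONARQUBE_ORG:-}" ]; then
        echo SONARQUBE_ORG
    elif [ -n "${SONARQUBE_URL:-}" ]; then
        echo SONARQUBE_URL
    else
        echo "set SONARQUBE_ORG (Cloud) or SONARQUBE_URL (Server)" >&2
        return 1
    fi
}

# Render the config to stdout. Snyk needs no env entry because the CLI reuses
# its own login (or SNYK_TOKEN from the environment). The Sonar token is handed
# to docker as a bare "-e SONARQUBE_TOKEN", so the container inherits it from
# the process environment and its value never lands in the file.
render_mcp_config() {
    [ -n "${SONARQUBE_TOKEN:-}" ] || { echo "SONARQUBE_TOKEN is not set" >&2; return 1; }
    target=$(sonar_target_var) || return 1
    eval "target_value=\$$target"
    # The value is interpolated into JSON; refuse anything that would need escaping.
    case "$target_value" in
        *\"*|*\\*) echo "unsupported characters in $target" >&2; return 1 ;;
    esac
    cat <<EOF
{
  "mcpServers": {
    "snyk": {
      "command": "snyk",
      "args": ["mcp", "-t", "stdio"]
    },
    "sonarqube": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SONARQUBE_TOKEN", "-e", "$target", "mcp/sonarqube"],
      "env": { "$target": "$target_value" }
    }
  }
}
EOF
}

# Guard used before writing: succeed only if the rendered config does not
# contain the token value anywhere.
config_has_no_token() {
    ! render_mcp_config | grep -F -q -- "$SONARQUBE_TOKEN"
}

# Write the config with owner-only permissions; the subshell keeps the umask
# change from leaking into the caller's shell.
write_mcp_config() {
    config_has_no_token || return 1
    ( umask 077 && render_mcp_config > "$1" )
}

# Usage: export SONARQUBE_TOKEN and SONARQUBE_ORG (or SONARQUBE_URL), then
#   write_mcp_config "$HOME/.config/mcp/servers.json"   # path is an example
```

The token stays out of the file on purpose: docker gets a bare -e SONARQUBE_TOKEN and inherits the value from whatever environment the client launches it with. If your client does not pass its own environment through to servers, point the sonarqube command at a small wrapper that reads the token from a mode-0600 file and then execs docker, rather than pasting the token into the env block. Either way, give each server its own token with the narrowest scope the service offers, since an agent holding the MCP connection can exercise everything that token can.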
Verdict
Pick by whether your priority is security or overall code quality — and note the two overlap on SCA and hotspots, so many teams run both. Reach for Snyk MCP when the goal is developer security: scanning open-source dependencies, first-party code, containers, IaC, and secrets for vulnerabilities and license risk as code is written, acting as an inline guardrail before commit. Reach for SonarQube MCP when the goal is code quality and shippability: checking the quality gate, coverage, duplications, and new issues before a PR, then fixing the issues and hotspots Sonar tracks across your projects — with the advanced toolset adding call-flow and architecture awareness. In short: Snyk if you want a security scanner across the supply chain; SonarQube if you want a quality gate plus security hotspots tied to your projects. Both run locally over stdio with token auth, so they slot side by side in a CI-minded agent loop.
FAQ
- Does either of these support a remote OAuth endpoint?
- No. Both run locally over stdio. Snyk's server is part of the Snyk CLI (snyk mcp -t stdio, with SSE also available) and reuses your CLI login or a SNYK_TOKEN. SonarQube's runs via the mcp/sonarqube Docker image with a SONARQUBE_TOKEN plus SONARQUBE_ORG (Cloud) or SONARQUBE_URL (self-hosted Server); neither uses OAuth.
- Do they overlap, or should I run both?
- They overlap on software composition analysis (dependency risk) and security hotspots, but the emphasis differs: Snyk is security-first across dependencies, code, containers, IaC, and secrets, while SonarQube is quality-first with security hotspots and SCA layered in. Many teams run both — Snyk as a supply-chain security scanner and SonarQube as a quality gate.