SonarQube MCP server
Sonar's official MCP server brings SonarQube code quality, security, and coverage analysis into your AI agent.
The SonarQube MCP Server is Sonar's official integration that connects an AI agent to SonarQube Cloud, SonarQube Server, and the local SonarQube for IDE analyzers. The agent can run analysis directly on a code snippet or on files in the working directory, then search the resulting issues, security hotspots, and software-composition-analysis dependency risks across your organization's projects. It can pull quality gate status, component measures, metrics, coverage details file by file, and code duplications so the model knows whether a change is shippable.
Beyond reading findings, the agent can change an issue's status, review a security hotspot, fetch raw source and SCM blame, list languages and quality gates, and manage webhooks. An advanced context-augmentation toolset (stdio mode, with the right entitlement) lets the agent trace call flows, inspect type hierarchies, query architecture graphs, and check third-party dependencies for vulnerabilities. The canonical setup runs the published mcp/sonarqube Docker image over stdio, authenticating with a token in SONARQUBE_TOKEN plus either SONARQUBE_ORG for SonarQube Cloud or SONARQUBE_URL for a self-hosted SonarQube Server.
Quick install
Copy-paste configs are provided for all 8 supported clients.
Add to ~/.claude.json:

```json
{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<SONARQUBE_TOKEN>",
        "SONARQUBE_ORG": "<SONARQUBE_ORG>"
      }
    }
  }
}
```

Or register it from the command line:

```sh
claude mcp add sonarqube -- docker run --init --pull=always -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube
```

In the command-line form, `-e SONARQUBE_TOKEN` and `-e SONARQUBE_ORG` forward the variables from your shell environment rather than setting them, so both must be exported before the agent starts the server.

Available tools
| Tool | Description |
|---|---|
| analyze_code_snippet | Analyzes file content with SonarQube analyzers to identify code quality and security issues. |
| analyze_file_list | Analyzes files in the current working directory using SonarQube for IDE. |
| toggle_automatic_analysis | Enables or disables SonarQube for IDE automatic analysis. |
| run_advanced_code_analysis | Runs advanced code analysis on SonarQube Cloud for a single file. |
| search_files_by_coverage | Searches for files in a project sorted by test coverage. |
| get_file_coverage_details | Gets line-by-line coverage information for a specific file. |
| search_dependency_risks | Searches for software composition analysis (SCA) dependency risks. |
| list_enterprises | Lists the enterprises available in SonarQube Cloud. |
| change_sonar_issue_status | Changes the status of a SonarQube issue. |
| search_sonar_issues_in_projects | Searches for SonarQube issues across your organization's projects. |
| search_security_hotspots | Searches for security hotspots in a SonarQube project. |
| show_security_hotspot | Gets detailed information about a specific security hotspot. |
| change_security_hotspot_status | Reviews a security hotspot by changing its status. |
| list_languages | Lists all programming languages supported in this SonarQube instance. |
| get_component_measures | Gets SonarQube measures for a component. |
| search_metrics | Searches for SonarQube metrics. |
| list_portfolios | Lists the enterprise portfolios available in SonarQube. |
| search_my_sonarqube_projects | Finds SonarQube projects you have access to. |
| list_pull_requests | Lists all pull requests for a project. |
| get_project_quality_gate_status | Gets the quality gate status for a SonarQube project. |
| list_quality_gates | Lists all quality gates in your SonarQube instance. |
| show_rule | Shows detailed information about a SonarQube rule. |
| search_duplicated_files | Searches for files with code duplications in a SonarQube project. |
| get_duplications | Gets code duplications for a file. |
| get_raw_source | Gets source code as raw text from SonarQube. |
| get_scm_info | Gets SCM (blame) information for SonarQube source files. |
| get_system_health | Gets the health status of a SonarQube Server instance. |
| get_system_info | Gets detailed SonarQube Server system configuration information. |
| get_system_logs | Gets SonarQube Server system logs in plain text. |
| ping_system | Pings the SonarQube Server system to check if it is alive. |
| get_system_status | Gets state information about a SonarQube Server instance. |
| create_webhook | Creates a new webhook for the SonarQube organization or project. |
| list_webhooks | Lists all webhooks for the SonarQube organization or project. |
| search_by_signature_patterns | Finds code elements by their declaration signatures using regex patterns. |
| search_by_body_patterns | Finds code elements by their implementation body using regex patterns. |
| get_upstream_call_flow | Traces what functions call a given function. |
| get_downstream_call_flow | Traces what functions a given function calls. |
| get_source_code | Gets complete source code for a code element by its fully qualified name. |
| get_type_hierarchy | Gets the full inheritance hierarchy for a class-like structure. |
| get_references | Gets direct inbound and outbound code references for a class or module. |
| get_current_architecture | Gets a hierarchical architecture graph filtered by path prefix and depth. |
| get_intended_architecture | Gets user-defined architectural constraints specifying module dependencies. |
| get_guidelines | Gets coding guidelines derived from a SonarQube project's issues. |
| check_dependency | Checks a third-party dependency for security vulnerabilities. |
Required configuration
- SONARQUBE_TOKEN (required): SonarQube Cloud or Server token used to authenticate API calls.
- SONARQUBE_ORG (optional): your SonarQube Cloud organization key. Required for SonarQube Cloud.
- SONARQUBE_URL (optional): URL of your SonarQube Server instance. Use instead of SONARQUBE_ORG for self-hosted SonarQube Server; defaults to https://sonarcloud.io.
- STORAGE_PATH (optional): directory for the server's file storage. Mandatory when running the JAR build instead of Docker.
- SONARQUBE_PROJECT_KEY (optional): default project key; when set, tool calls no longer need a project parameter.
- SONARQUBE_READ_ONLY (optional): when enabled, restricts the server to read-only tools.
What you can do with it
Gate a change on quality before merge
Before opening a PR, the agent checks the project's quality gate status, coverage, and any new issues introduced, so it only ships code that passes Sonar's bar.
Fix the issues Sonar found
The agent searches open issues and security hotspots in a project, reads the rule explanation, applies a fix in the codebase, then updates the issue status.
FAQ
- Is it free?
- The MCP server is free and open source from SonarSource. It works with your existing SonarQube plan: SonarQube Cloud has a free tier for public projects, and SonarQube Server Community Edition is free to self-host.
- Does it support remote/OAuth?
- No. It runs locally over stdio via the mcp/sonarqube Docker image (or a JAR), authenticating with a token in SONARQUBE_TOKEN; there is no hosted remote endpoint or OAuth flow.
- Does it work with both SonarQube Cloud and self-hosted Server?
- Yes. For SonarQube Cloud set SONARQUBE_TOKEN and SONARQUBE_ORG; for a self-hosted SonarQube Server set SONARQUBE_TOKEN and SONARQUBE_URL pointing at your instance.