SonarQube for code review
For code review, SonarQube is our third pick of four, and it plays a supporting role rather than the lead. The review platform that holds the pull request comes first; SonarQube adds the maintainability, coverage, and security signals that turn a review from opinion into evidence. Sonar's official server brings that analysis into the agent.
GitHub and GitLab rank ahead because they hold the diff and the discussion an agent has to read to review anything. Semgrep adds fast pattern-based findings. SonarQube's contribution is the quality layer: code smells, coverage gaps, and hotspots attached to the change.
How SonarQube fits
The tools that fit review work are analyze_code_snippet and analyze_file_list, which run analyzers over the changed content or the working directory so the agent has fresh findings on the diff under review. search_sonar_issues_in_projects surfaces existing issues in the affected area. get_file_coverage_details and search_files_by_coverage together tell the agent whether the change touches under-tested code, a reviewer's question that opinion alone cannot answer. search_security_hotspots and show_security_hotspot flag risky patterns, and change_sonar_issue_status lets the agent resolve or confirm a finding as part of the review.
The honest limit: SonarQube does not see the pull request, the diff context, or the review thread. Reading the change and its discussion is GitHub's job, our top pick, with GitLab covering GitLab-hosted reviews. Semgrep, the second pick, gives faster custom-rule findings on the patterns you care about. SonarQube earns its place by grounding the review in coverage and maintainability data; pair it with GitHub or GitLab for the diff and Semgrep for quick pattern checks.
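The pairing described above, as an added example that is not code from this page or from Sonar's server: the agent gets the diff from GitHub or GitLab, gets findings, coverage and hotspots from the SonarQube tools, and combines them into review evidence. It parses the unified diff to find the new-file lines the change actually touches, then measures coverage and attaches findings only on those lines, so an old issue elsewhere in the file does not block the pull request. The diff, the findings, the coverage data and the hotspot are all constructed for the example, and their shapes are assumptions, not the server's real result schema.

```python
"""Review-evidence gate: intersect the diff's changed lines with SonarQube-style
findings, coverage and hotspots so the review verdict rests on the change itself."""
import re

# Matches the new-file start line in a unified-diff hunk header.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

# Constructed sample diff, as the review platform (not SonarQube) would supply it.
SAMPLE_DIFF = """\
diff --git a/src/auth.py b/src/auth.py
--- a/src/auth.py
+++ b/src/auth.py
@@ -10,4 +10,6 @@ def login(user, password):
     session = Session()
-    if user.password == password:
+    if user.password == password:  # TODO: hash compare
+        log.info("login %s", password)
         session.user = user
+        session.admin = user.is_admin
     return session
"""

# Constructed stand-ins for tool results; field names are assumptions for this example.
SAMPLE_FINDINGS = [  # as analyze_file_list might report them
    {"file": "src/auth.py", "line": 12, "severity": "CRITICAL",
     "rule": "example-rule-1", "message": "Sensitive data written to log"},
    {"file": "src/auth.py", "line": 30, "severity": "MAJOR",
     "rule": "example-rule-2", "message": "Unused local variable"},
]
SAMPLE_COVERAGE = {  # as get_file_coverage_details might report executable lines
    "src/auth.py": {"covered": {10, 11, 13, 15}, "uncovered": {12, 14}},
}
SAMPLE_HOTSPOTS = [  # as search_security_hotspots might report them
    {"file": "src/auth.py", "line": 11, "message": "Credential comparison should be reviewed"},
]


def changed_lines(diff_text):
    """Return {path: set of new-file line numbers added or modified} from a unified diff."""
    changed = {}
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            changed.setdefault(path, set())
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "No newline at end of file" marker
        elif raw.startswith("@@"):
            new_line = int(HUNK_RE.match(raw).group(1))
        elif path is None:
            continue  # "diff --git", "index ..." lines before the first hunk
        elif raw.startswith("+"):
            changed[path].add(new_line)
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed line: exists only in the old file
        else:
            new_line += 1  # context line present in both files
    return changed


def review_evidence(diff_text, findings, coverage, hotspots, min_coverage=0.8):
    """Combine tool results into a verdict that only counts lines the change touches."""
    changed = changed_lines(diff_text)
    report = {"blocking": [], "warnings": [], "coverage": {}}
    for path, lines in changed.items():
        cov = coverage.get(path)
        if not cov:
            continue
        measurable = lines & (cov["covered"] | cov["uncovered"])  # executable lines only
        if measurable:
            ratio = len(measurable & cov["covered"]) / len(measurable)
            report["coverage"][path] = round(ratio, 2)
            if ratio < min_coverage:
                report["warnings"].append(f"{path}: changed lines {int(ratio * 100)}% covered")
    for f in findings:
        if f["line"] in changed.get(f["file"], set()):
            bucket = "blocking" if f["severity"] in {"BLOCKER", "CRITICAL"} else "warnings"
            report[bucket].append(f"{f['file']}:{f['line']} {f['rule']} {f['message']}")
    for h in hotspots:
        if h["line"] in changed.get(h["file"], set()):
            report["warnings"].append(f"{h['file']}:{h['line']} hotspot: {h['message']}")
    report["verdict"] = "request_changes" if report["blocking"] else "comment"
    return report


if __name__ == "__main__":
    result = review_evidence(SAMPLE_DIFF, SAMPLE_FINDINGS, SAMPLE_COVERAGE, SAMPLE_HOTSPOTS)
    for key in ("verdict", "coverage", "blocking", "warnings"):
        print(key, result[key])
```

The coverage figure is computed over executable changed lines only, so a whole-file percentage from a large file cannot mask an untested hunk; the finding on line 30 is dropped because the change never touched it, while the critical finding on line 12 turns the verdict into request_changes. An agent would then use change_sonar_issue_status to confirm or resolve the findings it raised.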
Tools you would use
| Tool | What it does |
|---|---|
| analyze_code_snippet | Analyzes file content with SonarQube analyzers to identify code quality and security issues. |
| analyze_file_list | Analyzes files in the current working directory using SonarQube for IDE. |
| toggle_automatic_analysis | Enables or disables SonarQube for IDE automatic analysis. |
| run_advanced_code_analysis | Runs advanced code analysis on SonarQube Cloud for a single file. |
| search_files_by_coverage | Searches for files in a project sorted by test coverage. |
| get_file_coverage_details | Gets line-by-line coverage information for a specific file. |
| search_dependency_risks | Searches for software composition analysis (SCA) dependency risks. |
| list_enterprises | Lists the enterprises available in SonarQube Cloud. |
| change_sonar_issue_status | Changes the status of a SonarQube issue. |
| search_sonar_issues_in_projects | Searches for SonarQube issues across your organization's projects. |
FAQ
- Can SonarQube read the pull request being reviewed?
- No. It analyzes code and reports issues, coverage, and hotspots, but it does not hold the diff or the review thread. GitHub (the top pick) or GitLab provides that context; SonarQube layers quality signals onto the change.
- What does SonarQube add to a code review that GitHub does not?
- Quality evidence. analyze_file_list runs analyzers on the change, get_file_coverage_details shows whether it touches under-tested code, and search_security_hotspots flags risky patterns, so the review rests on coverage and maintainability data rather than reviewer judgment alone.