Skip to content

SonarSource/sonarqube-mcp-server

BranchesTags

Repository files navigation

SonarQube MCP Server

Build Quality Gate Status

The SonarQube MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with SonarQube Server or Cloud for code quality and security. It also supports the analysis of code snippet directly within the agent context.

Quick setup

The simplest method is to rely on our Docker image hosted at mcp/sonarqube. Read below if you want to build it locally.

Claude Code

  • To connect with SonarQube Cloud:

claude mcp add sonarqube --env SONARQUBE_TOKEN=<token> --env SONARQUBE_ORG=<org> -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube

  • To connect with SonarQube Server:

claude mcp add sonarqube --env SONARQUBE_TOKEN=<token> --env SONARQUBE_URL=<url> -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_URL mcp/sonarqube

Codex CLI

In ~/.codex/config.toml, add the following configuration:

  • To connect with SonarQube Cloud:
[mcp_servers.sonarqube]
command = "docker"
args = ["run", "--rm", "-i", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_ORG", "mcp/sonarqube"]
env = { "SONARQUBE_TOKEN" = "<YOUR_USER_TOKEN>", "SONARQUBE_ORG" = "<YOUR_ORG>" }
  • To connect with SonarQube Server:
[mcp_servers.sonarqube]
command = "docker"
args = ["run", "--rm", "-i", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_URL", "mcp/sonarqube"]
env = { "SONARQUBE_TOKEN" = "<YOUR_TOKEN>", "SONARQUBE_URL" = "<YOUR_SERVER_URL>" }

Cursor

  • To connect with SonarQube Cloud:

Install for SonarQube Cloud

  • To connect with SonarQube Server:

Install for SonarQube Server

Gemini CLI

You can install our MCP server extension by using the following command:

gemini extensions install https://github.com/SonarSource/sonarqube-mcp-server

You will need to set the required environment variables before starting Gemini:

SONARQUBE_TOKEN="<token>"
SONARQUBE_ORG="<org>" // For SonarQube Cloud, empty otherwise
SONARQUBE_URL="<url>" // For SonarQube Server, empty otherwise

Once installed, the extension will be installed under <home>/.gemini/extensions/sonarqube-mcp-server/gemini-extension.json.

GitHub Copilot CLI

After starting Copilot CLI, run the following command to add the SonarQube MCP server:

/mcp add

You will have to provide different information about the MCP server, you can use tab to navigate between fields.

  • To connect with SonarQube Cloud:
Server Name: sonarqube
Server Type: Local (Press 1)
Command: docker
Arguments: run, --rm, -i, -e, SONARQUBE_TOKEN, -e, SONARQUBE_ORG, mcp/sonarqube
Environment Variables: SONARQUBE_TOKEN=<YOUR_TOKEN>,SONARQUBE_ORG=<YOUR_ORG>
Tools: *
  • To connect with SonarQube Server:
Server Name: sonarqube
Server Type: Local (Press 1)
Command: docker
Arguments: run, --rm, -i, -e, SONARQUBE_TOKEN, -e, SONARQUBE_ORG, mcp/sonarqube
Environment Variables: SONARQUBE_TOKEN=<YOUR_USER_TOKEN>,SONARQUBE_URL=<YOUR_SERVER_URL>
Tools: *

The configuration file is located at ~/.copilot/mcp-config.json.

GitHub Copilot coding agent

GitHub Copilot coding agent can leverage the SonarQube MCP server directly in your CI/CD.

To add the secrets to your Copilot environment, follow the Copilot documentation. Only secrets with names prefixed with COPILOT_MCP_ will be available to your MCP configuration.

In your GitHub repository, navigate under Settings -> Code & automation -> Copilot -> Coding agent, and add the following configuration in the MCP configuration section:

  • To connect with SonarQube Cloud:
{
  "mcpServers": {
    "sonarqube": {
      "type": "local",
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "SONARQUBE_TOKEN=$SONAR_TOKEN",
        "-e",
        "SONARQUBE_ORG=$SONAR_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONAR_TOKEN": "COPILOT_MCP_SONARQUBE_TOKEN",
        "SONAR_ORG": "COPILOT_MCP_SONARQUBE_ORG"
      },
      "tools": ["*"]
    }
  }
}
  • To connect with SonarQube Server:
{
  "mcpServers": {
    "sonarqube": {
      "type": "local",
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "SONARQUBE_TOKEN=$SONAR_TOKEN",
        "-e",
        "SONARQUBE_URL=$SONAR_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONAR_TOKEN": "COPILOT_MCP_SONARQUBE_USER_TOKEN",
        "SONAR_URL": "COPILOT_MCP_SONARQUBE_URL"
      },
      "tools": ["*"]
    }
  }
}

Kiro

Create a .kiro/settings/mcp.json file in your workspace directory (or edit if it already exists), add the following configuration:

  • To connect with SonarQube Cloud:
{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e", 
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YOUR_TOKEN>",
        "SONARQUBE_ORG": "<YOUR_ORG>"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}
  • To connect with SonarQube Server:
{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e", 
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YOUR_USER_TOKEN>",
        "SONARQUBE_URL": "<YOUR_SERVER_URL>"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

VS Code

You can use the following buttons to simplify the installation process within VS Code.

Install for SonarQube Cloud

Install for SonarQube Server

Windsurf

SonarQube MCP Server is available as a Windsurf plugin. Follow these instructions:

  1. Click on the Plugins button at the top right of the Cascade view
  2. Search for sonarqube on the Plugin store
  3. Click Install
  4. Add the required SonarQube token. Then add the organization key if you want to connect with SonarQube Cloud, or the SonarQube URL if you want to connect to SonarQube Server or Community Build.

Zed

Navigate to the Extensions view in Zed and search for SonarQube MCP Server. When installing the extension, you will be prompted to provide the necessary environment variables:

  • When using SonarQube Cloud:
{
  "sonarqube_token": "YOUR_SONARQUBE_TOKEN",
  "sonarqube_org": "SONARQUBE_ORGANIZATION_KEY",
  "docker_path": "DOCKER_PATH"
}
  • When using SonarQube Server:
{
  "sonarqube_token": "YOUR_SONARQUBE_USER_TOKEN",
  "sonarqube_url": "YOUR_SONARQUBE_SERVER_URL",
  "docker_path": "DOCKER_PATH"
}

The docker_path is the path to a docker executable. Examples:

Linux/macOS: /usr/bin/docker or /usr/local/bin/docker

Windows: C:\Program Files\Docker\Docker\resources\bin\docker.exe

Manual installation

You can manually install the SonarQube MCP server by copying the following snippet in the MCP servers configuration file:

  • To connect with SonarQube Cloud:
{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_ORG",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>"
    }
  }
}
  • To connect with SonarQube Server:
{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_URL",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Integration with SonarQube for IDE

The SonarQube MCP Server can integrate with SonarQube for IDE to further enhance your development workflow, providing better code analysis and insights directly within your IDE.

When using SonarQube for IDE, the SONARQUBE_IDE_PORT environment variable should be set with the correct port number. For example, with SonarQube Cloud:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_ORG",
      "-e",
      "SONARQUBE_IDE_PORT",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>",
      "SONARQUBE_IDE_PORT": "<64120-64130>"
    }
  }
}

Build

SonarQube MCP Server requires a Java Development Kit (JDK) version 21 or later to build.

Run the following Gradle command to clean the project and build the application:

./gradlew clean build -x test

The JAR file will be created in build/libs/.

You will then need to manually copy and paste the MCP configuration, as follows:

  • To connect with SonarQube Cloud:
{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_ORG": "<org>"
    }
  }
}
  • To connect with SonarQube Server:
{
  "sonarqube": {
    "command": "java",
    "args": [
      "-jar",
      "<path_to_sonarqube_mcp_server_jar>"
    ],
    "env": {
      "STORAGE_PATH": "<path_to_your_mcp_storage>",
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Configuration

Depending on your environment, you should provide specific environment variables.

Base

You should add the following variable when running the MCP Server:

Environment variable Description
STORAGE_PATH Mandatory absolute path to a writable directory where SonarQube MCP Server will store its files (e.g., for creation, updates, and persistence), it is automatically provided when using Docker
SONARQUBE_IDE_PORT Optional port number between 64120 and 64130 used to connect SonarQube MCP Server with SonarQube for IDE.

SonarQube Cloud

To enable full functionality, the following environment variables must be set before starting the server:

Environment variable Description
SONARQUBE_TOKEN Your SonarQube Cloud token
SONARQUBE_ORG Your SonarQube Cloud organization key

SonarQube Server

Environment variable Description
SONARQUBE_TOKEN Your SonarQube Server USER token
SONARQUBE_URL Your SonarQube Server URL

Custom Certificates

If your SonarQube Server uses a self-signed certificate or a certificate from a private Certificate Authority (CA), you can add custom certificates to the Docker container that will automatically be installed.

Using Docker Volume Mount

Mount a directory containing your certificates when running the container:

docker run -i --rm \
  -v /path/to/your/certificates/:/usr/local/share/ca-certificates/:ro \
  -e SONARQUBE_TOKEN="<token>" \
  -e SONARQUBE_URL="<url>" \
  mcp/sonarqube

Supported Certificate Formats

The container supports the following certificate formats:

  • .crt files (PEM or DER encoded)
  • .pem files (PEM encoded)

MCP Configuration with Certificates

When using custom certificates, you can modify your MCP configuration to mount the certificates:

{
  "sonarqube": {
    "command": "docker",
    "args": [
      "run",
      "-i",
      "--rm",
      "-v",
      "/path/to/your/certificates/:/usr/local/share/ca-certificates/:ro",
      "-e",
      "SONARQUBE_TOKEN",
      "-e",
      "SONARQUBE_URL",
      "mcp/sonarqube"
    ],
    "env": {
      "SONARQUBE_TOKEN": "<token>",
      "SONARQUBE_URL": "<url>"
    }
  }
}

Tools

Analysis

  • analyze_code_snippet - Analyze a file or code snippet with SonarQube analyzers to identify code quality and security issues. Specify the language of the snippet to improve analysis accuracy.
    • codeSnippet - Code snippet or full file content - Required String
    • language - Optional language of the code snippet - String

When integration with SonarQube for IDE is enabled:

  • analyze_file_list - Analyze files in the current working directory using SonarQube for IDE. This tool connects to a running SonarQube for IDE instance to perform code quality analysis on a list of files.

    • file_absolute_paths - List of absolute file paths to analyze - Required String[]

  • toggle_automatic_analysis - Enable or disable SonarQube for IDE automatic analysis. When enabled, SonarQube for IDE will automatically analyze files as they are modified in the working directory. When disabled, automatic analysis is turned off.

    • enabled - Enable or disable the automatic analysis - Required Boolean

Dependency Risks

Note: Dependency risks are only available when connecting to SonarQube Server 2025.4 Enterprise or higher with SonarQube Advanced Security enabled.

  • search_dependency_risks - Search for software composition analysis issues (dependency risks) of a SonarQube project, paired with releases that appear in the analyzed project, application, or portfolio.
    • projectKey - Project key - String
    • branchKey - Optional branch key - String
    • pullRequestKey - Optional pull request key - String

Enterprises

Note: Enterprises are only available when connecting to SonarQube Cloud.

  • list_enterprises - List the enterprises available in SonarQube Cloud that you have access to. Use this tool to discover enterprise IDs that can be used with other tools.
    • enterpriseKey - Optional enterprise key to filter results - String

Issues

  • change_sonar_issue_status - Change the status of a SonarQube issue to "accept", "falsepositive" or to "reopen" an issue.

    • key - Issue key - Required String
    • status - New issue's status - Required Enum {"accept", "falsepositive", "reopen"}

  • search_sonar_issues_in_projects - Search for SonarQube issues in my organization's projects.

    • projects - Optional list of Sonar projects - String[]
    • pullRequestId - Optional Pull Request's identifier - String
    • severities - Optional list of severities to filter by. Possible values: INFO, LOW, MEDIUM, HIGH, BLOCKER - String[]
    • p - Optional page number (default: 1) - Integer
    • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Languages

  • list_languages - List all programming languages supported in this SonarQube instance.
    • q - Optional pattern to match language keys/names against - String

Measures

  • get_component_measures - Get SonarQube measures for a component (project, directory, file).
    • component - Optional component key to get measures for - String
    • branch - Optional branch to analyze for measures - String
    • metricKeys - Optional metric keys to retrieve (e.g. nloc, complexity, violations, coverage) - String[]
    • pullRequest - Optional pull request identifier to analyze for measures - String

Metrics

  • search_metrics - Search for SonarQube metrics.
    • p - Optional page number (default: 1) - Integer
    • ps - Optional page size. Must be greater than 0 and less than or equal to 500 (default: 100) - Integer

Portfolios

  • list_portfolios - List enterprise portfolios available in SonarQube with filtering and pagination options.

    For SonarQube Server:

    • q - Optional search query to filter portfolios by name or key - String
    • favorite - If true, only returns favorite portfolios - Boolean
    • pageIndex - Optional 1-based page number (default: 1) - Integer
    • pageSize - Optional page size, max 500 (default: 100) - Integer

    For SonarQube Cloud:

    • enterpriseId - Enterprise uuid. Can be omitted only if 'favorite' parameter is supplied with value true - String
    • q - Optional search query to filter portfolios by name - String
    • favorite - Required to be true if 'enterpriseId' parameter is omitted. If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true - Boolean
    • draft - If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true - Boolean
    • pageIndex - Optional index of the page to fetch (default: 1) - Integer
    • pageSize - Optional size of the page to fetch (default: 50) - Integer

Projects

  • search_my_sonarqube_projects - Find SonarQube projects. The response is paginated.
    • page - Optional page number - String

Quality Gates

  • get_project_quality_gate_status - Get the Quality Gate Status for the SonarQube project.

    • analysisId - Optional analysis ID - String
    • branch - Optional branch key - String
    • projectId - Optional project ID - String
    • projectKey - Optional project key - String
    • pullRequest - Optional pull request ID - String

  • list_quality_gates - List all quality gates in my SonarQube.

Rules

  • list_rule_repositories - List rule repositories available in SonarQube.

    • language - Optional language key - String
    • q - Optional search query - String

  • show_rule - Shows detailed information about a SonarQube rule.

    • key - Rule key - Required String

Sources

  • get_raw_source - Get source code as raw text from SonarQube. Require 'See Source Code' permission on file.

    • key - File key - Required String
    • branch - Optional branch key - String
    • pullRequest - Optional pull request id - String

  • get_scm_info - Get SCM information of SonarQube source files. Require See Source Code permission on file's project.

    • key - File key - Required String
    • commits_by_line - Group lines by SCM commit if value is false, else display commits for each line - String
    • from - First line to return. Starts at 1 - Number
    • to - Last line to return (inclusive) - Number

System

Note: System tools are only available when connecting to SonarQube Server.

  • get_system_health - Get the health status of SonarQube Server instance. Returns GREEN (fully operational), YELLOW (usable but needs attention), or RED (not operational).

  • get_system_info - Get detailed information about SonarQube Server system configuration including JVM state, database, search indexes, and settings. Requires 'Administer' permissions.

  • get_system_logs - Get SonarQube Server system logs in plain-text format. Requires system administration permission.

    • name - Optional name of the logs to get. Possible values: access, app, ce, deprecation, es, web. Default: app - String

  • ping_system - Ping the SonarQube Server system to check if it's alive. Returns 'pong' as plain text.

  • get_system_status - Get state information about SonarQube Server. Returns status (STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, DB_MIGRATION_RUNNING), version, and id.

Webhooks

  • create_webhook - Create a new webhook for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

    • name - Webhook name - Required String
    • url - Webhook URL - Required String
    • projectKey - Optional project key for project-specific webhook - String
    • secret - Optional webhook secret for securing the webhook payload - String

  • list_webhooks - List all webhooks for the SonarQube organization or project. Requires 'Administer' permission on the specified project, or global 'Administer' permission.

    • projectKey - Optional project key to list project-specific webhooks - String

Troubleshooting

Applications logs will be written to the STORAGE_PATH/logs/mcp.log file.

Data and telemetry

This server collects anonymous usage data and sends it to SonarSource to help improve the product. No source code or IP address is collected, and SonarSource does not share the data with anyone else. Collection of telemetry can be disabled with the following system property or environment variable: TELEMETRY_DISABLED=true. Click here to see a sample of the data that are collected.

License

Copyright 2025 SonarSource.

Licensed under the SONAR Source-Available License v1.0

About

SonarQube MCP Server

Resources

Readme

License

View license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

103 stars

Watchers

14 watching

Forks

7 forks
Report repository

Releases 8

0.0.8.1353 Latest
Sep 17, 2025
+ 7 releases

Packages

No packages published

Contributors 6

Languages