● Official SonarSource 🔑 Needs your key

SonarQube MCP

by SonarSource · SonarSource/sonarqube-mcp-server

Sonar's static analysis findings, in Claude's hands — fix issues by file and rule, not by skimming a dashboard.

sonarqube-mcp-server is the official MCP for SonarQube and SonarCloud. It exposes issues, security hotspots, quality gates, metrics, and code quality history as MCP tools. Claude reads the issue, looks at the rule, and writes a fix grounded in the rule's recommendation — not a generic guess.


Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "sonarqube-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "sonarqube-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "sonarqube-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "sonarqube-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "sonarqube-mcp",
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        "mcp/sonarqube"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "sonarqube-mcp": {
      "command": {
        "path": "docker",
        "args": [
          "run",
          "--init",
          "--pull=always",
          "-i",
          "--rm",
          "-e",
          "SONARQUBE_TOKEN",
          "-e",
          "SONARQUBE_ORG",
          "mcp/sonarqube"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add sonarqube-mcp -- docker run --init --pull=always -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use SonarQube MCP

Batch-fix all issues for a single rule across the codebase

👤 Developers paying down tech debt · ⏱ ~45 min · intermediate

When to use: Sonar flagged 47 instances of the same rule and you'd rather fix them all in one PR.

Prerequisites
  • Sonar token — User → Security → Generate Token (project-scoped if possible)
  • Docker available — Standard docker setup; image is pulled on first run
Flow
  1. Identify the rule
     Use sonarqube-mcp. Top 5 rules by open-issue count in project 'foo'.
     → Rule key + count + severity
  2. Pull all instances of one
     List every open issue for rule java:S2293 (Use Diamond Operator) — file, line, snippet.
     → 47 issues with file:line and surrounding code
  3. Apply the fix
     For each, apply the rule's recommended fix. Keep changes minimal; don't reformat.
     → 47 small edits across ~20 files
  4. Re-scan to verify
     After my CI runs the next analysis, recheck the issue count for that rule.
     → Count drops to 0

Outcome: One focused PR closing a whole rule, instead of 47 scattered fix commits.

Pitfalls
  • Rule auto-fix breaks generated code — Filter by directory; skip generated/test paths or audit those manually
Combine with: github · filesystem

Debug why a PR's quality gate is failing

👤 Developer whose PR was blocked · ⏱ ~30 min · intermediate

When to use: Sonar fails your PR and the dashboard is overwhelming.

Flow
  1. Get gate status
     Use sonarqube-mcp. Show quality gate status for PR 1234 — which conditions failed?
     → Gate breakdown: e.g., 'New Coverage 67% < 80% threshold'
  2. Drill into the failing condition
     For 'New Coverage' below threshold — list new lines added in this PR with no test coverage.
     → Per-file uncovered new-line list
  3. Generate tests
     Write tests covering those uncovered lines.
     → New test files added; mental walkthrough of cases

Outcome: PR unblocked with targeted tests, not a coverage carpet bomb.

Pitfalls
  • Tests written for coverage, not behavior — Ask Claude to also state what each test asserts; reject ones with no real assertion
Combine with: github

Review and resolve security hotspots

👤 Security-conscious engineers · ⏱ ~40 min · advanced

When to use: Hotspots have piled up and need triage as 'reviewed safe' or 'fixed'.

Flow
  1. List unresolved hotspots
     Use sonarqube-mcp. List all unreviewed security hotspots in project 'foo' grouped by category.
     → Hotspots grouped by category (e.g., 'Weak Cryptography', 'Auth')
  2. Explain risks
     For each, summarize the risk in 1 line. Mark which are clearly safe-to-acknowledge vs need-fix.
     → Annotated triage list
  3. Fix or acknowledge
     For need-fix ones, apply the rule's safe pattern. For safe ones, give me the comment to leave on the hotspot review.
     → Fixes applied + review comments drafted

Outcome: Hotspots cleared with audit trail, not silently ignored.

Pitfalls
  • Marking things 'safe' without thinking — Require Claude to cite *why* it's safe in the comment — that creates an auditable trail
Combine with: github

Combinations

Pair with other MCPs for 10x leverage

sonarqube-mcp + github

Annotate PRs with Sonar findings or auto-create issues for new violations

On every PR, comment Sonar's gate result and any new issues it added.

sonarqube-mcp + filesystem

Apply rule fixes locally and commit

Fix all java:S2293 instances; write the diffs locally for review before commit.

Tools

What this MCP exposes

Tool · Inputs · When to call · Cost
  • search_issues · project, rules?, severities?, types?, branch? · Filter issues by rule/severity/type · 1 SonarQube API call
  • get_rule · rule_key · Read the official guidance before fixing · 1 API call
  • get_quality_gate · project, branch_or_pr · Diagnose PR/branch gate failures · 1 API call
  • search_hotspots · project, status? · Security review · 1 API call
  • get_metrics · project, metric_keys[] · Trend / drift checks (coverage, duplications) · 1 API call

Cost & Limits

What this costs to run

API quota: Sonar API rate limit varies by edition — be conservative with bulk loops
Tokens per call: Issues come in pages of 100; each issue ~200 tokens
Monetary: Free for SonarCloud public projects; Enterprise license for SonarQube
Tip: Filter aggressively at search_issues — paging through everything is wasteful

Security

Permissions, secrets, blast radius

Minimum scopes: Browse, See Source Code
Credential storage: SONARQUBE_TOKEN env var, project-scoped
Data egress: To your Sonar instance (sonarcloud.io or self-hosted)
Never grant: Administer permissions to a chat-driven agent

Troubleshooting

Common errors and fixes

401 Unauthorized

Regenerate the token; check that the token isn't user-scoped only when a project-scoped token is needed

Verify: curl -u $SONARQUBE_TOKEN: $SONAR_HOST/api/projects/search

Wrong organization

SONARQUBE_ORG env var must match your Sonar org slug exactly (lowercase)

Docker container can't reach self-hosted SonarQube

Pass --network host or expose your SonarQube on a reachable hostname; set SONAR_HOST_URL inside the container

Verify: docker run ... curl $SONAR_HOST_URL/api/system/status

Issue list seems stale

Sonar reflects the last completed analysis — re-run the analysis or check the project's last analysis timestamp
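A pre-flight script for the Docker-based configs above, added here as an example (not part of the SonarQube MCP project): it checks the org slug rule and runs the verify command from the entries above, reporting only the HTTP status so the token never reaches a log. It assumes SONAR_HOST_URL defaults to https://sonarcloud.io when unset.

```shell
#!/bin/sh
# Added example, not project code. The client configs above pass -e SONARQUBE_TOKEN
# without a value, so the token is inherited from this environment rather than
# written into the client's JSON file; these checks run before the client starts.

# Org slugs must be lowercase ("Wrong organization" above). Returns 0 when OK.
check_org_slug() {
  slug="$1"
  [ -n "$slug" ] || return 1
  case "$slug" in
    *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) return 1 ;;   # uppercase present
    *) return 0 ;;
  esac
}

# Map the HTTP status of the verify call to the matching troubleshooting entry.
# 000 is what curl reports when no connection could be made at all.
diagnose_status() {
  case "$1" in
    200) echo "ok: token accepted" ;;
    401) echo "401 Unauthorized: regenerate the token and check its scope" ;;
    000) echo "no connection: check SONAR_HOST_URL and container networking" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Run the page's verify command, discarding the body; only the status is printed.
verify_token() {
  host="${SONAR_HOST_URL:-https://sonarcloud.io}"   # assumption: SonarCloud default
  [ -n "$SONARQUBE_TOKEN" ] || { echo "SONARQUBE_TOKEN is not set"; return 1; }
  check_org_slug "$SONARQUBE_ORG" || { echo "SONARQUBE_ORG missing or not lowercase"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "$SONARQUBE_TOKEN:" \
         "$host/api/projects/search")
  diagnose_status "$code"
  [ "$code" = "200" ]
}

# Usage: export SONARQUBE_TOKEN and SONARQUBE_ORG, then run: verify_token
```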

Alternatives

SonarQube MCP vs others

Alternative · When to use it instead · Tradeoff
  • CodeQL via GitHub MCP · You're already on GitHub Advanced Security and want findings in the same surface · Different rule set; no quality-gate concept
  • Semgrep MCP · You want lightweight pattern-based scanning without Sonar infra · Less coverage of code smells / maintainability metrics

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues
