This MCP server gives you access to SonarQube's code quality and security analysis tools directly in your AI conversations. You can analyze code, check project quality, manage issues, and get detailed insights without leaving your chat.
The user should provide the following environment variables:
SONARQUBE_TOKEN: A SonarQube USER tokenSONARQUBE_URL: The URL of the SonarQube server (for SonarQube Server)SONARQUBE_ORG: The organization key (for SonarQube Cloud)
Example user requests:
- "Show me my SonarQube projects"
- "List all projects in my organization"
What to do: Use search_my_sonarqube_projects to get the list. The results will show project keys that are needed for other operations.
Example user requests:
- "What's the quality gate status of my project?"
- "Check if my project passes quality gates"
- "How is the code quality for project X?"
What to do: Use get_project_quality_gate_status with the project key. If user doesn't know the project key, first use search_my_sonarqube_projects.
Example user requests:
- "Show me the issues in my project"
- "Find security issues in project X"
- "List all bugs in my codebase"
- "Find all blocker issues in my codebase"
What to do: Use search_sonar_issues_in_projects. You can filter by project, software quality (MAINTAINABILITY, RELIABILITY, SECURITY), severity, issue status, branch, pull request, or search for a specific issue by key.
Example user requests:
- "Analyze this code snippet for issues"
- "Check this code for quality problems"
- "Generate a method that does X and analyze it for issues"
What to do: Use analyze_code_snippet - always pass complete file content:
- Full analysis: Pass
fileContentonly to get all issues - Filtered analysis (recommended for generated code): Pass
fileContent+codeSnippet- tool analyzes full file but reports issues only in the snippet (auto-detects location)
Supported Languages:
- Java
- Kotlin
- Python (including IPython notebooks)
- Ruby
- Go
- JavaScript, TypeScript, JSP
- PHP
- XML
- HTML, CSS
- Infrastructure as Code: CloudFormation, Kubernetes, Terraform, Azure Resource Manager, Ansible, Docker
- Secrets detection (works across all file types)
Example user requests:
- "What does this rule mean?"
- "Explain rule javascript:S1234"
- "What metrics are available?"
- "Show me code complexity metrics"
What to do: Use show_rule for rule explanations, search_metrics for available metrics, and get_component_measures for specific metric values.
- When a user mentions a project key, use
search_my_sonarqube_projectsfirst to find the exact project key - Don't guess project keys - always look them up
- When analyzing code snippets, try to detect the programming language from the code syntax
- Only the languages listed in the "Code Snippet Analysis" section are supported for local analysis
- If the code is in an unsupported language, inform the user about the limitation
- If unclear, ask the user or make an educated guess based on syntax
- Note: Secrets detection works on all file types regardless of language
- Many operations support branch-specific analysis
- If user mentions working on a feature branch, include the branch parameter
- Pull request analysis is available for PR-specific insights
- After fixing issues, do not attempt to verify them using
search_sonar_issues_in_projects, as the server will not yet reflect the updates
- SonarQube requires USER tokens (not project tokens)
- When the error
SonarQube answered with Not authorizedoccurs, verify the token type
- Use
search_my_sonarqube_projectsto confirm available projects - Check if user has access to the specific project
- Verify project key spelling and format
- Ensure programming language is correctly specified
- Remind users that snippet analysis doesn't replace full project scans
- Provide full file content for better analysis results
- Mention that code snippet analysis tool has limited capabilities compared to full SonarQube scans