SonarQube MCP Server – Code Quality and Security
SonarQube's official MCP Server connects AI coding agents to SonarQube code quality and security data. Use it to analyze snippets or files, search issues in projects, check quality and security findings, and keep AI-assisted coding aligned with SonarQube standards.
Overview
SonarQube MCP Server is SonarSource's official Model Context Protocol server
for integrating SonarQube Cloud, SonarQube Server, and SonarQube Community Build
with AI coding tools. It gives agents access to code quality and security
feedback while developers stay inside their IDE, CLI, or chat-based coding
workflow.
What the MCP server enables
The server exposes Sonar tools for quality and security workflows. Depending on
the connected product, token, organization, project access, and SonarQube for
IDE integration, an agent can:
- Analyze a code snippet or file with SonarQube analyzers.
- Analyze a list of files in the current working directory through SonarQube for
IDE.
- Enable or disable SonarQube for IDE automatic analysis.
- Search SonarQube issues across projects in an organization.
- Query project findings, quality information, and security issues from
SonarQube Cloud or SonarQube Server.
- Use issue context to help explain, prioritize, and remediate code problems.
When to use it
Use SonarQube MCP when an AI coding agent should verify code before a developer
accepts changes. Practical examples include checking AI-generated code for
maintainability and security issues, asking the assistant to explain open
issues in a project, reviewing quality-gate-related findings, analyzing a
snippet before committing it, or pulling SonarQube findings into an agentic
remediation workflow.
Connection and authentication
The recommended quick setup uses the official mcp/sonarqube container image.
Stdio is the default transport for local development and single-user clients.
For SonarQube Cloud, pass SONARQUBE_TOKEN and SONARQUBE_ORG; for
SonarQube Server or Community Build, pass SONARQUBE_TOKEN and
SONARQUBE_URL. For SonarQube Cloud in the US region, set
SONARQUBE_URL=https://sonarqube.us.
Shared deployments can run the server in HTTP or HTTPS transport mode. HTTP is
unencrypted and not recommended. HTTPS requires TLS certificates and is the
recommended multi-user production transport. HTTP and HTTPS clients must send
Authorization: Bearer ${SONARQUBE_TOKEN}. Passing tokens through a
SONARQUBE_TOKEN header is deprecated for HTTP(S), while stdio continues to
use SONARQUBE_TOKEN as an environment variable.
Key considerations
Use SonarQube user tokens for connected mode and MCP integrations with
SonarQube for IDE; project tokens, global tokens, and scoped organization
tokens are not appropriate for that setup. Never commit tokens to version
control, and prefer environment-variable substitution. The server can send
anonymous usage telemetry to Sonar; set TELEMETRY_DISABLED=true to disable it.
HTTP proxy support uses standard Java proxy system properties. Review AI
remediation before merging changes, because the MCP server surfaces findings
and context but does not replace tests, code review, or release approval.
Supported Transports
stdio
Command: docker
Args:
run -i --rm --init --pull=always -e SONARQUBE_TOKEN -e SONARQUBE_ORG -e SONARQUBE_URL -e SONARQUBE_IDE_PORT -e TELEMETRY_DISABLED mcp/sonarqube
streamable_http
URL: http://${SONARQUBE_MCP_HOST}:${SONARQUBE_MCP_PORT}/mcp
streamable_http
URL: https://${SONARQUBE_MCP_HOST}:${SONARQUBE_MCP_PORT}/mcp
Frequently Asked Questions
- When should an AI agent use the SonarQube MCP Server?
- Use it when an AI coding workflow needs SonarQube quality and security context, such as analyzing generated code, searching project issues, reviewing findings before a commit, explaining quality-gate problems, or guiding remediation from SonarQube Cloud or SonarQube Server data.
- What does the SonarQube MCP Server add to an AI agent's capabilities?
- It gives the agent access to SonarQube analyzers and project issue data through MCP, enabling snippet analysis, file analysis through SonarQube for IDE, issue search, and quality/security feedback inside the coding workflow.
- What can an AI agent access or manage through SonarQube MCP?
- Depending on token permissions and integration mode, the agent can analyze snippets or files, search SonarQube issues in projects, work with SonarQube for IDE automatic analysis, and use findings to explain and propose fixes for quality and security problems.
- How is authentication configured for SonarQube MCP?
- Stdio mode uses SONARQUBE_TOKEN as an environment variable, with SONARQUBE_ORG for SonarQube Cloud or SONARQUBE_URL for SonarQube Server and Community Build. HTTP and HTTPS clients must use the Authorization Bearer header. Use user tokens for connected mode and never commit tokens to version control.
- Which transport should be used for SonarQube MCP?
- Use stdio with the official mcp/sonarqube container for local development and single-user setups. Use HTTPS for multi-user production deployments. HTTP is supported for shared deployments but is unencrypted and not recommended.