@godrix/mcp-sonarqube
v1.0.1
Published
MCP Server for seamless SonarQube integration. Enables AI-driven code quality analysis and interaction with SonarQube metrics and insights.
Maintainers
godrixReadme
SonarQube MCP Server
A Model Context Protocol (MCP) server for analyzing code quality with SonarQube. Enables AI assistants to interact with SonarQube for code analysis, quality metrics, security hotspots, and more.
Features
- 12 Analysis Tools - Complete set of read-only tools for code analysis
- Smart Project Search - Find projects by repository name
- Security Analysis - Security hotspots and vulnerability detection
- Code Quality Metrics - Coverage, bugs, code smells, duplication
- Quality Gates - Check if code meets quality standards
- Branch Analysis - Compare quality across branches
- Source Code View - Inspect code with line numbers
- Rule Explanations - Understand why issues are flagged
- 3 AI Prompts - Intelligent analysis templates
Prerequisites
- Node.js 18+
- SonarQube account (SonarCloud or SonarQube Server)
- SonarQube authentication token
Quick Start
1. Install Dependencies
npm install2. Configure Environment
Create .env file:
SONARQUBE_URL=https://sonarcloud.io
SONARQUBE_TOKEN=your_token_hereGet your token:
- SonarCloud: https://sonarcloud.io → Account → Security → Generate Tokens
- SonarQube Server: Administration → Security → Users → Generate Token
3. Build
npm run build4. Configure MCP Client
Add to your MCP client configuration (e.g., Claude Desktop):
macOS/Linux (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"sonarqube": {
"command": "node",
"args": ["/absolute/path/build/server.js"],
"env": {
"SONARQUBE_URL": "https://sonarcloud.io",
"SONARQUBE_TOKEN": "your_token_here"
}
}
}
}5. Restart MCP Client
Restart Claude Desktop (or your MCP client) to load the server.
Authentication
The server uses Basic Authentication with automatic token conversion:
Your token: squ_abc123...
↓
Add colon: squ_abc123...:
↓
Base64: c3F1X2FiYzEyMy4uLjo=
↓
Header: Authorization: Basic c3F1X2FiYzEyMy4uLjo=This conversion happens automatically - just provide your token in the .env file.
Finding Project Keys
SonarQube uses projectKey to identify projects. Format is usually:
organization_repository-nameMethod 1: Search by Repository Name (Recommended)
"Find projects named 'my-repo'"
"Analyze project 'backend-api'"The AI will automatically:
- Search using
get-projectswith query - Find the correct projectKey
- Use it for analysis
Method 2: List All Projects
"List all SonarQube projects"Then use the projectKey from results.
Method 3: Check Local Files
Check these files in your repository:
sonar-project.properties→sonar.projectKey=...package.json→sonarqube.projectKeypom.xml→<sonar.projectKey>...</sonar.projectKey>build.gradle→property "sonar.projectKey", "..."
Available Tools
Projects & Overview (3)
- get-projects - List projects (supports search query)
- get-project-details - Get project information
- get-project-branches - List analyzed branches
Issues & Security (3)
- get-issues - Find bugs, vulnerabilities, code smells
- get-hotspots - Security hotspots requiring review
- get-hotspot-details - Detailed hotspot information
Quality & Metrics (3)
- get-metrics - Code quality metrics
- get-quality-gate-status - Check if quality gate passed
- get-project-analyses - Analysis history
Code Inspection (3)
- get-source-code - View source code with line numbers
- get-duplications - Find code duplication
- get-rule-details - Explain violated rules
AI Prompts
1. analyze-project-quality
Complete project analysis with insights and recommendations.
"Analyze project quality for 'my-repo'"2. generate-quality-report
Generate detailed quality report.
"Generate quality report for project 'backend-api'"3. prioritize-issues
Prioritize issues by severity and impact.
"Prioritize issues for project 'frontend'"Usage Examples
Basic Analysis
"Show critical bugs in project 'my-app'"
"What's the code coverage of 'backend-service'?"
"Did project 'frontend' pass the quality gate?"Branch Analysis
"Analyze issues in branch feature/new-feature"
"Compare quality between develop and main branches"Security Review
"Show unreviewed security hotspots"
"Explain hotspot ABC-123 in detail"
"Security vulnerabilities in new code"Code Review
"Show code where bug is on line 45"
"Find code duplications in UserService.java"
"Explain why rule java:S1144 was violated"Refactoring
"Which files have most code duplication?"
"Show refactoring opportunities"
"Identify code smells to clean up"Development
Test with MCP Inspector
npm run devThis opens the MCP Inspector for interactive testing.
Project Structure
@godrix/mcp-sonarqube/
├── src/
│ ├── server.ts # Main server
│ ├── services/
│ │ └── SonarQubeService.ts # API integration
│ ├── controllers/
│ │ ├── tools/
│ │ │ └── SonarQubeToolsController.ts # MCP tools
│ │ └── prompts/
│ │ └── SonarQubePromptController.ts # MCP prompts
│ └── model/
│ └── SonarQube.ts # TypeScript types
├── build/ # Compiled JavaScript
├── package.json
├── tsconfig.json
└── .env # Configuration (not versioned)Tool Reference
get-projects
List SonarQube projects with optional search.
Parameters:
query(optional) - Search by repository namepage(optional) - Page number (default: 1)pageSize(optional) - Items per page (default: 100)
get-issues
Search for code issues.
Parameters:
projectKey(required) - Project identifierbranch(optional) - Specific branchseverities(optional) - Filter: BLOCKER, CRITICAL, MAJOR, MINOR, INFOtypes(optional) - Filter: BUG, VULNERABILITY, CODE_SMELL, SECURITY_HOTSPOTissueStatuses(optional) - Filter: OPEN, CONFIRMED, FALSE_POSITIVE, ACCEPTED, FIXEDcreatedAfter(optional) - Date filter (YYYY-MM-DD)createdBefore(optional) - Date filter (YYYY-MM-DD)assignees(optional) - Filter by assignee (me for current user)tags(optional) - Filter by tags
get-metrics
Get code quality metrics.
Parameters:
projectKey(required) - Project identifiermetricKeys(required) - Array of metric names
Common metrics:
coverage- Test coveragebugs- Number of bugsvulnerabilities- Number of vulnerabilitiescode_smells- Number of code smellssqale_rating- Maintainability rating (A-E)reliability_rating- Reliability rating (A-E)security_rating- Security rating (A-E)duplicated_lines_density- Duplication percentagencloc- Lines of code (non-comment)
get-hotspots
Find security hotspots.
Parameters:
projectKey(required) - Project identifierbranch(optional) - Specific branchstatus(optional) - TO_REVIEW or REVIEWEDresolution(optional) - FIXED, SAFE, or ACKNOWLEDGEDinNewCodePeriod(optional) - Filter new code only
get-source-code
View source code with line numbers.
Parameters:
fileKey(required) - File identifier (format:project:path/to/file)from(optional) - Start lineto(optional) - End line
get-rule-details
Get detailed rule information.
Parameters:
ruleKey(required) - Rule identifier (format:language:ruleId)
Troubleshooting
Token Not Working
- Verify token is complete and correct
- Check token has Browse permission
- Generate new token if needed
Project Not Found
- Verify projectKey is correct
- Use
get-projectswith query to find it - Check you have access in SonarQube
Connection Errors
- Verify SONARQUBE_URL is correct
- For local server, ensure it's running
- Check firewall settings
Security
- ✅ Read-only operations (no modifications)
- ✅ Token stored in
.env(not versioned) - ✅ Basic Auth with base64 encoding
- ⚠️ Never commit
.envfile - ⚠️ Use tokens with minimum required permissions
API Rate Limits
Be aware of API rate limits:
- SonarCloud: Check your organization's limits
- SonarQube Server: Depends on server configuration
License
MIT
Contributing
Contributions welcome! Please ensure:
- TypeScript strict mode compliance
- English comments and documentation
- Tests for new features
- Update README for new tools
Links
Built with ❤️ using Model Context Protocol