sonar-mcp-server

Provides an MCP server (stdio and SSE) for interacting with the SonarQube Cloud (SonarQube Cloud API) from an MCP-capable client, using a SONAR_TOKEN for authentication.

Evaluated Apr 04, 2026 (17d ago)

Repo ↗ API Gateway mcp sonarqube sonarqube-cloud golang stdio sse api-integration

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

README suggests using a SONAR_TOKEN stored in an environment variable/Secret Manager for Cloud Run. However, it also shows deploying with --allow-unauthenticated, which could expose the MCP server publicly unless additional network/IAM controls are applied. No further details are provided about TLS termination, request authentication to the MCP endpoint, logging/redaction of secrets, or fine-grained scopes.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You want to connect an MCP client to SonarQube Cloud using a token and you can run the MCP server yourself (local or Cloud Run).

Avoid When

Avoid if you need well-documented API contracts, strong operational/reliability guarantees, or if you must know how the server maps SonarQube API pagination/rate limits and handles errors.

Use Cases

• Enable LLM/MCP clients to query SonarQube Cloud for project/build/analysis information
• Automate inspection workflows over SonarQube Cloud data via MCP tools
• Use a local MCP server (Claude Desktop or MCP Inspector) for SonarQube-related assistant tasks

Not For

• Direct public exposure without authentication/authorization controls
• Production deployments that require a documented SLA, robust operational guidance, or comprehensive compatibility guarantees
• Organizations needing formal enterprise security/compliance documentation for this specific MCP wrapper

Interface

REST API

GraphQL

gRPC

MCP Server

Yes

SDK

Webhooks

Authentication

Methods: Token via environment variable (SONAR_TOKEN)

OAuth: No Scopes: No

Authentication appears to be via a single SONAR_TOKEN supplied as an environment variable to the MCP server. No OAuth flow or granular scope model is described in the provided README.

Pricing

Free tier: No

Requires CC: No

No pricing information for the MCP server itself; it is MIT-licensed open source. SonarQube Cloud may have its own pricing requirements (not covered in provided content).

Agent Metadata

Pagination

unknown

Idempotent

False

Retry Guidance

Not documented

Known Gotchas

⚠ The README does not describe MCP tool names, input/output schemas, or pagination behavior; agents may need to introspect tools at runtime.
⚠ Rate limiting and retry/backoff behavior are not documented in the provided content.
⚠ Production deployment instructions include --allow-unauthenticated for Cloud Run, which may be a security pitfall if not otherwise protected.

Alternatives

Call SonarQube Cloud REST API directly from your application (no MCP wrapper) Use an existing SonarQube integration/SDK (if available for your language/runtime) and wrap it in your own MCP server Create a thin MCP tool layer over SonarQube Cloud endpoints you need

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for sonar-mcp-server.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-04-04.