SonarQube MCP Server

Official SonarQube MCP server enabling AI agents to interact with SonarQube/SonarCloud code quality and security analysis — querying issues, security hotspots, quality gates, and code metrics.

Evaluated Mar 06, 2026 (version: current)
Category: Security. Tags: sonarqube, sonar, code-quality, mcp-server, official, sast, code-smells, security-hotspots
⚙ Agent Friendliness: 77 / 100 (Can an agent use this?)
🔒 Security: 80 / 100 (Is it safe for agents?)
⚡ Reliability: 82 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness
MCP Quality: 78
Documentation: 82
Error Messages: 78
Auth Simplicity: 80
Rate Limits: 65

🔒 Security
TLS Enforcement: 95
Auth Strength: 78
Scope Granularity: 68
Dep. Hygiene: 82
Secret Handling: 80

SonarCloud enforces HTTPS; on self-hosted SonarQube, TLS termination and certificate configuration are the operator's responsibility. Access is via user tokens that inherit the owning user's project permissions. SonarSource cites SOC 2 and ISO 27001 for the cloud service. Analysis output (issue locations, source snippets, security hotspots) reveals a lot about the codebase and should be treated as sensitive data.

⚡ Reliability
Uptime/SLA: 82
Version Stability: 85
Breaking Changes: 82
Error Recovery: 78

Best When

An agent needs to query SonarQube/SonarCloud for code quality metrics, security issues, or quality gate status.

Avoid When

You're using a different SAST platform — use that provider's tools.

Use Cases

  • Querying SonarQube issues for code quality review agents
  • Checking quality gate status before deployment from CI/CD agents
  • Reading security hotspots for vulnerability triage agents
  • Analyzing code coverage and duplication metrics from agents
  • Automated code quality reporting in development workflows

Not For

  • Teams using Snyk, Veracode, or CodeClimate exclusively
  • Dynamic testing (DAST) — SonarQube is SAST only
  • Non-code security testing

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
Yes

Authentication

Methods: api_token, bearer_token
OAuth: No
Scopes: No

User tokens inherit the project-level permissions of the user that created them. Global analysis tokens are meant for CI pipelines and can only submit analyses, not read issues. There are no fine-grained scopes: what a token can read or change is determined entirely by the owning user's permissions in Sonar, so issue tokens for agents from a dedicated user that has only the Browse permission on the projects it needs.

Pricing

Model: open-source
Free tier: Yes
Requires CC: No

The Community Edition is free to self-host. SonarCloud is free for public repositories. Paid editions add advanced security rules and multi-branch analysis.

Agent Metadata

Pagination
offset
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • Most operations take the project key, not the display name; pass the key in API calls
  • Self-hosted SonarQube and SonarCloud use different base URLs and differ in available features
  • Quality Gate conditions are structured objects (metric, comparator, threshold, actual value, per-condition status); agents must inspect each condition rather than rely on the overall status alone
  • Issues carry a status (open, confirmed, reopened, resolved, closed) and resolved issues a resolution (fixed, false-positive, won't fix); filter on status so closed or dismissed issues are not re-reported
  • TLS configuration on self-hosted instances is the operator's responsibility
  • An API token inherits the permissions of the user that created it, so a token's project-level access is governed by that user's permissions in Sonar
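The following client is an added example, not code from the SonarQube MCP Server or from SonarSource. It exercises the authentication and paging behaviour described in the Authentication section and the Known Gotchas above against the underlying SonarQube Web API (the page does not list the MCP server's tool names, so the example targets the REST endpoints `api/issues/search` and `api/qualitygates/project_status` directly): it refuses plain-HTTP base URLs unless explicitly allowed, sends the token as a Bearer header without ever printing it, walks offset (`p`/`ps`) pagination of issues filtered by status using the project key, and turns the quality gate's condition objects into a list of failing conditions. The host name, project key, token and all API responses are constructed so the example runs offline; the injectable `transport` callable is the hook that makes that possible.

```python
"""Minimal SonarQube/SonarCloud Web API client (added example, not the MCP
server's own code). Endpoint paths follow the public SonarQube Web API; every
host, key, token and response value below is constructed for illustration."""
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def url_is_acceptable(base_url: str, allow_insecure_http: bool = False) -> bool:
    """SonarCloud forces HTTPS; for self-hosted instances refuse plain http
    unless the caller opts in, since the token travels in a request header."""
    return base_url.startswith("https://") or (
        allow_insecure_http and base_url.startswith("http://")
    )


class SonarClient:
    def __init__(self, base_url, token, transport=None, allow_insecure_http=False):
        if not url_is_acceptable(base_url, allow_insecure_http):
            raise ValueError("refusing non-HTTPS SonarQube URL: " + base_url)
        self.base_url = base_url.rstrip("/")
        self._token = token
        # transport(path, params) -> dict; injectable so the example runs offline.
        self._transport = transport or self._http_get

    def __repr__(self):
        # Keep the token out of logs and tracebacks.
        return f"SonarClient({self.base_url!r}, token=<redacted>)"

    def _http_get(self, path, params):
        url = f"{self.base_url}/{path}?{urlencode(params)}"
        # Bearer tokens work on SonarCloud and SonarQube 10+; older self-hosted
        # servers accept only HTTP Basic with the token as username, empty password.
        req = Request(url, headers={"Authorization": f"Bearer {self._token}"})
        with urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def iter_issues(self, project_key, statuses=("OPEN", "CONFIRMED", "REOPENED"),
                    page_size=100):
        """Walk api/issues/search with offset paging (p/ps), filtering by status
        server-side. project_key is the project *key*, never its display name.
        The endpoint refuses p*ps beyond 10000; narrow the query rather than
        paging deeper."""
        page = 1
        while True:
            data = self._transport("api/issues/search", {
                "componentKeys": project_key,
                "statuses": ",".join(statuses),
                "ps": page_size,
                "p": page,
            })
            yield from data.get("issues", [])
            paging = data["paging"]
            if page * paging["pageSize"] >= paging["total"]:
                return
            page += 1

    def quality_gate(self, project_key):
        """Return (overall status, readable list of the conditions in ERROR)."""
        data = self._transport("api/qualitygates/project_status",
                               {"projectKey": project_key})
        ps = data["projectStatus"]
        failing = [
            f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} "
            f"(actual {c.get('actualValue')})"
            for c in ps.get("conditions", []) if c.get("status") == "ERROR"
        ]
        return ps["status"], failing


# Constructed sample responses: shape follows the real API, values are invented.
FAKE_RESPONSES = {
    ("api/issues/search", 1): {
        "paging": {"pageIndex": 1, "pageSize": 2, "total": 3},
        "issues": [
            {"key": "AY1", "rule": "python:S2068", "severity": "BLOCKER", "status": "OPEN",
             "component": "demo-project:app/db.py", "line": 12, "message": "Hard-coded credential"},
            {"key": "AY2", "rule": "python:S4423", "severity": "CRITICAL", "status": "CONFIRMED",
             "component": "demo-project:app/net.py", "line": 40, "message": "Weak TLS version"},
        ],
    },
    ("api/issues/search", 2): {
        "paging": {"pageIndex": 2, "pageSize": 2, "total": 3},
        "issues": [
            {"key": "AY3", "rule": "python:S2077", "severity": "MAJOR", "status": "REOPENED",
             "component": "demo-project:app/db.py", "line": 58, "message": "Formatted SQL query"},
        ],
    },
    ("api/qualitygates/project_status", None): {
        "projectStatus": {"status": "ERROR", "conditions": [
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "91.2"},
        ]},
    },
}


def fake_transport(path, params):
    return FAKE_RESPONSES[(path, params.get("p"))]


if __name__ == "__main__":
    # Token comes from the environment, never from source or command line.
    client = SonarClient(os.environ.get("SONAR_HOST_URL", "https://sonar.example"),
                         os.environ.get("SONAR_TOKEN", "dummy"), transport=fake_transport)
    for issue in client.iter_issues("demo-project"):
        print(issue["severity"], issue["component"], issue.get("line"), issue["message"])
    print(client.quality_gate("demo-project"))
```

To run against a real instance, drop the `transport=` argument, set `SONAR_HOST_URL` and `SONAR_TOKEN`, and make sure the token belongs to a user with only Browse on the projects the agent should see, since the token carries every permission that user has.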


Scores are editorial opinions as of 2026-03-06.
