{"id":"lreimer-sonar-mcp-server","name":"sonar-mcp-server","homepage":null,"repo_url":"https://github.com/lreimer/sonar-mcp-server","category":"api-gateway","subcategories":[],"tags":["mcp","sonarqube","sonarqube-cloud","golang","stdio","sse","api-integration"],"what_it_does":"Provides an MCP server (stdio and SSE) for interacting with the SonarQube Cloud (SonarQube Cloud API) from an MCP-capable client, using a SONAR_TOKEN for authentication.","use_cases":["Enable LLM/MCP clients to query SonarQube Cloud for project/build/analysis information","Automate inspection workflows over SonarQube Cloud data via MCP tools","Use a local MCP server (Claude Desktop or MCP Inspector) for SonarQube-related assistant tasks"],"not_for":["Direct public exposure without authentication/authorization controls","Production deployments that require a documented SLA, robust operational guidance, or comprehensive compatibility guarantees","Organizations needing formal enterprise security/compliance documentation for this specific MCP wrapper"],"best_when":"You want to connect an MCP client to SonarQube Cloud using a token and you can run the MCP server yourself (local or Cloud Run).","avoid_when":"Avoid if you need well-documented API contracts, strong operational/reliability guarantees, or if you must know how the server maps SonarQube API pagination/rate limits and handles errors.","alternatives":["Call SonarQube Cloud REST API directly from your application (no MCP wrapper)","Use an existing SonarQube integration/SDK (if available for your language/runtime) and wrap it in your own MCP server","Create a thin MCP tool layer over SonarQube Cloud endpoints you 
need"],"af_score":46.0,"security_score":54.2,"reliability_score":22.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:51:50.994786+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Token via environment variable (SONAR_TOKEN)"],"oauth":false,"scopes":false,"notes":"Authentication appears to be via a single SONAR_TOKEN supplied as an environment variable to the MCP server. No OAuth flow or granular scope model is described in the provided README."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information for the MCP server itself; it is MIT-licensed open source. SonarQube Cloud may have its own pricing requirements (not covered in provided content)."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":46.0,"security_score":54.2,"reliability_score":22.5,"mcp_server_quality":55.0,"documentation_accuracy":45.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":80.0,"rate_limit_clarity":20.0,"tls_enforcement":70.0,"auth_strength":55.0,"scope_granularity":20.0,"dependency_hygiene":50.0,"secret_handling":75.0,"security_notes":"The README suggests supplying SONAR_TOKEN through an environment variable or Secret Manager on Cloud Run. However, it also shows deploying with --allow-unauthenticated, which makes the Cloud Run service invocable without IAM authentication and could expose the MCP server publicly unless additional network/IAM controls are applied. Because the server authenticates to SonarQube Cloud with its own SONAR_TOKEN, access to the endpoint should be restricted (for example, by requiring authenticated invocations or limiting ingress) before deploying this way. 
The README gives no further details about TLS termination, request authentication to the MCP endpoint, logging/redaction of secrets, or fine-grained scopes.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":30.0,"error_recovery":20.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"unknown","retry_guidance_documented":false,"known_agent_gotchas":["The README does not describe MCP tool names, input/output schemas, or pagination behavior; agents may need to introspect tools at runtime.","Rate limiting and retry/backoff behavior are not documented in the provided content.","Production deployment instructions include --allow-unauthenticated for Cloud Run, which may be a security pitfall if not otherwise protected."]}}