SonarQube

Seamless integration with SonarQube Server or Cloud for code quality and security analysis. Enables AI agents to analyze code snippets directly, search for issues, manage quality gates, review security hotspots, check dependency risks, improve test coverage, and more.

Features

• Code Analysis: Analyze code snippets with SonarQube analyzers to identify quality and security issues. Supports Java, Kotlin, Python, Ruby, Go, JavaScript, TypeScript, PHP, and more.
• Issue Management: Search and manage SonarQube issues with filtering by severity, status, software quality impacts, and projects.
• Security Hotspots: Search and review security hotspots with detailed rule information and status management.
• Quality Gates: Check quality gate status for projects and pull requests to ensure code meets quality standards.
• Test Coverage: Search for files by coverage and get line-by-line coverage details to identify areas needing test improvements.
• Code Duplications: Find duplicated code across projects and get duplication details for specific files.
• Dependency Risks: Analyze software composition issues and dependency vulnerabilities (SonarQube Server 2025.4+ with Advanced Security).
• Project & Pull Request Discovery: List projects and pull requests to understand your codebase structure.
• Rule Information: Get detailed information about SonarQube rules to understand quality requirements.
• Source Code Access: Retrieve raw source code and SCM information from SonarQube.
• Context Augmentation (SonarQube Cloud only, stdio mode): Advanced tools for architecture exploration, call flow tracing, dependency analysis, coding guidelines, and third-party dependency security checks. Requires organization entitlement and workspace mount.
• Integration with SonarQube for IDE: Connect to running SonarQube for IDE instances for automatic analysis.

Transport Modes

• Stdio (default): For local development and single-user setups
• HTTP/HTTPS: For multi-user production deployments with TLS encryption

Configuration Options

• Mount your project workspace at /app/mcp-workspace to reduce context bloat — the server reads files directly instead of passing content through the agent
• Selective tool enablement via SONARQUBE_TOOLSETS to reduce context overhead
• Read-only mode via SONARQUBE_READ_ONLY to disable write operations
• Custom SSL certificates for self-signed or private CA certificates
• Proxy support for HTTP, HTTPS, and SOCKS5
• Debug logging via SONARQUBE_DEBUG_ENABLED

Supported Languages

Java, Kotlin, Python, Ruby, Go, JavaScript, TypeScript, JSP, PHP, XML, HTML, CSS, CloudFormation, Kubernetes, Terraform, Azure Resource Manager, Ansible, Docker, and secrets detection.