● Official SonarSource 🔑 Requires your own key

SonarQube

von SonarSource · SonarSource/sonarqube-mcp-server

Pull SonarQube issues, hotspots, and quality-gate status into your AI workflow — triage findings and draft fixes without opening the SonarQube UI.

SonarSource's official MCP wraps SonarQube Server and SonarCloud APIs. Query issues by severity, type, component, or author; inspect security hotspots; read quality-gate status and new-code deltas. Best for weekly quality reviews and PR-time triage.


Install

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project configuration overrides the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Same structure as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "sonarqube",
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects instead of a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "sonarqube": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "sonarqube-mcp-server"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads on save.

claude mcp add sonarqube -- npx -y sonarqube-mcp-server

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use cases

Practical usage: SonarQube

Triage new SonarQube issues on a PR before review

👤 Reviewers who want to focus on humans, not lint ⏱ ~15 min beginner

When to use: A PR has 15 new Sonar findings. You want a 30-second summary: what's must-fix vs nitpick.

Prerequisites
  • Sonar token with Execute Analysis + Browse — Sonar UI → Account → Security → Generate token
  • Project key — Sonar project URL: /dashboard?id=<key>
Steps
  1. Pull new-code issues for the branch
    List issues for project <key>, branch <pr-branch>, sinceLeakPeriod=true. Group by severity.
    → New findings grouped
  2. Classify fix-worthiness
    For each BLOCKER/CRITICAL, show the file:line and rule. Mark which look like real bugs vs noise.
    → Triage list
  3. Draft fix suggestions
    For the real bugs, fetch the source snippet via the filesystem MCP and propose a minimal patch for each.
    → Per-issue diff suggestions

Result: A 1-screen PR triage with exactly the 3 things the reviewer should care about.

Pitfalls
  • Low-severity 'smells' drown out real bugs — Always filter severities to BLOCKER,CRITICAL,MAJOR for triage; MINOR/INFO in a separate batch
Combine with: github · filesystem

Generate a weekly quality-trend report across projects

👤 Engineering managers ⏱ ~25 min intermediate

When to use: Monday morning: where is tech debt trending across our 12 services?

Steps
  1. List projects and gate status
    List all projects with quality gate status. Flag any project that went from PASS to FAIL this week.
    → Regressions highlighted
  2. Summarize hotspots and new bugs
    For each failing project, pull open security hotspots and new bugs from the last 7 days. Top 3 per project.
    → Actionable issue list per project
  3. Format as a Markdown digest
    Produce a markdown report: section per project, table of new bugs/hotspots, coverage delta.
    → Report ready to post

Result: A weekly quality digest for your leadership review — consistent format every week.

Pitfalls
  • Projects with auto-generated code pollute the report — Exclude them via Sonar's sonar.exclusions; don't filter in the LLM — fix upstream
Combine with: notion

Review and triage security hotspots with context

👤 Appsec / security-champ engineers ⏱ ~45 min advanced

When to use: Quarterly security review: have all TO_REVIEW hotspots been decisioned?

Steps
  1. List unreviewed hotspots
    List hotspots with status TO_REVIEW for project <key>. Group by rule (e.g. sql-injection, xss).
    → Queue by category
  2. Pull code context
    For each hotspot, fetch the source snippet (±10 lines). Judge whether it's a real risk or safe-by-context.
    → Per-hotspot safe/risky verdict with reasoning
  3. Apply decisions
    For 'safe' hotspots, propose a resolution comment. I'll review batches of 5 and approve; then we'll apply.
    → Decision batches ready to apply

Result: A cleaned-up hotspot queue with auditable reasoning per decision.

Pitfalls
  • Mass-resolving without code context is dangerous — Always require Claude to cite the exact line(s) before marking safe
Combine with: filesystem · github

Pre-flight check: will this PR fail the quality gate?

👤 Developers pushing a PR ⏱ ~15 min intermediate

When to use: Before opening a PR: did I introduce coverage drops or new blockers?

Steps
  1. Kick off analysis (outside MCP) and wait
    Remind me to run sonar-scanner with branch=<pr-branch> locally. After it completes, I'll come back.
    → Analysis ID for this branch
  2. Read branch gate status
    Get quality gate status for branch <pr-branch> in project <key>. Show each condition + actual vs threshold.
    → Per-condition PASS/FAIL table
  3. Focus on failing conditions
    For each failing condition, list the top 5 contributing issues/files. Suggest one change per item.
    → Concrete fix list

Result: Know exactly which rule fails CI before you open the PR.

Pitfalls
  • Local analysis branch name doesn't match CI's — Pass -Dsonar.branch.name=<exact ci branch> explicitly
Combine with: github

Build a prioritized tech-debt backlog from Sonar data

👤 Tech leads planning a debt-paydown sprint ⏱ ~30 min intermediate

When to use: You have a sprint budget for tech debt; you want to pick the highest-ROI items.

Steps
  1. Pull all open issues with effort + severity
    For project <key>, pull open issues with effort (minutes) and severity. Exclude MINOR/INFO.
    → Issue set with effort data
  2. Cluster by file and rule
    Group issues by (file, rule). Sum effort per group. Rank top 20 groups — these are the fix-once-fix-many opportunities.
    → ROI-ranked groups
  3. Turn top 10 into Linear tickets
    For each of the top 10, create a Linear issue titled 'Refactor <file> to resolve N× <rule>' with estimated hours.
    → Tickets created + URLs

Result: A sprint-ready debt backlog sorted by actual cost-to-impact.

Pitfalls
  • Effort estimates are static — they don't reflect your team's velocity — Treat Sonar effort as relative; multiply by your team's calibration factor
Combine with: linear

Combinations

With other MCPs for 10x impact

sonarqube + github

Auto-comment Sonar triage on GitHub PRs

For PR #342, pull Sonar new-code issues for that branch, summarize critical ones, post as a PR review comment.
sonarqube + linear

Convert quality-gate regressions into Linear tickets

Any project that flipped gate to FAIL today: create a P2 Linear issue assigned to the project lead.
sonarqube + notion

Weekly quality report posted to Notion

Run the multi-project weekly quality digest; create a Notion page in 'Engineering / Quality / Weekly'.

Tools

What this MCP provides

Tool | Inputs | When to call | Cost
search_issues | project_key, severities?, types?, branch?, since?, resolved? | Main query tool for bugs/smells/vulns | free
get_issue | issue_key | Drill into one issue's flows and changelog | free
search_hotspots | project_key, status?, branch? | Security review workflows | free
get_quality_gate_status | project_key, branch? | Gate check for CI/PR workflows | free
list_projects | organization? | Discover projects in your org | free
get_metrics | project_key, metrics: str[], branch? | Pull coverage, duplications, tech-debt ratio etc. | free

Costs & limits

What it costs to run

API quota
SonarCloud: generous, undocumented (~hundreds req/min). Server: bounded by your infra.
Tokens per call
Issue searches: 500–3000 tokens depending on page size.
Cost in €
SonarQube Community is free. SonarCloud free for open-source; paid from ~$10/dev/mo.
Tip
Use ps (page size) 100 and paginate; fetching all issues at once blows context and is slower.
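As an added example (not part of this page or of SonarSource's server): a paginated query against the SonarQube Web API that applies the triage filters from the first use case above (BLOCKER/CRITICAL/MAJOR, resolved=false, sinceLeakPeriod) with ps=100 and groups the result by severity. The Fetcher type, the sonar.example URL, the project key and the rule keys are assumptions or constructed sample data.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, Iterator, List
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical fetcher type: takes a full URL, returns the parsed JSON body. A real one
# would wrap urllib/requests with HTTP basic auth (SONAR_TOKEN as user, empty password).
Fetcher = Callable[[str], dict]

def iter_issues(fetch: Fetcher, base_url: str, project_key: str, branch: str = "",
                severities=("BLOCKER", "CRITICAL", "MAJOR"), new_code_only: bool = True,
                page_size: int = 100) -> Iterator[dict]:
    """Walk /api/issues/search one page (ps=100) at a time instead of one huge request."""
    page = 1
    while True:
        params = {"componentKeys": project_key, "severities": ",".join(severities),
                  "resolved": "false",  # explicit: the default filter can hide issues
                  "sinceLeakPeriod": str(new_code_only).lower(), "ps": page_size, "p": page}
        if branch:
            params["branch"] = branch
        body = fetch(f"{base_url}/api/issues/search?{urlencode(params)}")
        issues = body.get("issues", [])
        yield from issues
        total = body.get("paging", {}).get("total", 0)
        # Stop when the reported total is exhausted (the API also caps p*ps at 10000).
        if not issues or page * page_size >= total or (page + 1) * page_size > 10000:
            break
        page += 1

def triage_by_severity(issues: Iterable[dict]) -> Dict[str, List[str]]:
    """Step 1 of the PR triage: 'file:line rule' entries grouped by severity."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for issue in issues:
        grouped[issue["severity"]].append(
            f"{issue['component']}:{issue.get('line', '?')} {issue['rule']}")
    return dict(grouped)

# Constructed sample: two pages of a fake /api/issues/search response (ps=2, total=3).
_PAGES = {
    1: [{"severity": "BLOCKER", "component": "svc:src/db.py", "line": 42, "rule": "demo:SQLI"},
        {"severity": "MAJOR", "component": "svc:src/app.py", "line": 7, "rule": "demo:UNUSED"}],
    2: [{"severity": "CRITICAL", "component": "svc:src/auth.py", "line": 88, "rule": "demo:CREDS"}],
}

def _fake_fetch(url: str) -> dict:
    page = int(parse_qs(urlparse(url).query)["p"][0])  # honour p= like the real API
    return {"paging": {"pageIndex": page, "pageSize": 2, "total": 3}, "issues": _PAGES[page]}

def demo_triage() -> Dict[str, List[str]]:
    """Runs the paginated query against the constructed pages and groups the result."""
    return triage_by_severity(iter_issues(_fake_fetch, "https://sonar.example", "svc", page_size=2))
```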

Security

Permissions, secrets, reach

Minimum scopes: Browse on the target project
Credential storage: SONAR_TOKEN (user or project token) in env; SONAR_URL for on-prem
Data egress: Calls to sonarcloud.io or your SonarQube URL only
Never grant: Administer Security, Global Admin

Troubleshooting

Common errors and fixes

401 Unauthorized

SONAR_TOKEN missing or revoked. Regenerate in Sonar UI → Account → Security.

Check: curl -u "$SONAR_TOKEN:" "$SONAR_URL/api/authentication/validate"

404 Component key not found

Project key is case-sensitive and differs from display name. Check project Dashboard URL param id=.

Branch not found

Sonar only keeps analyzed branches. Ensure your CI ran sonar-scanner with -Dsonar.branch.name=....

Empty results despite expected issues

Default filter may exclude resolved; pass resolved=false and sinceLeakPeriod=false explicitly.

Alternatives

SonarQube vs. others

Alternative | When instead | Trade-off
CodeQL / GitHub Advanced Security | You're on GitHub and want code scanning integrated with PRs | Narrower rule coverage for non-security issues
Semgrep MCP | You want fast, customizable static rules without a hosted platform | No dashboards / quality-gate concept out of the box

More

Resources

📖 Read the official README on GitHub

🐙 View open issues
