● Official SonarSource 🔑 Requires your own key

SonarQube

by SonarSource · SonarSource/sonarqube-mcp-server

Pull SonarQube issues, hotspots, and quality-gate status into your AI workflow — triage findings and draft fixes without opening the SonarQube UI.

SonarSource's official MCP server wraps the SonarQube Server and SonarCloud Web APIs. Query issues by severity, type, component, or author; inspect security hotspots; read quality-gate status and new-code deltas. Best for weekly quality reviews and PR-time triage.


Installation

Choose your client

Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

Cursor: ~/.cursor/mcp.json (global) · .cursor/mcp.json (project)
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

Windsurf: ~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

Continue: ~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "sonarqube",
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects, not a map.

Zed: ~/.config/zed/settings.json
{
  "context_servers": {
    "sonarqube": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "sonarqube-mcp-server"
        ]
      }
    }
  }
}

Add the entry under context_servers. Zed reloads automatically.

Claude Code (CLI):
claude mcp add sonarqube -- npx -y sonarqube-mcp-server

One-liner. Verify with claude mcp list; remove with claude mcp remove sonarqube.

Use cases

Real-world scenarios: SonarQube

Triage new SonarQube issues on a PR before review

👤 Reviewers who want to focus on humans, not lint · ⏱ ~15 min · beginner

When to use: A PR has 15 new Sonar findings. You want a 30-second summary: what's must-fix vs nitpick.

Prerequisites
  • Sonar token with Browse on the project (Execute Analysis only if the same token also runs the scanner): Sonar UI → Account → Security → Generate token
  • Project key, taken from the Sonar project URL: /dashboard?id=<key>
Flow
  1. Pull new-code issues for the branch
    List issues for project <key>, branch <pr-branch>, sinceLeakPeriod=true. Group by severity.
    → New findings grouped
  2. Classify fix-worthiness
    For each BLOCKER/CRITICAL, show the file:line and rule. Mark which look like real bugs vs noise.
    → Triage list
  3. Draft fix suggestions
    For the real bugs, fetch the source snippet via the filesystem MCP and propose a minimal patch for each.
    → Per-issue diff suggestions

Outcome: A one-screen PR triage with exactly the three things the reviewer should care about.

Gotchas
  • Low-severity findings drown out real bugs: filter severities to BLOCKER,CRITICAL,MAJOR for triage and handle MINOR/INFO in a separate batch
Combine with: github · filesystem
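What the three prompts above ask the assistant to do, written out as an added Python example (this is not code from the SonarSource MCP server). It pages through issue results the way the Web API's api/issues/search does, keeps the triage severities only, and splits the result into must-fix and nitpick. The issue records, the project key "svc", the branch name and the fake_fetch_page stand-in for the HTTP call are constructed here so the example runs offline; the field names follow SonarQube's Web API.

```python
"""Added example (not code from the SonarSource MCP server): paginate
api/issues/search and produce the PR triage summary described above.
Field names follow SonarQube's Web API; the issue data is constructed."""
from collections import defaultdict

TRIAGE_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR")  # MINOR/INFO go in a separate batch
PAGE_SIZE = 100          # small pages keep each tool result to a few thousand tokens
MAX_RESULTS = 10_000     # api/issues/search refuses pages beyond p*ps = 10_000

# Constructed stand-in for the server's issue store (shape modelled on api/issues/search).
_ALL_ISSUES = [
    {"key": "AX1", "rule": "java:S2077", "severity": "BLOCKER", "type": "VULNERABILITY",
     "component": "svc:src/main/java/Dao.java", "line": 42, "resolution": None,
     "message": "Formatting SQL queries is security-sensitive."},
    {"key": "AX2", "rule": "java:S2259", "severity": "MAJOR", "type": "BUG",
     "component": "svc:src/main/java/Svc.java", "line": 88, "resolution": None,
     "message": "A NullPointerException could be thrown."},
    {"key": "AX3", "rule": "java:S1192", "severity": "MINOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Dao.java", "line": 10, "resolution": None,
     "message": "Define a constant instead of duplicating this literal."},
    {"key": "AX4", "rule": "java:S5542", "severity": "CRITICAL", "type": "VULNERABILITY",
     "component": "svc:src/main/java/Crypto.java", "line": 17, "resolution": None,
     "message": "Use secure mode and padding scheme."},
    {"key": "AX5", "rule": "java:S1854", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Svc.java", "line": 91, "resolution": None,
     "message": "Remove this useless assignment."},
    {"key": "AX6", "rule": "java:S2077", "severity": "BLOCKER", "type": "VULNERABILITY",
     "component": "svc:src/main/java/Old.java", "line": 3, "resolution": "WONTFIX",
     "message": "Formatting SQL queries is security-sensitive."},
]

def fake_fetch_page(params):
    """Stands in for GET /api/issues/search so the example runs offline.
    Applies the severities/resolved filters and pages the result like the real endpoint."""
    wanted = set(params["severities"].split(","))
    hits = [i for i in _ALL_ISSUES if i["severity"] in wanted
            and (params["resolved"] == "true" or i["resolution"] is None)]
    p, ps = params["p"], params["ps"]
    return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(hits)},
            "issues": hits[(p - 1) * ps: p * ps]}

def fetch_all_issues(fetch_page, project_key, branch, severities=TRIAGE_SEVERITIES,
                     page_size=PAGE_SIZE):
    """Walk every page of new-code issues for one branch; fetch_page(params) -> one page."""
    issues, page = [], 1
    while True:
        params = {"componentKeys": project_key, "branch": branch, "resolved": "false",
                  "inNewCodePeriod": "true",   # sinceLeakPeriod on servers older than 9.4
                  "severities": ",".join(severities), "ps": page_size, "p": page}
        data = fetch_page(params)
        issues.extend(data["issues"])
        if page * data["paging"]["pageSize"] >= data["paging"]["total"]:
            return issues
        page += 1
        if page * page_size > MAX_RESULTS:
            raise RuntimeError("over 10 000 results: narrow the query by type, rule or directory")

def must_fix(issue):
    """Reviewer-facing split: blockers/criticals and any bug or vulnerability are must-fix."""
    return issue["severity"] in ("BLOCKER", "CRITICAL") or issue["type"] in ("BUG", "VULNERABILITY")

def triage_counts(issues):
    counts = defaultdict(int)
    for i in issues:
        counts[i["severity"]] += 1
    return dict(counts)

def format_triage(issues):
    """One screen: must-fix first, then nitpicks, each as path:line severity rule message."""
    order = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}
    out = []
    for label, keep in (("MUST FIX", must_fix), ("NITPICK", lambda i: not must_fix(i))):
        group = sorted((i for i in issues if keep(i)), key=lambda i: (order[i["severity"]], i["key"]))
        out.append(f"{label} ({len(group)})")
        for i in group:
            path = i["component"].split(":", 1)[1]      # strip the "<projectKey>:" prefix
            out.append(f"  {path}:{i['line']}  {i['severity']}  {i['rule']}  {i['message']}")
    return "\n".join(out)

if __name__ == "__main__":
    found = fetch_all_issues(fake_fetch_page, "svc", "feature/pr-342", page_size=2)
    print(format_triage(found))
```

Swap fake_fetch_page for a function that performs the authenticated GET and the rest is unchanged; the MINOR issue and the WONTFIX one never reach the reviewer because the filters are applied in the query, not after the fact.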

Generate a weekly quality-trend report across projects

👤 Engineering managers · ⏱ ~25 min · intermediate

When to use: Monday morning: where is tech debt trending across our 12 services?

Flow
  1. List projects and gate status
    List all projects with quality gate status. Flag any project that went from PASS to FAIL this week.
    → Regressions highlighted
  2. Summarize hotspots and new bugs
    For each failing project, pull open security hotspots and new bugs from the last 7 days. Top 3 per project.
    → Actionable issue list per project
  3. Format as a Markdown digest
    Produce a markdown report: section per project, table of new bugs/hotspots, coverage delta.
    → Report ready to post

Outcome: A weekly quality digest for your leadership review, in the same format every week.

Gotchas
  • Projects with auto-generated code pollute the report: exclude them upstream via sonar.exclusions rather than filtering in the LLM
  • The gate endpoint returns only the current status: store each week's result so the PASS-to-FAIL comparison in step 1 has a baseline
Combine with: notion

Review and triage security hotspots with context

👤 AppSec / security-champion engineers · ⏱ ~45 min · advanced

When to use: Quarterly security review: have all TO_REVIEW hotspots been reviewed and decided?

Flow
  1. List unreviewed hotspots
    List hotspots with status TO_REVIEW for project <key>. Group by security category (e.g. sql-injection, xss).
    → Queue by category
  2. Pull code context
    For each hotspot, fetch the source snippet (±10 lines). Judge whether it's a real risk or safe-by-context.
    → Per-hotspot safe/risky verdict with reasoning
  3. Apply decisions
    For 'safe' hotspots, propose a resolution comment. I'll review batches of 5 and approve; then we'll apply.
    → Decision batches ready to apply

Outcome: A cleaned-up hotspot queue with auditable reasoning per decision.

Gotchas
  • Mass-resolving without code context is dangerous: require Claude to cite the exact line(s) before marking anything safe, and reject verdicts that don't
Combine with: filesystem · github
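The queue, the ±10-line context cut and the "cite the line or it isn't safe" guard from the flow and gotcha above, as an added Python example (not code from the SonarSource MCP server). The hotspot records and the two source files are constructed; field names follow api/hotspots/search. Everything else (the verdict vocabulary SAFE/RISKY, the line-reference syntax the guard accepts) is an assumption of this example, not something the server defines.

```python
"""Added example (not the MCP server's code): queue TO_REVIEW hotspots by category,
cut the ±10-line context a reviewer reads, and refuse a SAFE verdict that does not
cite a line inside that context. Hotspots and source files are constructed; field
names follow api/hotspots/search."""
import re
from collections import defaultdict

CONTEXT_LINES = 10
_PROBABILITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
_LINE_REF = re.compile(r"\bline\s+(\d+)\b|:(\d+)\b")   # accepts "line 30" or "src/db.py:30"

def _file(length, special):
    """Constructed source file: filler lines with a few meaningful ones at given numbers."""
    lines = [f"    pass  # filler line {n}" for n in range(1, length + 1)]
    for n, text in special.items():
        lines[n - 1] = text
    return lines

SOURCES = {
    "src/db.py": _file(40, {
        12: '    cur.execute(f"SELECT * FROM users WHERE name = \'{name}\'")',
        30: '    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))',
    }),
    "src/web.py": _file(20, {5: "    return f\"<h1>Hello {request.args['name']}</h1>\""}),
}

HOTSPOTS = [
    {"key": "H1", "component": "svc:src/db.py", "line": 12, "status": "TO_REVIEW",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
     "message": "Make sure using a dynamically formatted SQL query is safe here."},
    {"key": "H2", "component": "svc:src/web.py", "line": 5, "status": "TO_REVIEW",
     "securityCategory": "xss", "vulnerabilityProbability": "MEDIUM",
     "message": "Make sure this HTML is escaped."},
    {"key": "H3", "component": "svc:src/db.py", "line": 30, "status": "TO_REVIEW",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "MEDIUM",
     "message": "Make sure using a dynamically formatted SQL query is safe here."},
    {"key": "H4", "component": "svc:src/db.py", "line": 2, "status": "REVIEWED",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "LOW",
     "message": "already decided"},
]

def queue_by_category(hotspots, status="TO_REVIEW"):
    """Step 1: only the requested status, grouped by category, most likely first."""
    queue = defaultdict(list)
    for h in hotspots:
        if h["status"] == status:
            queue[h["securityCategory"]].append(h)
    for cat in queue:
        queue[cat].sort(key=lambda h: (_PROBABILITY[h["vulnerabilityProbability"]], h["component"], h["line"]))
    return dict(queue)

def context(hotspot, sources, radius=CONTEXT_LINES):
    """Step 2: (first, last, [(lineno, text), ...]) for ±radius lines around the hotspot."""
    path = hotspot["component"].split(":", 1)[1]
    lines = sources[path]
    first, last = max(1, hotspot["line"] - radius), min(len(lines), hotspot["line"] + radius)
    return first, last, [(n, lines[n - 1]) for n in range(first, last + 1)]

def validate_verdict(hotspot, sources, verdict, reasoning):
    """Step 3 guard: (accepted, why). SAFE needs a cited line inside the context window."""
    if verdict not in ("SAFE", "RISKY"):
        return False, "verdict must be SAFE or RISKY"
    if verdict == "RISKY":
        return True, "risky verdicts are escalated to a human, no citation check needed"
    first, last, _ = context(hotspot, sources)
    cited = {int(a or b) for a, b in _LINE_REF.findall(reasoning)}
    if not cited:
        return False, "no line cited; refusing to mark safe"
    if not cited & set(range(first, last + 1)):
        return False, f"cited {sorted(cited)} but the context is lines {first}-{last}"
    return True, "ok"

def review_batches(queue, size=5):
    """Flatten the queue into batches a human approves one at a time."""
    flat = [h for cat in sorted(queue) for h in queue[cat]]
    return [flat[i:i + size] for i in range(0, len(flat), size)]
```

The guard is deliberately one-sided: a RISKY verdict costs nothing if wrong, so it passes through, while a SAFE verdict is the one that silently closes a finding and therefore has to point at a line the reviewer can check.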

Pre-flight check: will this PR fail the quality gate?

👤 Developers pushing a PR · ⏱ ~15 min · intermediate

When to use: Before opening the PR: did I introduce coverage drops or new blockers?

Flow
  1. Kick off analysis (outside MCP) and wait
    Remind me to run sonar-scanner with branch=<pr-branch> locally. After it completes, I'll come back.
    → Analysis ID for this branch
  2. Read branch gate status
    Get quality gate status for branch <pr-branch> in project <key>. Show each condition + actual vs threshold.
    → Per-condition PASS/FAIL table
  3. Focus on failing conditions
    For each failing condition, list the top 5 contributing issues/files. Suggest one change per item.
    → Concrete fix list

Outcome: Know exactly which rule fails CI before you open the PR.

Gotchas
  • Local analysis branch name doesn't match CI's: pass -Dsonar.branch.name=<exact ci branch> explicitly
  • The scanner only uploads the report; the server processes it asynchronously. Reading the gate before that background task finishes returns the previous analysis
Combine with: github
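Step 2's per-condition table, as an added Python example (not code from the SonarSource MCP server). It re-evaluates each condition from the raw fields of api/qualitygates/project_status so the PASS/FAIL column can be cross-checked against the server's own verdict, and it handles the NO_VALUE case (a condition on new code when no new code has been analysed yet), which carries no actualValue and does not fail the gate. The response below is constructed; the field names and the GT/LT comparator values follow the Web API.

```python
"""Added example (not the MCP server's code): evaluate api/qualitygates/project_status
into the per-condition PASS/FAIL table from step 2 above. Response is constructed;
field names follow the Web API (comparator is GT or LT; status OK/ERROR/NO_VALUE)."""

# A condition FAILS when "actual <comparator> errorThreshold" holds.
_COMPARATORS = {"GT": lambda actual, threshold: actual > threshold,
                "LT": lambda actual, threshold: actual < threshold}

GATE_RESPONSE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "72.5"},
    {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
     "errorThreshold": "100", "actualValue": "50.0"},
    {"status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
     "errorThreshold": "3", "actualValue": "1.2"},
    {"status": "NO_VALUE", "metricKey": "new_violations", "comparator": "GT",
     "errorThreshold": "0"},   # nothing measured yet: no actualValue, does not fail the gate
]}}

def evaluate_conditions(response):
    """One row per condition with the server's verdict and our own re-evaluation."""
    rows = []
    for c in response["projectStatus"]["conditions"]:
        threshold = float(c["errorThreshold"])
        if "actualValue" not in c:
            rows.append({"metric": c["metricKey"], "actual": None, "threshold": threshold,
                         "comparator": c["comparator"], "reported": "NO_VALUE", "computed": "NO_VALUE"})
            continue
        actual = float(c["actualValue"])
        computed = "FAIL" if _COMPARATORS[c["comparator"]](actual, threshold) else "PASS"
        reported = "FAIL" if c["status"] == "ERROR" else "PASS"
        rows.append({"metric": c["metricKey"], "actual": actual, "threshold": threshold,
                     "comparator": c["comparator"], "reported": reported, "computed": computed})
    return rows

def failing_metrics(response):
    """The conditions step 3 should dig into."""
    return [r["metric"] for r in evaluate_conditions(response) if r["reported"] == "FAIL"]

def consistent(response):
    """True when our re-evaluation agrees with the server on every condition."""
    return all(r["reported"] == r["computed"] for r in evaluate_conditions(response))

def render_table(response):
    lines = [f"gate: {response['projectStatus']['status']}",
             f"{'metric':<34}{'actual':>8}  {'cmp':<3} {'threshold':>9}  result"]
    for r in evaluate_conditions(response):
        actual = "-" if r["actual"] is None else f"{r['actual']:g}"
        lines.append(f"{r['metric']:<34}{actual:>8}  {r['comparator']:<3} "
                     f"{r['threshold']:>9g}  {r['reported']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_table(GATE_RESPONSE))
```

If consistent() ever returns False on a real response, the table is being read from a stale or partially processed analysis; re-read after the background task completes rather than trusting either column.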

Build a prioritized tech-debt backlog from Sonar data

👤 Tech leads planning a debt-paydown sprint · ⏱ ~30 min · intermediate

When to use: You have a sprint budget for tech debt and want to pick the highest-ROI items.

Flow
  1. Pull all open issues with effort + severity
    For project <key>, pull open issues with effort (minutes) and severity. Exclude MINOR/INFO.
    → Issue set with effort data
  2. Cluster by file and rule
    Group issues by (file, rule). Sum effort per group. Rank the top 20 groups: these are the fix-once-fix-many opportunities.
    → ROI-ranked groups
  3. Turn top 10 into Linear tickets
    For each of the top 10, create a Linear issue titled 'Refactor <file> to resolve N× <rule>' with estimated hours.
    → Tickets created + URLs

Outcome: A sprint-ready debt backlog sorted by actual cost-to-impact.

Gotchas
  • Effort estimates are static and don't reflect your team's velocity: treat Sonar effort as relative and multiply by your team's calibration factor
Combine with: linear
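Steps 1 to 3 above as an added Python example (not code from the SonarSource MCP server or the Linear MCP). Sonar reports effort as a string such as "5min", "1h30min" or "2d" rather than as minutes, so the example first parses that format (one day is eight working hours in SonarQube's accounting), then clusters open issues by (file, rule), ranks by summed effort, and drafts the ticket payload with the calibration factor from the gotcha applied. The issue records are constructed; field names follow api/issues/search.

```python
"""Added example (not the MCP server's code): parse Sonar effort strings, cluster open
issues by (file, rule), rank by summed effort and draft the ticket title from step 3.
Issue data is constructed; effort strings use SonarQube's 'Xd Yh Zmin' format."""
import re
from collections import defaultdict

MINUTES_PER_DAY = 8 * 60   # SonarQube counts one day of remediation effort as 8 hours
_EFFORT_RE = re.compile(r"(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)min)?")

def effort_minutes(effort):
    """'5min' -> 5, '1h30min' -> 90, '2d' -> 960; a missing effort counts as 0."""
    if not effort:
        return 0
    m = _EFFORT_RE.fullmatch(effort.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"unrecognised effort string: {effort!r}")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days * MINUTES_PER_DAY + hours * 60 + mins

ISSUES = [  # constructed; shape modelled on api/issues/search
    {"key": "D1", "component": "svc:src/orders.py", "rule": "python:S3776", "severity": "CRITICAL", "effort": "20min"},
    {"key": "D2", "component": "svc:src/orders.py", "rule": "python:S3776", "severity": "CRITICAL", "effort": "20min"},
    {"key": "D3", "component": "svc:src/orders.py", "rule": "python:S3776", "severity": "MAJOR", "effort": "20min"},
    {"key": "D4", "component": "svc:src/auth.py", "rule": "python:S4423", "severity": "BLOCKER", "effort": "1h30min"},
    {"key": "D5", "component": "svc:src/orders.py", "rule": "python:S1192", "severity": "MINOR", "effort": "2h"},
    {"key": "D6", "component": "svc:src/legacy.py", "rule": "python:S1066", "severity": "MAJOR", "effort": "1d"},
    {"key": "D7", "component": "svc:src/legacy.py", "rule": "python:S1066", "severity": "MAJOR", "effort": None},
]

def rank_debt_groups(issues, top=20, excluded=("MINOR", "INFO")):
    """Group by (file, rule), sum effort, rank: highest total effort first, then most issues."""
    groups = defaultdict(lambda: {"count": 0, "minutes": 0, "severities": set()})
    for i in issues:
        if i["severity"] in excluded:
            continue
        path = i["component"].split(":", 1)[1]   # strip the "<projectKey>:" prefix
        g = groups[(path, i["rule"])]
        g["count"] += 1
        g["minutes"] += effort_minutes(i.get("effort"))
        g["severities"].add(i["severity"])
    ranked = sorted(groups.items(), key=lambda kv: (-kv[1]["minutes"], -kv[1]["count"], kv[0]))
    return ranked[:top]

def draft_ticket(group, calibration=1.0):
    """Ticket payload for one group; calibration scales Sonar's static effort to your team."""
    (path, rule), g = group
    return {"title": f"Refactor {path} to resolve {g['count']}× {rule}",
            "estimate_hours": round(g["minutes"] * calibration / 60, 1),
            "severities": sorted(g["severities"])}

if __name__ == "__main__":
    for grp in rank_debt_groups(ISSUES, top=10):
        print(draft_ticket(grp, calibration=1.5))
```

The MINOR issue D5 never enters a group even though its effort is the second largest in the set, which is the point of step 1's exclusion: the backlog ranks by what is worth fixing, not by everything Sonar can count.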

Combinations

Combine with other MCP servers

sonarqube + github

Auto-comment Sonar triage on GitHub PRs

For PR #342, pull Sonar new-code issues for that branch, summarize critical ones, post as a PR review comment.

sonarqube + linear

Convert quality-gate regressions into Linear tickets

Any project that flipped gate to FAIL today: create a P2 Linear issue assigned to the project lead.

sonarqube + notion

Weekly quality report posted to Notion

Run the multi-project weekly quality digest; create a Notion page in 'Engineering / Quality / Weekly'.

Tools

What this MCP exposes

Tool | Inputs | When to call | Cost
search_issues | project_key, severities?, types?, branch?, since?, resolved? | Main query tool for bugs, smells and vulnerabilities | free
get_issue | issue_key | Drill into one issue's flows and changelog | free
search_hotspots | project_key, status?, branch? | Security review workflows | free
get_quality_gate_status | project_key, branch? | Gate check for CI/PR workflows | free
list_projects | organization? | Discover projects in your org | free
get_metrics | project_key, metrics: str[], branch? | Pull coverage, duplications, tech-debt ratio etc. | free

Cost and limits

What it costs

API quota
SonarCloud: generous and undocumented (on the order of hundreds of requests per minute). Server: bounded by your own infrastructure.
Tokens per call
Issue searches: 500–3000 tokens depending on page size.
Money
SonarQube Community is free. SonarCloud is free for open source; paid plans start at about $10/dev/month.
Tip
Use ps (page size) 100 and paginate; fetching all issues at once blows the context window and is slower. The issue search also caps p*ps at 10,000 results, so slice large projects by type, rule or directory instead of paging to the end.

Security

Permissions, secrets, blast radius

Minimum scopes: Browse on the target project (read-only). Applying hotspot decisions additionally needs Administer Security Hotspots on that project; grant it per project, never globally.
Credential storage: SONAR_TOKEN (user or project token) and, for on-prem, SONAR_URL as environment variables. Put them in the server entry's env block rather than in args, so the token does not show up in process listings.
Outbound traffic: calls to sonarcloud.io or your SonarQube URL only.
Never grant: Administer Security, Global Admin.

Troubleshooting

Common errors and fixes

401 Unauthorized

SONAR_TOKEN is missing or revoked. Regenerate it in Sonar UI → Account → Security.

Check: curl -s -u "$SONAR_TOKEN:" "$SONAR_URL/api/authentication/validate" (the token is the username, the password is empty). A live token returns {"valid":true}.

404 Component key not found

The project key is case-sensitive and differs from the display name. Check the id= parameter in the project dashboard URL.

Branch not found

Sonar only keeps branches it has analysed. Ensure your CI ran sonar-scanner with -Dsonar.branch.name=.... Branch analysis needs SonarQube Developer Edition or higher, or SonarCloud; Community Edition analyses only the main branch.

Empty results despite expected issues

The tool's defaults may be narrower than you expect (new code only, unresolved only). Pass resolved=false and sinceLeakPeriod=false explicitly to see every open issue rather than only new-code ones; on SonarQube 9.4 and newer the parameter is inNewCodePeriod, sinceLeakPeriod being deprecated.

Alternatives

SonarQube compared

Alternative | When to use | Trade-off
CodeQL / GitHub Advanced Security | You're on GitHub and want code scanning integrated with PRs | Narrower rule coverage for non-security issues
Semgrep MCP | You want fast, customizable static rules without a hosted platform | No dashboards or quality-gate concept out of the box

More

Resources

📖 Read the official README on GitHub

🐙 Open issues