● Official SonarSource 🔑 Requires your own key

SonarQube

Author: SonarSource · SonarSource/sonarqube-mcp-server

Pull SonarQube issues, hotspots, and quality-gate status into your AI workflow — triage findings and draft fixes without opening the SonarQube UI.

SonarSource's official MCP wraps SonarQube Server and SonarCloud APIs. Query issues by severity, type, component, or author; inspect security hotspots; read quality-gate status and new-code deltas. Best for weekly quality reviews and PR-time triage.

Why use it

Core features


Installation

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart the app after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers format as Claude Desktop. Project-level config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then choose "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Same format as Claude Desktop. Restart Windsurf for the change to take effect.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "sonarqube",
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "sonarqube": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "sonarqube-mcp-server"
        ]
      }
    }
  }
}

Add it under context_servers. Zed hot-reloads on save.

claude mcp add sonarqube -- npx -y sonarqube-mcp-server

One command does it. Verify with claude mcp list; remove with claude mcp remove.

Use cases

Practical workflows: SonarQube

Triage new SonarQube issues on a PR before review

👤 Reviewers who want to focus on humans, not lint ⏱ ~15 min beginner

When to use: A PR has 15 new Sonar findings. You want a 30-second summary: what's must-fix vs nitpick.

Prerequisites
  • Sonar token with Execute Analysis + Browse — Sonar UI → Account → Security → Generate token
  • Project key — Sonar project URL: /dashboard?id=<key>
Steps
  1. Pull new-code issues for the branch
    List issues for project <key>, branch <pr-branch>, sinceLeakPeriod=true. Group by severity.
    → New findings grouped
  2. Classify fix-worthiness
    For each BLOCKER/CRITICAL, show the file:line and rule. Mark which look like real bugs vs noise.
    → Triage list
  3. Draft fix suggestions
    For the real bugs, fetch the source snippet via the filesystem MCP and propose a minimal patch for each.
    → Per-issue diff suggestions

Result: A 1-screen PR triage with exactly the 3 things the reviewer should care about.

Caveats
  • Low-severity 'smells' drown out real bugs — Always filter severities to BLOCKER,CRITICAL,MAJOR for triage; MINOR/INFO in a separate batch
Pairs with: github · filesystem

Generate a weekly quality-trend report across projects

👤 Engineering managers ⏱ ~25 min intermediate

When to use: Monday morning: where is tech debt trending across our 12 services?

Steps
  1. List projects and gate status
    List all projects with quality gate status. Flag any project that went from PASS to FAIL this week.
    → Regressions highlighted
  2. Summarize hotspots and new bugs
    For each failing project, pull open security hotspots and new bugs from the last 7 days. Top 3 per project.
    → Actionable issue list per project
  3. Format as a Markdown digest
    Produce a markdown report: section per project, table of new bugs/hotspots, coverage delta.
    → Report ready to post

Result: A weekly quality digest for your leadership review — consistent format every week.

Caveats
  • Projects with auto-generated code pollute the report — Exclude them via Sonar's sonar.exclusions; don't filter in the LLM — fix upstream
Pairs with: notion

Review and triage security hotspots with context

👤 Appsec / security-champ engineers ⏱ ~45 min advanced

When to use: Quarterly security review: have all TO_REVIEW hotspots been decisioned?

Steps
  1. List unreviewed hotspots
    List hotspots with status TO_REVIEW for project <key>. Group by rule (e.g. sql-injection, xss).
    → Queue by category
  2. Pull code context
    For each hotspot, fetch the source snippet (±10 lines). Judge whether it's a real risk or safe-by-context.
    → Per-hotspot safe/risky verdict with reasoning
  3. Apply decisions
    For 'safe' hotspots, propose a resolution comment. I'll review batches of 5 and approve; then we'll apply.
    → Decision batches ready to apply

Result: A cleaned-up hotspot queue with auditable reasoning per decision.

Caveats
  • Mass-resolving without code context is dangerous — Always require Claude to cite the exact line(s) before marking safe
Pairs with: filesystem · github

Pre-flight check: will this PR fail the quality gate?

👤 Developers pushing a PR ⏱ ~15 min intermediate

When to use: Before opening a PR: did I introduce coverage drops or new blockers?

Steps
  1. Kick off analysis (outside MCP) and wait
    Remind me to run sonar-scanner with branch=<pr-branch> locally. After it completes, I'll come back.
    → Analysis ID for this branch
  2. Read branch gate status
    Get quality gate status for branch <pr-branch> in project <key>. Show each condition + actual vs threshold.
    → Per-condition PASS/FAIL table
  3. Focus on failing conditions
    For each failing condition, list the top 5 contributing issues/files. Suggest one change per item.
    → Concrete fix list

Result: Know exactly which rule fails CI before you open the PR.

Caveats
  • Local analysis branch name doesn't match CI's — Pass -Dsonar.branch.name=<exact ci branch> explicitly
Pairs with: github

Build a prioritized tech-debt backlog from Sonar data

👤 Tech leads planning a debt-paydown sprint ⏱ ~30 min intermediate

When to use: You have a sprint budget for tech debt; you want to pick the highest-ROI items.

Steps
  1. Pull all open issues with effort + severity
    For project <key>, pull open issues with effort (minutes) and severity. Exclude MINOR/INFO.
    → Issue set with effort data
  2. Cluster by file and rule
    Group issues by (file, rule). Sum effort per group. Rank top 20 groups — these are the fix-once-fix-many opportunities.
    → ROI-ranked groups
  3. Turn top 10 into Linear tickets
    For each of the top 10, create a Linear issue titled 'Refactor <file> to resolve N× <rule>' with estimated hours.
    → Tickets created + URLs

Result: A sprint-ready debt backlog sorted by actual cost-to-impact.

Caveats
  • Effort estimates are static — they don't reflect your team's velocity — Treat Sonar effort as relative; multiply by your team's calibration factor
Pairs with: linear

Combos

Pair with other MCPs for 10× leverage

sonarqube + github

Auto-comment Sonar triage on GitHub PRs

For PR #342, pull Sonar new-code issues for that branch, summarize critical ones, post as a PR review comment.
sonarqube + linear

Convert quality-gate regressions into Linear tickets

Any project that flipped gate to FAIL today: create a P2 Linear issue assigned to the project lead.
sonarqube + notion

Weekly quality report posted to Notion

Run the multi-project weekly quality digest; create a Notion page in 'Engineering / Quality / Weekly'.

Tools

Capabilities this MCP exposes

| Tool | Input parameters | When to call | Cost |
|---|---|---|---|
| search_issues | project_key, severities?, types?, branch?, since?, resolved? | Main query tool for bugs/smells/vulns | free |
| get_issue | issue_key | Drill into one issue's flows and changelog | free |
| search_hotspots | project_key, status?, branch? | Security review workflows | free |
| get_quality_gate_status | project_key, branch? | Gate check for CI/PR workflows | free |
| list_projects | organization? | Discover projects in your org | free |
| get_metrics | project_key, metrics: str[], branch? | Pull coverage, duplications, tech-debt ratio etc. | free |

Cost and limits

What it costs to run

API quota
SonarCloud: generous, undocumented (~hundreds req/min). Server: bounded by your infra.
Tokens per call
Issue searches: 500–3000 tokens depending on page size.
Pricing
SonarQube Community is free. SonarCloud is free for open-source; paid from ~$10/dev/mo.
Tip
Use ps (page size) 100 and paginate; fetching all issues at once blows the context window and is slower.
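The pagination and severity-filter pattern the tip and the triage workflow describe, as an added example that is not the MCP server's own code. It assumes the standard SonarQube Web API response shape for api/issues/search (a paging object plus an issues array) and injects the HTTP call so it runs offline against constructed data; the 10 000-result window is the Web API's own ceiling on p*ps.

```python
# Added example: page through SonarQube api/issues/search with ps=100 and
# bucket the results by severity for triage. fetch_page is injected, so the
# same logic runs against a real client or the constructed fake_fetch below.
from collections import defaultdict

PAGE_SIZE = 100            # the page's recommended ps
RESULT_CAP = 10_000        # Web API refuses to page past the first 10 000 hits
TRIAGE_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR")


def build_query(project_key, branch=None, severities=TRIAGE_SEVERITIES,
                new_code_only=True):
    """Query params for one page; severities are comma-joined as the API expects."""
    params = {"componentKeys": project_key,
              "severities": ",".join(severities),
              "resolved": "false",   # explicit, per the troubleshooting note below
              "ps": PAGE_SIZE}
    if branch:
        params["branch"] = branch
    if new_code_only:
        params["sinceLeakPeriod"] = "true"
    return params


def fetch_all_issues(fetch_page, base_params):
    """Call fetch_page(params) for p=1,2,... until paging.total is exhausted."""
    issues, page = [], 1
    while (page - 1) * PAGE_SIZE < RESULT_CAP:   # stay inside the API window
        resp = fetch_page({**base_params, "p": page})
        issues.extend(resp["issues"])
        if page * PAGE_SIZE >= resp["paging"]["total"]:
            break
        page += 1
    return issues            # if the cap was hit, narrow the query instead


def group_by_severity(issues):
    """Map severity -> ['component:line rule', ...] for a one-screen triage view."""
    groups = defaultdict(list)
    for it in issues:
        groups[it["severity"]].append(
            f'{it["component"]}:{it.get("line", "?")} {it["rule"]}')
    return dict(groups)


def fake_fetch(params):
    """Constructed stand-in for the HTTP call: 230 issues, every 10th a BLOCKER."""
    total, start = 230, (params["p"] - 1) * params["ps"]
    rows = range(start, min(start + params["ps"], total))
    sev = lambda i: "BLOCKER" if i % 10 == 0 else "MAJOR"
    return {"paging": {"pageIndex": params["p"], "pageSize": params["ps"], "total": total},
            "issues": [{"key": f"FAKE-{i}", "rule": "example:S0001",  # constructed rule key
                        "severity": sev(i), "component": "svc:src/Main.java", "line": i}
                       for i in rows]}
```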

Security

Permissions, secrets, blast radius

Least privilege: Browse on the target project
Credential storage: SONAR_TOKEN (user or project token) in env; SONAR_URL for on-prem
Data egress: Calls to sonarcloud.io or your SonarQube URL only
Never grant: Administer Security, Global Admin

Troubleshooting

Common errors and fixes

401 Unauthorized

SONAR_TOKEN missing or revoked. Regenerate in Sonar UI → Account → Security.

Verify: curl -u $SONAR_TOKEN: $SONAR_URL/api/authentication/validate

404 Component key not found

Project key is case-sensitive and differs from display name. Check project Dashboard URL param id=.

Branch not found

Sonar only keeps analyzed branches. Ensure your CI ran sonar-scanner with -Dsonar.branch.name=....

Empty results despite expected issues

Default filter may exclude resolved; pass resolved=false and sinceLeakPeriod=false explicitly.

Alternatives

SonarQube vs. other options

| Alternative | When to use it instead | Trade-off |
|---|---|---|
| CodeQL / GitHub Advanced Security | You're on GitHub and want code scanning integrated with PRs | Narrower rule coverage for non-security issues |
| Semgrep MCP | You want fast, customizable static rules without a hosted platform | No dashboards / quality-gate concept out of the box |

More

Resources

📖 Read the official README on GitHub

🐙 View open issues
