Official SonarSource · Needs your key

SonarQube

by SonarSource · SonarSource/sonarqube-mcp-server

Pull SonarQube issues, hotspots, and quality-gate status into your AI workflow — triage findings and draft fixes without opening the SonarQube UI.

SonarSource's official MCP server wraps the SonarQube Server and SonarCloud Web APIs. Query issues by severity, type, component, or author; inspect security hotspots; read quality-gate status and new-code deltas. Best for weekly quality reviews and PR-time triage.


Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ],
      "env": {
        "SONAR_TOKEN": "<paste your Sonar token>",
        "SONAR_URL": "<https://your-sonarqube-host>"
      }
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving. SONAR_TOKEN and SONAR_URL are the variables named in the Security section below; drop SONAR_URL for SonarCloud. The token sits in plaintext in this file, so use a token scoped to Browse only and keep the file readable by your user alone.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "sonarqube",
      "command": "npx",
      "args": [
        "-y",
        "sonarqube-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "sonarqube": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "sonarqube-mcp-server"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add sonarqube -e SONAR_TOKEN=<token> -e SONAR_URL=<https://your-sonarqube-host> -- npx -y sonarqube-mcp-server

One-liner; -e sets the env vars named in the Security section below (drop SONAR_URL for SonarCloud). Verify with claude mcp list. Remove with claude mcp remove sonarqube.

Use Cases

Real-world ways to use SonarQube

Triage new SonarQube issues on a PR before review

Audience: reviewers who want to focus on humans, not lint · Time: ~15 min · Level: beginner

When to use: A PR has 15 new Sonar findings. You want a 30-second summary: what's must-fix vs nitpick.

Prerequisites
  • Sonar token with Browse on the project (Sonar UI → Account → Security → Generate token). Execute Analysis is only needed if the same token also runs sonar-scanner; the MCP server itself only reads.
  • Project key — Sonar project URL: /dashboard?id=<key>
Flow
  1. Pull new-code issues for the branch
     Prompt: List issues for project <key>, branch <pr-branch>, sinceLeakPeriod=true. Group by severity.
     → New findings grouped
  2. Classify fix-worthiness
     Prompt: For each BLOCKER/CRITICAL, show the file:line and rule. Mark which look like real bugs vs noise.
     → Triage list
  3. Draft fix suggestions
     Prompt: For the real bugs, fetch the source snippet via the filesystem MCP and propose a minimal patch for each.
     → Per-issue diff suggestions

Outcome: A one-screen PR triage listing only the findings the reviewer actually needs to look at.

Pitfalls
  • Low-severity 'smells' drown out real bugs — Always filter severities to BLOCKER,CRITICAL,MAJOR for triage; MINOR/INFO in a separate batch
Combine with: github · filesystem

Generate a weekly quality-trend report across projects

Audience: engineering managers · Time: ~25 min · Level: intermediate

When to use: Monday morning: where is tech debt trending across our 12 services?

Flow
  1. List projects and gate status
     Prompt: List all projects with quality gate status. Flag any project that went from PASS to FAIL this week.
     → Regressions highlighted
  2. Summarize hotspots and new bugs
     Prompt: For each failing project, pull open security hotspots and new bugs from the last 7 days. Top 3 per project.
     → Actionable issue list per project
  3. Format as a Markdown digest
     Prompt: Produce a markdown report: section per project, table of new bugs/hotspots, coverage delta.
     → Report ready to post

Outcome: A weekly quality digest for your leadership review — consistent format every week.

Pitfalls
  • Projects with auto-generated code pollute the report — Exclude them via Sonar's sonar.exclusions; don't filter in the LLM — fix upstream
Combine with: notion

Review and triage security hotspots with context

Audience: appsec / security-champion engineers · Time: ~45 min · Level: advanced

When to use: Quarterly security review: have all TO_REVIEW hotspots been decisioned?

Flow
  1. List unreviewed hotspots
     Prompt: List hotspots with status TO_REVIEW for project <key>. Group by rule (e.g. sql-injection, xss).
     → Queue by category
  2. Pull code context
     Prompt: For each hotspot, fetch the source snippet (±10 lines). Judge whether it's a real risk or safe-by-context.
     → Per-hotspot safe/risky verdict with reasoning
  3. Apply decisions
     Prompt: For 'safe' hotspots, propose a resolution comment. I'll review batches of 5 and approve; then we'll apply.
     → Decision batches ready to apply

Outcome: A cleaned-up hotspot queue with auditable reasoning per decision.

Pitfalls
  • Mass-resolving without code context is dangerous — Always require Claude to cite the exact line(s) before marking safe
Combine with: filesystem · github
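Step 3 and the pitfall above reduce to one rule: no hotspot is marked SAFE without a citation of the line it flags. The Python below is an added example, not code from the MCP server or SonarSource. It builds the TO_REVIEW queue by category and then turns reviewed decisions into the parameters of POST api/hotspots/change_status (hotspot, status=REVIEWED, resolution, comment), refusing any decision that lacks a known resolution, a reason, or a citation of the flagged line inside the ±10-line context step 2 fetched. The hotspots and decisions are constructed; the hotspot field names follow api/hotspots/search; the decision format (hotspot, resolution, cited_lines, reasoning) is this example's own convention. Applying the accepted batch needs Administer Security Hotspots on the project, more than the Browse scope the Security section recommends for everyday reads, so do it with a separate token.

```python
"""Guardrails for decisioning security hotspots in batches (hotspot use case,
steps 1 and 3). Added example, not the MCP server's code; SAMPLE_HOTSPOTS and
SAMPLE_DECISIONS are constructed, and the decision format is this file's own."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

CONTEXT_LINES = 10   # the +-10-line snippet step 2 fetches per hotspot
BATCH_LIMIT = 5      # step 3: apply at most five decisions per approved batch
MIN_REASONING = 20   # characters; forces an argument, not "looks fine"
# Resolutions accepted by api/hotspots/change_status together with status=REVIEWED.
RESOLUTIONS = {"SAFE", "FIXED", "ACKNOWLEDGED"}

# Constructed sample shaped like the hotspots[] array of api/hotspots/search.
SAMPLE_HOTSPOTS = [
    {"key": "AZ1", "component": "svc:src/main/java/Db.java", "line": 57,
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH", "status": "TO_REVIEW"},
    {"key": "AZ2", "component": "svc:src/main/java/Web.java", "line": 120,
     "securityCategory": "xss", "vulnerabilityProbability": "MEDIUM", "status": "TO_REVIEW"},
    {"key": "AZ3", "component": "svc:src/main/java/Db.java", "line": 200,
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH", "status": "TO_REVIEW"},
    {"key": "AZ4", "component": "svc:src/main/java/Cfg.java", "line": 9,
     "securityCategory": "weak-cryptography", "vulnerabilityProbability": "LOW", "status": "REVIEWED"},
]

# Constructed decisions as an assistant might draft them after reading the snippets.
SAMPLE_DECISIONS = [
    {"hotspot": "AZ1", "resolution": "SAFE", "cited_lines": [55, 57, 58],
     "reasoning": "Table name comes from a constant allowlist; no user input reaches the SQL string."},
    {"hotspot": "AZ2", "resolution": "SAFE", "cited_lines": [100],
     "reasoning": "Output is HTML-escaped by the template engine before rendering."},
    {"hotspot": "AZ3", "resolution": "SAFE", "cited_lines": [200, 215],
     "reasoning": "Parameter is validated against a numeric regex fifteen lines below."},
    {"hotspot": "AZ3", "resolution": "FIXED", "cited_lines": [200], "reasoning": "fixed"},
    {"hotspot": "AZ4", "resolution": "SAFE", "cited_lines": [9],
     "reasoning": "Already reviewed last quarter; this should not be re-decisioned."},
]


def queue_by_category(hotspots: List[dict]) -> Dict[str, List[str]]:
    """Step 1: only TO_REVIEW hotspots, grouped by Sonar's securityCategory."""
    queue: Dict[str, List[str]] = defaultdict(list)
    for h in hotspots:
        if h["status"] == "TO_REVIEW":
            queue[h["securityCategory"]].append(h["key"])
    return dict(queue)


def reject_reason(hotspot: dict, decision: dict) -> Optional[str]:
    """None if the decision is acceptable, otherwise why it is refused."""
    if decision.get("resolution") not in RESOLUTIONS:
        return "unknown resolution"
    if len(decision.get("reasoning", "").strip()) < MIN_REASONING:
        return "reasoning too short"
    cited = decision.get("cited_lines", [])
    if hotspot["line"] not in cited:
        return "does not cite the flagged line"
    if any(abs(n - hotspot["line"]) > CONTEXT_LINES for n in cited):
        return "cites lines outside the fetched context"
    return None


def build_batch(hotspots: List[dict], decisions: List[dict]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Turn decisions into change_status parameters; refused ones come back with
    the reason, so the refusals are auditable as well as the approvals."""
    queue = {h["key"]: h for h in hotspots if h["status"] == "TO_REVIEW"}
    accepted: List[dict] = []
    rejected: List[Tuple[str, str]] = []
    for d in decisions:
        key = d.get("hotspot", "?")
        hotspot = queue.get(key)
        if hotspot is None:
            rejected.append((key, "not in the TO_REVIEW queue"))
            continue
        if any(a["hotspot"] == key for a in accepted):
            rejected.append((key, "duplicate decision in batch"))
            continue
        if len(accepted) >= BATCH_LIMIT:
            rejected.append((key, "batch limit reached; resubmit in the next batch"))
            continue
        why = reject_reason(hotspot, d)
        if why:
            rejected.append((key, why))
            continue
        lines = ",".join(str(n) for n in sorted(d["cited_lines"]))
        accepted.append({
            "hotspot": key, "status": "REVIEWED", "resolution": d["resolution"],
            # The comment is what a later auditor sees in the hotspot's history.
            "comment": f"{d['reasoning'].strip()} [cited {hotspot['component']}:{lines}]",
        })
    return accepted, rejected


if __name__ == "__main__":
    print(queue_by_category(SAMPLE_HOTSPOTS))
    ok, refused = build_batch(SAMPLE_HOTSPOTS, SAMPLE_DECISIONS)
    print("apply:", ok)
    print("refused:", refused)
```

Each accepted dict maps one-to-one onto the form parameters of POST api/hotspots/change_status; post them only after the human reviewer has approved the printed batch, and keep the refused list with the batch record.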

Pre-flight check: will this PR fail the quality gate?

Audience: developers pushing a PR · Time: ~15 min · Level: intermediate

When to use: Before opening PR: did I introduce coverage drops or new blockers?

Flow
  1. Kick off analysis (outside MCP) and wait
     Prompt: Remind me to run sonar-scanner with branch=<pr-branch> locally. After it completes, I'll come back.
     → Analysis ID for this branch
  2. Read branch gate status
     Prompt: Get quality gate status for branch <pr-branch> in project <key>. Show each condition + actual vs threshold.
     → Per-condition PASS/FAIL table
  3. Focus on failing conditions
     Prompt: For each failing condition, list the top 5 contributing issues/files. Suggest one change per item.
     → Concrete fix list

Outcome: Know exactly which rule fails CI before you open the PR.

Pitfalls
  • Local analysis branch name doesn't match CI's — Pass -Dsonar.branch.name=<exact ci branch> explicitly
Combine with: github
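Step 2's "each condition, actual vs threshold" table comes straight from Sonar's api/qualitygates/project_status response, whose conditions carry a metricKey, a comparator, an errorThreshold, an actualValue and a status. The Python below is an added example, not code from the MCP server or SonarSource; it assumes the get_quality_gate_status tool hands back that endpoint's JSON unchanged, which is an assumption. It renders the table with failing conditions first, lists the failing metrics step 3 drills into, and re-evaluates every condition locally so a stale or hand-edited gate payload shows up as a disagreement. SAMPLE_GATE is a constructed response.

```python
"""Turn api/qualitygates/project_status into a per-condition PASS/FAIL table
with failing conditions first (pre-flight use case, step 2). Added example,
not the MCP server's code; SAMPLE_GATE is a constructed response."""
from typing import List, Tuple

# Sonar's comparator names the *error* direction: LT fails when actual < threshold,
# GT fails when actual > threshold (so "new_coverage LT 80" means "fail below 80").
COMPARATOR_SYMBOL = {"LT": "<", "GT": ">"}

Row = Tuple[str, str, str, str, str]   # metric, actual, fails-when, threshold, status


def breaches(actual: str, comparator: str, threshold: str) -> bool:
    """Re-evaluate one condition locally from its raw numbers."""
    a, t = float(actual), float(threshold)
    if comparator == "LT":
        return a < t
    if comparator == "GT":
        return a > t
    raise ValueError(f"unknown comparator {comparator!r}")


def condition_rows(body: dict) -> List[Row]:
    """One row per gate condition, ERROR rows first, then alphabetical."""
    rows: List[Row] = []
    for c in body["projectStatus"]["conditions"]:
        symbol = COMPARATOR_SYMBOL.get(c["comparator"], c["comparator"])
        actual = c.get("actualValue", "n/a")    # absent when Sonar has no value yet
        rows.append((c["metricKey"], actual, symbol, c["errorThreshold"], c["status"]))
    rows.sort(key=lambda r: (r[4] != "ERROR", r[0]))
    return rows


def failing_metrics(body: dict) -> List[str]:
    """The metric keys step 3 asks to drill into."""
    return [r[0] for r in condition_rows(body) if r[4] == "ERROR"]


def disagreements(body: dict) -> List[str]:
    """Conditions whose local re-evaluation contradicts Sonar's reported status,
    e.g. a stale or hand-edited gate payload; an empty list is the normal case."""
    out = []
    for c in body["projectStatus"]["conditions"]:
        if "actualValue" not in c:
            continue
        local = "ERROR" if breaches(c["actualValue"], c["comparator"], c["errorThreshold"]) else "OK"
        if local != c["status"]:
            out.append(c["metricKey"])
    return out


def render_table(rows: List[Row]) -> str:
    """Plain-text table: header, rule line, one line per condition."""
    header = ("metric", "actual", "fails when", "threshold", "status")
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(5)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*r) for r in rows]
    return "\n".join(lines)


# Constructed response for branch <pr-branch>, shaped like the real endpoint.
SAMPLE_GATE = {"projectStatus": {"status": "ERROR", "ignoredConditions": False, "conditions": [
    {"status": "OK", "metricKey": "new_reliability_rating", "comparator": "GT",
     "periodIndex": 1, "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "periodIndex": 1, "errorThreshold": "80", "actualValue": "72.3"},
    {"status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
     "periodIndex": 1, "errorThreshold": "3", "actualValue": "1.2"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
     "periodIndex": 1, "errorThreshold": "100", "actualValue": "50"},
]}}

if __name__ == "__main__":
    print(render_table(condition_rows(SAMPLE_GATE)))
    print("failing:", failing_metrics(SAMPLE_GATE))
    print("disagreements:", disagreements(SAMPLE_GATE))
```

The "fails when" column reads left to right with the threshold: new_coverage 72.3 fails when < 80. A non-empty disagreements() list means the verdict you are reading does not match the numbers beside it, so re-run the analysis before trusting the gate.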

Build a prioritized tech-debt backlog from Sonar data

Audience: tech leads planning a debt-paydown sprint · Time: ~30 min · Level: intermediate

When to use: You have a sprint budget for tech debt; you want to pick the highest-ROI items.

Flow
  1. Pull all open issues with effort + severity
     Prompt: For project <key>, pull open issues with effort (minutes) and severity. Exclude MINOR/INFO.
     → Issue set with effort data
  2. Cluster by file and rule
     Prompt: Group issues by (file, rule). Sum effort per group. Rank top 20 groups — these are the fix-once-fix-many opportunities.
     → ROI-ranked groups
  3. Turn top 10 into Linear tickets
     Prompt: For each of the top 10, create a Linear issue titled 'Refactor <file> to resolve N× <rule>' with estimated hours.
     → Tickets created + URLs

Outcome: A sprint-ready debt backlog sorted by actual cost-to-impact.

Pitfalls
  • Effort estimates are static — they don't reflect your team's velocity — Treat Sonar effort as relative; multiply by your team's calibration factor
Combine with: linear
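The issue queries behind this use case and the PR-triage use case (and the paging tip under Cost & Limits) all sit on Sonar's api/issues/search endpoint, which returns a paging object plus an issues array whose entries carry key, rule, severity, component, line and an effort string such as "1h10min". The Python below is an added example, not code from the MCP server or SonarSource. It pages through that endpoint with ps=100 and stops when pageIndex × pageSize reaches total, parses the effort strings, and produces both the severity buckets of the PR triage and the (file, rule) groups of this backlog. SAMPLE_ISSUES and fake_fetch are constructed so it runs offline; sonar_fetcher shows the real call, with the token as basic-auth user and an empty password, the same scheme as the curl check under Troubleshooting.

```python
"""Page through api/issues/search and bucket the results for PR triage (use
case 1) and a fix-once-fix-many backlog (use case 5). Added example, not the
MCP server's code; SAMPLE_ISSUES and fake_fetch are constructed stand-ins."""
import base64
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Sonar effort strings look like "5min", "1h30min" or "2d"; 1d is 8 working hours.
_EFFORT_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)min)?")


def effort_minutes(effort: Optional[str]) -> int:
    """Convert a Sonar effort string to minutes; a missing effort counts as 0."""
    if not effort:
        return 0
    m = _EFFORT_RE.fullmatch(effort.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unparseable effort: {effort!r}")
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return (days * 8 + hours) * 60 + mins


def sonar_fetcher(base_url: str, token: str) -> Callable[[dict], dict]:
    """Real fetcher: token as basic-auth user, empty password; needs Browse only."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(params: dict) -> dict:
        query = urllib.parse.urlencode(params)
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/issues/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def iter_issues(fetch: Callable[[dict], dict], params: dict,
                page_size: int = 100) -> Iterator[dict]:
    """Yield every issue across all pages. Sonar caps ps at 500; 100 keeps each
    page small enough for an LLM context window (the Cost & Limits tip)."""
    page = 1
    while True:
        body = fetch({**params, "p": page, "ps": page_size})
        yield from body["issues"]
        paging = body["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return
        page += 1


TRIAGE_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR")   # MINOR/INFO go in a separate batch


def triage_by_severity(issues: List[dict]) -> Dict[str, List[dict]]:
    """Use case 1: keep only the severities worth a reviewer's time, bucketed."""
    buckets: Dict[str, List[dict]] = {s: [] for s in TRIAGE_SEVERITIES}
    for issue in issues:
        if issue["severity"] in buckets:
            buckets[issue["severity"]].append(issue)
    return buckets


def backlog_groups(issues: List[dict], top: int = 20) -> List[Tuple[str, str, int, int]]:
    """Use case 5: group by (file, rule), sum effort, biggest groups first."""
    groups: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: {"count": 0, "minutes": 0})
    for issue in issues:
        if issue["severity"] in ("MINOR", "INFO"):
            continue
        g = groups[(issue["component"], issue["rule"])]
        g["count"] += 1
        g["minutes"] += effort_minutes(issue.get("effort"))
    ranked = sorted(groups.items(), key=lambda kv: (-kv[1]["minutes"], -kv[1]["count"], kv[0]))
    return [(f, r, g["count"], g["minutes"]) for (f, r), g in ranked[:top]]


# Constructed sample in the shape of api/issues/search output (not real data).
SAMPLE_ISSUES = [
    {"key": "AY1", "rule": "java:S2077", "severity": "BLOCKER", "type": "VULNERABILITY",
     "component": "svc:src/main/java/Repo.java", "line": 42, "effort": "30min", "status": "OPEN"},
    {"key": "AY2", "rule": "java:S1192", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Repo.java", "line": 10, "effort": "5min", "status": "OPEN"},
    {"key": "AY3", "rule": "java:S1192", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Repo.java", "line": 22, "effort": "5min", "status": "OPEN"},
    {"key": "AY4", "rule": "java:S3776", "severity": "CRITICAL", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Handler.java", "line": 88, "effort": "1h10min", "status": "OPEN"},
    {"key": "AY5", "rule": "java:S1116", "severity": "MINOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Handler.java", "line": 3, "effort": "2min", "status": "OPEN"},
    {"key": "AY6", "rule": "java:S1192", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "svc:src/main/java/Repo.java", "line": 31, "effort": "5min", "status": "OPEN"},
]


def fake_fetch(params: dict) -> dict:
    """Offline stand-in for sonar_fetcher() that pages through SAMPLE_ISSUES."""
    page, size = params["p"], params["ps"]
    start = (page - 1) * size
    return {"paging": {"pageIndex": page, "pageSize": size, "total": len(SAMPLE_ISSUES)},
            "issues": SAMPLE_ISSUES[start:start + size]}


if __name__ == "__main__":
    found = list(iter_issues(fake_fetch, {"componentKeys": "svc", "resolved": "false"}, page_size=2))
    for sev, items in triage_by_severity(found).items():
        print(sev, [i["key"] for i in items])
    for path, rule, n, minutes in backlog_groups(found):
        print(f"{minutes:4d} min  {n}x {rule}  {path}")
```

Swap fake_fetch for sonar_fetcher(SONAR_URL, SONAR_TOKEN) and pass the real query (componentKeys=<key>, branch=<pr-branch>, sinceLeakPeriod=true for the PR triage; resolved=false for the backlog) to run it against your instance. Sonar's effort is a fixed remediation estimate per rule, which is why the backlog ranks by summed minutes rather than treating it as calendar time.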

Combinations

Pair with other MCPs for 10x leverage

sonarqube + github

Auto-comment Sonar triage on GitHub PRs

Prompt: For PR #342, pull Sonar new-code issues for that branch, summarize critical ones, post as a PR review comment.
sonarqube + linear

Convert quality-gate regressions into Linear tickets

Prompt: Any project that flipped gate to FAIL today: create a P2 Linear issue assigned to the project lead.
sonarqube + notion

Weekly quality report posted to Notion

Prompt: Run the multi-project weekly quality digest; create a Notion page in 'Engineering / Quality / Weekly'.

Tools

What this MCP exposes

Tool | Inputs | When to call | Cost
search_issues | project_key, severities?, types?, branch?, since?, resolved? | Main query tool for bugs, smells and vulnerabilities | free
get_issue | issue_key | Drill into one issue's flows and changelog | free
search_hotspots | project_key, status?, branch? | Security review workflows | free
get_quality_gate_status | project_key, branch? | Gate check for CI/PR workflows | free
list_projects | organization? | Discover projects in your org | free
get_metrics | project_key, metrics: str[], branch? | Pull coverage, duplications, tech-debt ratio, etc. | free

Cost & Limits

What this costs to run

API quota
SonarCloud: generous but undocumented (on the order of hundreds of requests per minute). SonarQube Server: bounded only by your own infrastructure.
Tokens per call
Issue searches: 500–3000 tokens depending on page size.
Monetary
SonarQube Community is free. SonarCloud free for open-source; paid from ~$10/dev/mo.
Tip
Use ps=100 (page size) and paginate with p; Sonar caps ps at 500 anyway, and pulling every issue in one call both floods the model's context and is slower than paging.

Security

Permissions, secrets, blast radius

Minimum scopes: Browse on the target project. Everything in the tools table is read-only; resolving hotspots (the "apply decisions" step of the hotspot use case) additionally needs Administer Security Hotspots on that project, so do it with a separate, short-lived token and keep the everyday token at Browse.
Credential storage: SONAR_TOKEN in the server's environment; SONAR_URL for on-prem. Use a user token: a Project Analysis Token only permits analysis and cannot read issues. Client config files hold that env block in plaintext on disk.
Data egress: Calls to sonarcloud.io or your SonarQube URL only.
Never grant: Administer Security, global admin.

Troubleshooting

Common errors and fixes

401 Unauthorized

SONAR_TOKEN missing, revoked, or of the wrong type (a Project Analysis Token cannot read issues). Regenerate a user token in Sonar UI → Account → Security.

Verify: curl -u $SONAR_TOKEN: $SONAR_URL/api/authentication/validate (expect {"valid":true})
404 Component key not found

Project key is case-sensitive and differs from display name. Check project Dashboard URL param id=.

Branch not found

Sonar only keeps analyzed branches. Ensure your CI ran sonar-scanner with -Dsonar.branch.name=....

Empty results despite expected issues

The tool's defaults may be narrower than the UI (for example, new code only). Pass sinceLeakPeriod=false and resolved=false explicitly to list every open issue on the whole branch, and confirm the branch parameter names an analyzed branch.

Alternatives

SonarQube vs others

Alternative | When to use it instead | Tradeoff
CodeQL / GitHub Advanced Security | You're on GitHub and want code scanning integrated with PRs | Narrower rule coverage for non-security issues
Semgrep MCP | You want fast, customizable static rules without a hosted platform | No dashboards or quality-gate concept out of the box

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues
