sonarqube-api-mcp
Read-only MCP server that exposes SonarQube Web API tools for issue retrieval, quality gate status, and source context, enabling coding agents to fix code issues.
README
sonarqube-api-mcp
Docker-free SonarQube MCP server for read-only access to the SonarQube Web API.
Run it with:
npx sonarqube-api-mcp
Requirements
- Node.js 20+
- SonarQube token with permission to browse the target project
- No Docker
This package uses the public SonarQube Web API only. It does not use private SonarQube UI GraphQL endpoints.
It is designed for coding-agent workflows like:
- "fix all new code issues"
- "fix all overall code issues"
- "fix issues for this SonarQube project name"
The server stays read-only: it fetches SonarQube issues, source context, rule details, and quality data so the calling agent can edit the checked-out repository.
Configuration
Configure the server entirely through environment variables in mcp.json.
| Variable | Required | Description |
|---|---|---|
SONAR_HOST_URL |
Yes | SonarQube base URL. Trailing slashes are normalized. |
SONAR_TOKEN |
Yes | SonarQube token. Sent as Basic Auth using Authorization: Basic base64("${SONAR_TOKEN}:"). |
SONAR_PROJECT_KEY |
No | Default project key used by project-scoped tools when projectKey and projectName are omitted. |
Startup fails clearly when SONAR_HOST_URL or SONAR_TOKEN is missing.
Published package usage
{
"mcpServers": {
"sonarqube": {
"command": "npx",
"args": ["-y", "sonarqube-api-mcp"],
"env": {
"SONAR_HOST_URL": "https://sonarqube.yourcompany.com",
"SONAR_TOKEN": "YOUR_SONAR_TOKEN",
"SONAR_PROJECT_KEY": "hvmb-app"
}
}
}
}
Local package development
Build first:
npm install
npm run build
Then point your MCP client at the compiled entrypoint:
{
"mcpServers": {
"sonarqube-local": {
"command": "node",
"args": ["/absolute/path/to/sonarqube-api-mcp/dist/index.js"],
"env": {
"SONAR_HOST_URL": "https://sonarqube.yourcompany.com",
"SONAR_TOKEN": "YOUR_SONAR_TOKEN",
"SONAR_PROJECT_KEY": "hvmb-app"
}
}
}
}
Default project key
Set SONAR_PROJECT_KEY once and omit projectKey from project-scoped tool calls.
{
"mcpServers": {
"sonarqube": {
"command": "npx",
"args": ["-y", "sonarqube-api-mcp"],
"env": {
"SONAR_HOST_URL": "https://sonarqube.yourcompany.com",
"SONAR_TOKEN": "YOUR_SONAR_TOKEN",
"SONAR_PROJECT_KEY": "hvmb-app"
}
}
}
}
Example tool input:
{
"resolved": false,
"severities": ["BLOCKER", "CRITICAL"]
}
Per-tool project override
Every project-scoped tool accepts projectKey or projectName, which override SONAR_PROJECT_KEY for that call.
{
"projectKey": "another-project",
"branch": "main",
"metricKeys": ["coverage", "bugs", "vulnerabilities"]
}
If your infrastructure creates a SonarQube project per branch, pass the SonarQube project name directly:
{
"projectName": "repo-name-feature-branch",
"scope": "new_code"
}
If a name matches multiple projects, the tool returns candidates and asks the caller to retry with projectKey.
Tools
search_sonar_projects
Searches /api/projects/search to find project keys by SonarQube project name or key.
Inputs:
queryoptional stringpageSizeoptional number, defaults to100
get_sonar_fix_plan
Gets unresolved issues grouped by file for agentic fixing workflows.
Use this for prompts like "fix all new code issues" or "fix all overall code issues".
Inputs:
projectKeyoptional, falls back toSONAR_PROJECT_KEYprojectNameoptional, resolved through/api/projects/searchscopeoptional,new_codeoroverall, defaults tonew_codebranchoptionalpullRequestoptionalseveritiesoptional string arraystatusesoptional string arraytypesoptional string arrayimpactSeveritiesoptional string array for newer SonarQube versionsimpactSoftwareQualitiesoptional string array for newer SonarQube versionspageSizeoptional number, defaults to100maxIssuesoptional number, defaults to200includeSourceoptional boolean, defaults totrueincludeRulesoptional boolean, defaults tofalsecontextLinesoptional number, defaults to5
Example for new code:
{
"projectName": "hvmb-app-feature-branch",
"scope": "new_code",
"includeSource": true,
"includeRules": true
}
Example for overall code:
{
"projectKey": "hvmb-app",
"scope": "overall",
"maxIssues": 500
}
Returns clean JSON with:
- resolved project identity
- issue count and truncation flag
- optional rule details keyed by rule key
- files sorted by issue count
- issues per file
- merged source ranges around affected lines
get_sonar_issue_context
Gets one issue plus surrounding source lines and optional rule details.
Inputs:
issueKeyrequiredbranchoptionalpullRequestoptionalcontextLinesoptional number, defaults to5includeRuleoptional boolean, defaults totrue
search_sonar_issues
Searches /api/issues/search and handles pagination.
Inputs:
projectKeyoptional, falls back toSONAR_PROJECT_KEYprojectNameoptional, resolved through/api/projects/searchbranchoptionalpullRequestoptionalseveritiesoptional string arraystatusesoptional string arraytypesoptional string arrayimpactSeveritiesoptional string array for newer SonarQube versionsimpactSoftwareQualitiesoptional string array for newer SonarQube versionsinNewCodePeriodoptional booleanresolvedoptional boolean, defaults tofalsepageSizeoptional number, defaults to100
Returns clean JSON with issue key, rule, severity, type, message, component, filePath, line, textRange, effort, status, and tags.
get_quality_gate_status
Calls /api/qualitygates/project_status.
Inputs:
projectKeyoptional, falls back toSONAR_PROJECT_KEYprojectNameoptional, resolved through/api/projects/searchbranchoptionalpullRequestoptional
get_rule_details
Calls /api/rules/show.
Inputs:
ruleKeyrequired
get_component_measures
Calls /api/measures/component.
Inputs:
projectKeyoptional, falls back toSONAR_PROJECT_KEYprojectNameoptional, resolved through/api/projects/searchmetricKeysrequired string arraybranchoptionalpullRequestoptional
get_sonar_sources
Calls /api/sources/lines.
Inputs:
componentrequiredfromoptional numbertooptional numberbranchoptionalpullRequestoptional
Errors
SonarQube API errors are wrapped as JSON strings containing:
endpointstatusmessage
HTML error pages are never returned directly.
Development
npm install
npm run build
prepublishOnly runs the build before publishing.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.