SonarQube & SonarCloud MCP. Run deep code analysis commands directly from your AI agent.
Works with every AI agent you already use, and any MCP-compatible client.
Just plug in your AI agents and start using Vinkius.
The SonarQube & SonarCloud MCP Server connects deep static analysis directly to your AI client. It lets you query your entire code base for security flaws, technical debt metrics, and quality gate status without ever leaving chat or jumping through UIs.
Find bugs, see duplications, and check complex rules instantly.
What your AI agents can do
Get component tree
Maps out all files and directories in a SonarQube project, providing an overview of the component structure.
Get duplications
Calculates and retrieves blocks of duplicated code within a specific file, showing areas that need refactoring.
Get hotspots
Identifies sections of the project code flagged as high-risk security hotspots or manual review points.
- Get a single status report on whether the entire project passes its required quality standards.
- Search for codebase issues and security hotspots, filtering by severity like Critical or Blocker.
- Pull key performance indicators (KPIs) like unit test coverage percentages and technical debt rates for a project.
- Map out the entire file/directory hierarchy of a project to understand its architecture before coding.
- Fetch annotated source code for specific files, including exact line numbers where issues were flagged.
SonarQube & SonarCloud MCP Server: 9 Tools for Code Quality
These tools let your AI client perform deep code audits. They provide structured methods to find bugs, measure quality metrics, and map out complex project dependencies.
Get component tree
Maps out all files and directories in a SonarQube project, providing an overview of the component structure.
Get duplications
Calculates and retrieves blocks of duplicated code within a specific file, showing areas that need refactoring.
Get hotspots
Identifies sections of the project code flagged as high-risk security hotspots or manual review points.
Get measures
Gathers various code quality metrics for a project, like coverage and technical debt rate (Sqale Index).
Get quality gate status
Checks the overall status of a project's Quality Gate in one call, telling you if it passed or failed.
Get source code
Pulls annotated source code for any file, including line numbers and associated warnings.
List quality gates
Lists all quality gate definitions in SonarQube.
List rules
Retrieves a list of all available analysis rules used by the SonarQube instance, optionally filtered by language.
Search issues
Searches for code flaws across a project, allowing filtering by severity (Critical, Blocker, etc.).
Search projects
Lists all projects available in the SonarQube/SonarCloud instance and retrieves their unique keys.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built-in DLP, auth, and compliance on every call
- Real-time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with SonarQube & SonarCloud, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
Listen up. The SonarQube & SonarCloud MCP Server connects your static analysis, the deep-dive results from Sonar, right into your AI client. You don't have to jump between tabs or mess with UIs just to check code quality or find a bug. It lets your agent query the whole codebase for security issues, tech debt metrics, and whether the project even passes its own standards.
Find bugs, spot duplication, and verify complex rules instantly.
Project Mapping and Structure. You can start by listing every available project in your SonarQube/SonarCloud instance using search_projects. To get a full picture of what you're working with, use get_component_tree; this maps out all files and directories in the entire project, giving you a complete overview of its architecture. You can also call list_rules to retrieve every available analysis rule used by your SonarQube instance, optionally narrowing that list down by programming language.
Code Quality Gate Status. Before you commit anything, you need to know if it's good enough. Call get_quality_gate_status to check the project's overall status against its required quality standards in a single call; this tells you immediately if the gate passed or failed. If you need to see which gates exist at all, use list_quality_gates.
Measuring Technical Debt and Coverage. You can pull key performance indicators (KPIs) using get_measures. This gathers various code quality metrics for a project, like unit test coverage percentages and the technical debt rate, which Sonar calls the Sqale Index. If you need to know what rules are available to check these measurements, you'll look at list_rules.
Finding Flaws and Security Holes. To find specific security flaws or code smells, call search_issues. This searches for codebase issues across the entire project and lets your agent filter those results by severity—you can drill down to Critical, Blocker, or whatever else you're worried about. For high-risk areas, use get_hotspots; this identifies specific sections of the code flagged as potential security weak spots or manual review points.
To find duplicated code that needs cleaning up, run get_duplications, and it calculates and retrieves blocks of repeated code within a specified file.
Deep Dive Forensics. When you spot an issue, you need proof. Use search_issues to pinpoint specific flaws by severity, then use get_source_code to pull the annotated source code for any file. This includes exact line numbers and all associated warnings flagged by SonarQube. You can also manually look at a project's core files using get_component_tree if you need to understand exactly which folder a specific issue belongs to, or use search_projects to confirm the unique key of the project you're investigating.
How it Works. Your AI client uses these tools to check your code. You can ask for a status report, and it will execute get_quality_gate_status. It pulls all the raw data needed—from component mapping via get_component_tree to specific flaw reports from search_issues—and hands it back in context. This means you're always working with real metrics, not just vague suggestions.
How SonarQube & SonarCloud MCP Works
1. Subscribe to the server and provide your SonarQube or SonarCloud base URL.
2. Inject your dedicated Sonar User API Token securely into the connection settings.
3. Use your AI client (Claude, Cursor, etc.) to call specific tools like get_quality_gate_status to run an immediate analysis.
The bottom line is you tell your agent what check you need—like running search_issues—and it executes the API calls using your credentials.
Who Is SonarQube & SonarCloud MCP For?
Any developer tired of context switching. This tool is essential for Software Engineers who are constantly dealing with pull request reviews, DevSecOps staff needing to audit compliance before deployment, and Tech Leads managing project technical debt across multiple services.
- Software Engineers use get_source_code or search_issues when a PR fails review, demanding the exact line number and rule ID for a fix.
- DevSecOps staff run get_hotspots and check get_quality_gate_status before any merge to ensure no critical CVEs slip through.
- Tech Leads use get_component_tree or get_duplications to audit the overall project health and assess architectural debt.
What Changes When You Connect
- Cut out context switching. Instead of jumping between the dashboard, the issues tab, and the source file to diagnose a merge failure, you ask your agent to run get_quality_gate_status and get the full result in one chat exchange.
- Pinpoint security risks instantly. Need to know where the weak crypto is? Use get_hotspots. It pinpoints the exact files and lines that need attention, letting you then use get_source_code for a fix.
- Track technical debt without manual reports. Forget running ad-hoc queries. Call get_measures to get current coverage and tech debt rates (Sqale Index) on demand.
- Understand architecture before writing code. Use get_component_tree first. This gives you the full map of directories and files, helping you figure out if a new feature belongs in Module A or B.
- Stop bad commits early. Before merging, check search_issues. You can filter by Critical severity to ensure no blocker issues slip into the main branch.
Real-World Use Cases
Investigating a PR failure
A Pull Request fails CI because it has too many bugs. Instead of reading vague logs, you tell your agent to first run get_quality_gate_status. The response shows the gate failed due to 'Reliability' issues. You then prompt it: "What are the top 3 critical flaws?" which triggers search_issues and provides immediate remediation targets.
Auditing Project Duplication
A Tech Lead suspects a core module is bloated with repeated code. They ask the agent to list all components via get_component_tree, then focus on a key file and run get_duplications. The tool returns blocks of duplicated code, allowing the lead to plan a central refactor.
Compliance Check for CVEs
A DevSecOps engineer needs proof that a feature doesn't introduce known vulnerabilities. They run get_hotspots against the relevant service. The tool flags specific lines and rule IDs (e.g., S1452), giving the engineer precise details to update before approval.
Analyzing Technical Debt Impact
A team needs to justify refactoring a legacy module. They ask for the technical debt status and coverage using get_measures. The agent returns clear data points, like 'Tech Debt Rate: 14h 22min (Sqale Index)', providing quantifiable proof of work needed.
The Tradeoffs
Assuming one tool does it all
Asking the agent, "Fix all my bugs." This is too vague and doesn't tell the system where to look or what severity level matters.
→ You need a multi-step approach. First, run get_quality_gate_status to see why it failed. Then, use search_issues with a filter like 'Critical' and specify the project key to get actionable targets.
Ignoring component context
Running a broad search without knowing the file structure, resulting in thousands of irrelevant issues.
→ Start by calling get_component_tree first. This gives you the project map. Then, narrow your scope and use search_issues or get_hotspots against a specific component path.
Asking for code without context
Just saying "Show me the code." The agent doesn't know what code you mean.
→ Always specify both the file and the action. Use get_source_code on a specific path, like pages/api/submit.js, to get exactly what you need.
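The multi-step approach the tradeoffs above recommend (gate status, then severity-filtered issues, then a per-file source lookup), written out as an added example; this is not code from the Vinkius page or from the SonarQube MCP server. The response shapes follow the SonarQube Web API that get_quality_gate_status and search_issues wrap; the exact payloads the MCP tools return, the project key "web-app", and the issue keys, rules and paths are constructed for illustration.

```python
# Added example, not code from the Vinkius page or from the SonarQube MCP server:
# the triage sequence the page recommends (quality gate -> severity-filtered issues
# -> per-file source lookup), run over constructed responses. Shapes follow the
# SonarQube Web API; the exact payloads the MCP tools return are an assumption here.
from collections import defaultdict

SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}

# Constructed sample: a failed gate with one failing and one passing condition.
GATE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_reliability_rating", "actualValue": "3"},
    {"status": "OK", "metricKey": "new_coverage", "actualValue": "91.2"},
]}}

# Constructed sample: a trimmed search_issues result for project key "web-app".
# Component keys use SonarQube's "<projectKey>:<path>" form.
ISSUES = [
    {"key": "AX1", "severity": "BLOCKER", "rule": "javascript:S2068", "component": "web-app:pages/api/submit.js", "line": 17},
    {"key": "AX2", "severity": "CRITICAL", "rule": "javascript:S1452", "component": "web-app:src/auth/session.js", "line": 88},
    {"key": "AX3", "severity": "MINOR", "rule": "javascript:S1172", "component": "web-app:src/util.js", "line": 5},
    {"key": "AX4", "severity": "CRITICAL", "rule": "javascript:S3776", "component": "web-app:pages/api/submit.js", "line": 40},
]

def failed_conditions(gate):
    """Step 1: metric keys that made the Quality Gate fail ([] when it passed)."""
    status = gate["projectStatus"]
    if status["status"] == "OK":
        return []
    return [c["metricKey"] for c in status["conditions"] if c["status"] == "ERROR"]

def prioritize(issues, min_severity="CRITICAL"):
    """Step 2: keep issues at or above min_severity, worst first, then by file and line."""
    cutoff = SEVERITY_RANK[min_severity]
    kept = [i for i in issues if SEVERITY_RANK.get(i["severity"], 99) <= cutoff]
    return sorted(kept, key=lambda i: (SEVERITY_RANK[i["severity"]], i["component"], i["line"]))

def source_targets(issues):
    """Step 3: flagged lines grouped per file path, one get_source_code call each."""
    targets = defaultdict(list)
    for issue in issues:
        path = issue["component"].split(":", 1)[1]  # drop the project key prefix
        targets[path].append(issue["line"])
    return {path: sorted(lines) for path, lines in targets.items()}

def triage(gate, issues, min_severity="CRITICAL"):
    """Run the three steps; a passing gate short-circuits with nothing to fix."""
    reasons = failed_conditions(gate)
    if not reasons:
        return {"gate": "OK", "reasons": [], "issues": [], "targets": {}}
    top = prioritize(issues, min_severity)
    return {"gate": "ERROR", "reasons": reasons, "issues": top,
            "targets": source_targets(top)}
```

The MINOR issue is dropped by the default cutoff, and the two flags in pages/api/submit.js collapse into a single source lookup, which is the scoping the third tradeoff asks for.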
When It Fits, When It Doesn't
Use this MCP Server if your process involves combining data from multiple SonarQube views—specifically, when you need to check status (get_quality_gate_status), find flaws (search_issues), and see the underlying code/structure (get_source_code, get_component_tree) all in one go. This is ideal for PR reviews or pre-merge audits.
Don't use it if your only goal is a single, simple metric, like just checking unit test coverage. In that case, calling the direct API endpoint or using a dedicated monitoring dashboard might be faster. But when you need to connect those metrics (e.g., 'Coverage is low, so I need to check for duplications first'), this server is necessary.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by SonarQube. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Debugging code quality shouldn't require 8 different browser tabs.
Right now, finding a single Code Smell or checking if your latest commit actually passes the Quality Gate means jumping through hoops. You check the main dashboard for the status, then click into the 'Issues' tab to filter by severity, maybe opening another tab just to see which file is affected. It’s slow, and you lose context every time.
With this MCP server, that entire process collapses. Your agent runs `get_quality_gate_status` in one command. If it fails, you immediately follow up with `search_issues`, getting a filtered list of specific flaws—all without leaving your chat interface.
SonarQube & SonarCloud MCP Server: Deep Code Insight
Previously, finding the precise line number or understanding why duplication was flagged meant digging through raw API responses and manually cross-referencing files. You’d get a warning about 'high duplication,' but no easy way to see the code blocks causing it.
Now, you just ask for duplications on a file using `get_duplications`. The agent runs the check and returns exactly which lines are duplicated, letting you fix the issue instantly.
Common Questions About SonarQube & SonarCloud MCP
How do I know if my project is ready to merge? (using get_quality_gate_status)
Run get_quality_gate_status first. This tool checks all configured rules and gives you a single, definitive pass/fail status for your target project.
I need to find critical security issues in my codebase. Should I use search_issues or get_hotspots?
Use get_hotspots first; it identifies high-risk areas flagged by Sonar's rules. Then, use search_issues with a severity filter (Critical/Blocker) to find specific CVE details.
What is the best way to map out my entire project structure?
Use get_component_tree. It gives you a full, hierarchical list of every file and directory in the project scope. This is your starting point for any large audit.
How do I check if there's duplicated code in a specific file? (using get_duplications)
Run get_duplications and feed it the target file name. It will return all identified blocks of redundant code, helping you refactor efficiently.
Using `list_rules`, how can I view all the specific analysis rules applied to my codebase?
It pulls a list of every defined rule. You can filter by language or severity level to see exactly what Sonar enforces on your project, helping you understand why certain code patterns fail checks.
If I need general metrics like coverage and technical debt, which metric keys should I use with `get_measures`?
You pass a project key along with comma-separated metric keys. Use keys like coverage, sqale_index, or bugs to pull raw data points for deep analysis outside of the standard Quality Gate view.
Before running any other tool, how do I find the correct Project Key for a new repository using `search_projects`?
Run search_projects with keywords or names. This returns the required unique project key and name needed to run almost every single analysis command in this server.
When I use `get_source_code`, how do I retrieve the full annotated text for a specific file?
You must specify the exact file path. This tool pulls the raw source code lines directly from SonarQube, giving you the complete context and annotations needed to fix or refactor the code.
Can I connect this extension to my company's self-hosted, private SonarQube on-premise instance?
Yes! The tool requires a SONAR_BASE_URL credential. If your company uses https://sonar.internal-corp.local:9000, MCP traffic originating from your local desktop client is routed to that exact internal instance seamlessly, guaranteeing total compatibility even inside VPNs.
How can the AI know how to fix a Sonar 'Code Smell' specifically?
When the AI notices an identified smell from search_issues, it queries list_rules for the exact underlying Sonar rule ID definitions. Armed with the rigid logic rules enforced by SonarQube plus the get_source_code output for your file, the LLM patches the snippet flawlessly.
Can it inspect duplication limits and technical debt logic?
Yes. Ask the LLM to inspect technical debt by running get_measures with the 'sqale_index' metric. It can also pull specific chunk references using the get_duplications command, helping you extract redundant code safely.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.