# SonarCloud MCP

> SonarCloud MCP lets you bring SonarCloud's static code analysis results directly into your AI agent's conversation. Instead of opening dashboards or running manual checks, your agent queries project bugs, technical debt metrics, quality gate results, and security findings on demand. Use it to confirm that a change passes your quality gate and carries no open vulnerabilities before it ships, without leaving your editor.

## Overview
- **Category:** ship-it
- **Price:** Free
- **Tags:** static-analysis, code-quality, technical-debt, security-hotspots, ci-cd-pipeline, code-review

## Description

Stop switching between your IDE and a separate quality dashboard just to check whether a pull request is safe to merge. This MCP connects SonarCloud's analysis results straight to your AI agent. You can ask things like "What's the current code coverage on the payment service?" and get an immediate answer with the metric values. It lets you list project bugs, assess technical debt, check the quality gate, and review reported vulnerabilities, all through natural chat. The agent reads the same data your CI/CD pipeline uses, so any code it writes or reviews can be checked against your organization's quality gate rather than against its own judgement. Through Vinkius, this MCP makes SonarCloud's analysis data available wherever your AI client connects.

## Tools

### get_issue_details
Retrieves specific information about a single reported code quality issue.

### get_project_measures
Fetches quality metrics, such as coverage, for a project or one of its components, given the component key and the metric keys you want.

### get_analysis_status
Pulls the most recent status of a code analysis run for any given project.

### get_quality_gate_status
Checks if a project's quality gate passed or failed, providing an immediate pass/fail signal.

### list_project_components
Lists all files and directories that make up the components within a target project.

### list_organizations
Retrieves a list of organizations connected to your user account.

### search_issues
Searches the issues SonarCloud has reported for a project, allowing you to filter results by component key or severity level.

### search_projects
Locates and lists available projects within your SonarCloud account using an organization key filter.

### search_users
Searches for specific user accounts associated with the connected organization.

## Prompt Examples

**Prompt:** 
```
Fetch the quality gate status of the main monolith backend project in SonarCloud.
```

**Response:** 
```
Querying `get_quality_gate_status` for `monolito-backend-core`:
**Status: ERROR 🔴**

The Quality Gate failed because coverage on new code is 74% (the gate requires at least 80%) and 2 new code smells were introduced. Want me to run `search_issues` to list the smells?
```

**Prompt:** 
```
List all registered organizations tied to my SonarCloud profile along with our connected users.
```

**Response:** 
```
Running organizational discovery (`list_organizations`) and user lookup (`search_users`).

**Organizations**:
- 🏢 `vinkius-global-labs` (Name: VinkiusLabs LLC)
- 🏢 `personal-dev-sandbox` (Name: Renan Sandbox Hub)

**Active Users under Global Scope**:
- `renato_admin` (Active)
- `carlos_dev` (Active)
- `samuel_ci_bot` (Service Account)

Let me know if you want the user list for one organization only.
```

**Prompt:** 
```
Pull all the 'Major' and 'Critical' open issues for the API backend service codebase.
```

**Response:** 
```
Querying `search_issues` on `api-backend-srv`, filtered to open issues with severity CRITICAL or MAJOR.

**Detected Issues (Filtered View):**
1. 🚨 **CRITICAL** (Bug): `NullPointerException` likely in `src/auth/tokenValidator.js` line 44 (Key: `AXb13k`)
2. 🚨 **CRITICAL** (Vulnerability): Hardcoded token visible in class `EmailMailer` at `src/services/mail.js` (Key: `AWz1L2`)
3. ⚠️ **MAJOR** (Code Smell): Cognitive complexity of `handleUserProcess()` exceeds the allowed threshold (18) in `controller.js` (Key: `AYx99m`)
```

## Capabilities

### Check Project Health Status
Use `get_quality_gate_status` to instantly check if a project passed all mandatory quality checks.

### Find Code Flaws and Vulnerabilities
Search for specific code quality issues using `search_issues` or get deep details on any finding with `get_issue_details`.

### Analyze Project Structure
Discover application projects via `search_projects` and map out the internal components of a codebase using `list_project_components`.

### Retrieve Key Metrics
Pull specific quality metrics, like code coverage percentages, for any project component using `get_project_measures`.

### Review Organization and Users
List all connected organizations with `list_organizations` or search for team members in your directory via `search_users`.

## Use Cases

### Reviewing a PR before Merge
A developer asks their agent, "What's the quality gate status for the API service?" The agent runs `get_quality_gate_status` and reports: "ERROR. Coverage on new code is 74%, below the mandatory 80%. Fix this before merging." The failing condition is visible before the merge, not after a broken release.

### Finding Hidden Vulnerabilities
A DevSecOps engineer wants to audit the authentication module. They tell their agent, "Find all CRITICAL vulnerabilities in `src/auth/`." The agent runs `search_issues` on that component at CRITICAL severity, keeps the hits whose type is Vulnerability (severity alone also returns bugs and code smells), and calls `get_issue_details` on each to report the rule, file and line. A hardcoded token surfaces here, before the change ships, and the token can be revoked and replaced.

### Assessing Project Scope
A Team Lead needs to know how many components are in the new payment service. They instruct their agent to use `list_project_components` to generate a full, accurate list of all files and directories for review.

### Mapping Organizational Access
A manager needs an overview of who can access which code base. They ask the agent to run `list_organizations` followed by `search_users`, generating a clean list of all connected entities and their active users.

## Benefits

- Stop digging through SonarCloud's UI. Ask your agent whether a project passed its quality gate; it calls `get_quality_gate_status` and gives you a clear pass/fail answer, plus the failing conditions, without switching tabs.
- Never manually search for bugs again. Use `search_issues` to filter for CRITICAL or MAJOR issues on a component, giving you an actionable list immediately.
- Understand the full scope of your codebase by using `list_project_components` to map out every file and directory within a project's hierarchy.
- Check the numbers before merging. `get_project_measures` pulls specific metrics, like coverage percentage, right into your chat window; pair it with `search_issues`, since coverage says how much code is tested, not whether it is safe.
- Manage team visibility easily by listing all connected organizations with `list_organizations` or finding users via `search_users`.

## How It Works

The bottom line is that your AI client reads SonarCloud's analysis results (quality gates, measures, issues, components, organizations and users) without you logging into the web dashboard. The tools are read-only: they report what SonarCloud has already analyzed and do not trigger new analyses or change issue status.

1. Subscribe to this MCP within Vinkius and provide your SonarCloud user token. The token inherits the permissions of the account that generated it, so the agent can read everything that account can read; generate it from an account that has only the browse access the agent needs, and revoke it from SonarCloud's account security settings if it leaks.
2. Tell your AI client the specific project or code base you want analyzed (e.g., 'Check the coverage for Project X').
3. Your agent runs the necessary checks, returning actionable data points like failure status or vulnerability counts directly in the chat.

## Frequently Asked Questions

**How do I use SonarCloud MCP to find security vulnerabilities?**
Use `search_issues` on the component you care about, filtered to CRITICAL (and BLOCKER) severity, then call `get_issue_details` on each hit. A severity filter returns bugs and code smells as well as vulnerabilities, so check the issue type in the results; `get_issue_details` then gives you the rule, file and line, for example for a hardcoded token. Issues already marked resolved or false-positive are not open findings and should be excluded from the count.
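As an added example (not Vinkius's or SonarCloud's code) of the decision logic behind the merge check described under How It Works and in this FAQ: the script below reads a quality gate response and an issue search response in the JSON shapes SonarCloud's Web API returns from `api/qualitygates/project_status` and `api/issues/search`, explains each failing gate condition, keeps only open bugs and vulnerabilities at or above a chosen severity, and produces a merge verdict. Both payloads are constructed for the example (the issue keys mirror the page's sample response; `AQr7f0`, the line numbers and `api-backend-srv` are hypothetical). The MCP tools' own parameter names are not documented on this page, so the filter builder targets the Web API's parameters.

```python
"""Merge verdict from SonarCloud results (added example, not Vinkius or SonarCloud code).

Operates on the JSON shapes SonarCloud's Web API returns from
api/qualitygates/project_status and api/issues/search. The payloads below
are constructed for this example, not real project data.
"""
import json

# Severity scale as SonarCloud reports it, lowest first.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}

# Constructed sample: the failed gate from the page's example response.
# A condition's comparator says when it FAILS: "LT" errors when the actual
# value is below errorThreshold (coverage-style metrics), "GT" when above.
GATE_PAYLOAD = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "74.0"},
    {"status": "OK", "metricKey": "new_duplicated_lines_density",
     "comparator": "GT", "errorThreshold": "3", "actualValue": "1.2"},
    {"status": "ERROR", "metricKey": "new_code_smells", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "2"},
]}}

# Constructed sample mirroring the page's issue list, plus one resolved
# vulnerability (hypothetical key AQr7f0) to show why status matters.
ISSUES_PAYLOAD = {"total": 4, "issues": [
    {"key": "AXb13k", "type": "BUG", "severity": "CRITICAL", "status": "OPEN",
     "component": "api-backend-srv:src/auth/tokenValidator.js", "line": 44},
    {"key": "AWz1L2", "type": "VULNERABILITY", "severity": "CRITICAL",
     "status": "OPEN", "component": "api-backend-srv:src/services/mail.js", "line": 12},
    {"key": "AYx99m", "type": "CODE_SMELL", "severity": "MAJOR", "status": "OPEN",
     "component": "api-backend-srv:src/controller.js", "line": 88},
    {"key": "AQr7f0", "type": "VULNERABILITY", "severity": "MAJOR",
     "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
     "component": "api-backend-srv:src/services/mail.js", "line": 40},
]}


def failing_conditions(gate_payload):
    """One human-readable line per failing quality gate condition."""
    out = []
    for cond in gate_payload["projectStatus"]["conditions"]:
        if cond["status"] == "OK":
            continue
        actual = float(cond["actualValue"])
        threshold = float(cond["errorThreshold"])
        if cond["comparator"] == "LT":   # fails when actual < threshold
            out.append(f"{cond['metricKey']} is {actual:g}, must be at least {threshold:g}")
        else:                            # "GT": fails when actual > threshold
            out.append(f"{cond['metricKey']} is {actual:g}, must be at most {threshold:g}")
    return out


def issue_search_params(component_key, min_severity="MAJOR",
                        types=("VULNERABILITY", "BUG")):
    """Query parameters for api/issues/search.

    Severity alone returns bugs and code smells as well as vulnerabilities, so
    the type filter is what narrows a search to security findings. Without
    resolved=false the API also returns issues already fixed, won't-fix or
    false-positive, which would inflate the count.
    """
    sevs = [s for s, r in SEVERITY_RANK.items() if r >= SEVERITY_RANK[min_severity]]
    return {"componentKeys": component_key, "severities": ",".join(sevs),
            "types": ",".join(types), "resolved": "false"}


def blocking_issues(issues_payload, min_severity="MAJOR",
                    types=("VULNERABILITY", "BUG")):
    """Apply the same filter client-side, worst severity first.

    Filtering locally as well means the verdict does not depend on the caller
    having passed the right server-side parameters.
    """
    keep = [i for i in issues_payload["issues"]
            if i["type"] in types
            and SEVERITY_RANK[i["severity"]] >= SEVERITY_RANK[min_severity]
            and i["status"] in ("OPEN", "CONFIRMED", "REOPENED")]  # not RESOLVED/CLOSED
    keep.sort(key=lambda i: -SEVERITY_RANK[i["severity"]])  # stable: keeps API order within a rank
    return keep


def merge_verdict(gate_payload, issues_payload):
    """Merge only when the gate passes and no open blocking issues remain."""
    reasons = failing_conditions(gate_payload)
    issues = blocking_issues(issues_payload)
    return {"merge_ok": not reasons and not issues,
            "gate_status": gate_payload["projectStatus"]["status"],
            "gate_reasons": reasons,
            "blocking_issue_keys": [i["key"] for i in issues]}


if __name__ == "__main__":
    print(json.dumps(issue_search_params("api-backend-srv"), indent=2))
    print(json.dumps(merge_verdict(GATE_PAYLOAD, ISSUES_PAYLOAD), indent=2))
```

The gate explanation is derived from the `comparator` field rather than guessed from the metric name, so it stays correct for any condition your organization adds; the client-side status check is what keeps a false-positive-marked vulnerability out of the blocking list even if a caller forgot `resolved=false`.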

**Can SonarCloud MCP tell me if my code coverage is enough?**
Yes. You use `get_project_measures`, specifying 'coverage' as the metric key, to pull the current percentage for any project component and compare it against your required minimum.

**What do I need to link SonarCloud MCP?**
You must provide a valid SonarCloud user token during setup, generated from the account's security settings in SonarCloud. That token is how your agent gains permission to read your organization's data; it inherits the permissions of the account that generated it, so use an account with only the read access the agent needs, and revoke the token from the same settings page if it is ever exposed.

**Does the SonarCloud MCP support multiple projects?**
Yes, you can use `search_projects` to find all available project keys and then run checks like `get_quality_gate_status` against each one individually.