# SonarQube & SonarCloud MCP

> SonarQube & SonarCloud MCP brings professional code quality analysis directly into your AI agent's workflow. Stop hunting through browser tabs to find vulnerabilities, technical debt reports, or test coverage metrics. This MCP lets you diagnose complex codebase issues—from security hotspots to duplication ratios—using plain language queries against self-hosted or cloud static analysis results.

## Overview
- **Category:** ship-it
- **Price:** Free
- **Tags:** static-analysis, code-quality, bug-detection, technical-debt, on-premise, code-security

## Description

Diagnosing code flaws used to mean juggling multiple dashboards and context switches every time you needed a single metric. Now, you can connect your self-hosted SonarQube instance or SonarCloud dashboard right into your AI client through Vinkius. Your agent talks directly to the analysis engine. Instead of manually filtering logs or running complex CLI commands, you simply ask for details—like finding all Critical security issues across a project or checking if the Quality Gate passed. You can pull raw code lines from specific components, measure test coverage, and even audit which rules were enabled without ever leaving your chat window. It turns massive technical debt reports into simple conversational facts.

## Tools

### get_component_tree
Gets a full, structured list of all files and directories within the SonarQube project, along with key metrics for each component.

### get_duplications
Calculates the amount of repeated code blocks found in a specified file across the entire codebase.

### get_hotspots
Identifies and lists specific sections of code that carry elevated security risk or require manual human review.

### get_measures
Retrieves key metrics, such as test coverage percentages (branch/line) and technical debt index, for the entire project.

### get_quality_gate_status
Checks if a project has passed or failed its defined quality standards, returning a simple pass/fail status.

### get_source_code
Retrieves annotated source code lines from SonarQube for a specified file path.

### list_quality_gates
List all quality gate definitions in SonarQube

### list_rules
Provides a list of all analysis rules that are enabled and active on your organization's platform.

### search_issues
Searches for code issues across the project, allowing you to narrow results by severity (like Critical or Major).

### search_projects
Finds project keys and names across your entire organization's SonarQube or SonarCloud setup, which are required for most other functions.

## Prompt Examples

**Prompt:** 
```
Search our primary repository and give me the official Quality Gate diagnostic.
```

**Response:** 
```
Running checks on `backend-main-api` using `get_quality_gate_status`.
**Gate Result: OK 🟢**

The most recent static checks successfully validated. Thresholds for Reliability facing bugs and Security ratings are comfortably within standard tolerance boundaries.
```

**Prompt:** 
```
Run a test coverage and technical debt measure retrieval on all core services.
```

**Response:** 
```
Invoked `get_measures` spanning metric keys `coverage,sqale_index` across your `core-srv-module` baseline.

- **Branch Coverage**: 85.3%
- **Line Coverage**: 81.6%
- **Tech Debt Rate**: 14h 22min (Sqale Index)

Do you want me to search issues to drop technical debt in half?
```

**Prompt:** 
```
Tell me the precise component lines hitting security hotspot alerts.
```

**Response:** 
```
Executing `get_hotspots` against origin `frontend-app-portal`:

1. 🔴 **Vulnerability Risk Level 1** -> Located in `pages/api/submit.js` (Component File)
- **Rule ID**: S1452 (Unvalidated Redirect / SSRF potential)
- **Line Source Area**: ~ L: 47

2. 🔴 **Vulnerability Risk Level 1** -> Located in `utils/hasher.js`
- **Rule ID**: S2278 (Weak cryptographic algorithm used for generic salts)

I can retrieve lines specifically natively via `get_source_code` if you're ready to fix this token loop now.
```

## Capabilities

### Check Code Health Status
Your agent verifies the overall quality gate status or retrieves specific code metrics, like unit test coverage and complexity indexes.

### Hunt Security Flaws
You pinpoint exact security vulnerabilities by filtering issues based on severity (Critical, Blocker, Major) or finding manually marked security hotspots in the codebase.

### Map Code Structure and Debt
The system provides a hierarchical view of all files and directories in the project and calculates code duplication levels for specific components.

### Review Source Code Details
You retrieve raw, annotated source code lines or list all active analysis rules to understand exactly what was checked during the build process.

### Discover Projects and Components
The agent helps you find project keys and map out the entire component tree structure of your application.

## Use Cases

### Investigating PR Failures
A developer knows their merge failed because the Quality Gate didn't pass. They prompt their agent: 'What are the top three issues preventing merging on Project X?' The agent runs `search_issues`, finds a Critical issue, and pulls the relevant component details via `get_component_tree`.

### Pre-Audit of Legacy Code
A tech lead is assigned to an old service. They prompt: 'Show me all code duplication in the user authentication module.' The agent uses `get_duplications` and presents a report, instantly quantifying the technical debt before any work begins.

### Security Vulnerability Deep Dive
A DevSecOps engineer needs to confirm if a specific payment processing file has known security flaws. They ask the agent to run `get_hotspots` against the component, getting line numbers and rule IDs for immediate investigation.

### Reporting Technical Debt
A team lead needs to report on overall code quality during a quarterly review. They prompt: 'What is the current branch coverage and tech debt rate?' The agent runs `get_measures` and provides clear, quantifiable metrics.

## Benefits

- Stop wasting time context switching. You can ask your AI agent for the `get_quality_gate_status` directly, getting an immediate pass/fail report without opening a single browser tab.
- Pinpoint security risks instantly. Use `search_issues` to filter code flaws by severity level (Critical, Blocker) and immediately know where to focus your refactoring effort.
- Measure technical debt with precision. Running the `get_measures` tool gives you actionable numbers on test coverage and tech debt rates across core services.
- Understand the entire codebase structure using `get_component_tree`. This lets you audit project dependencies and map out every file before starting development.
- Deep dive into code flaws by running `get_hotspots`. You find exactly which lines of code need a human eye, saving time on false positives.

## How It Works

The bottom line is that you get instant access to data points previously locked behind multiple web dashboards and command-line interfaces.

1. Subscribe to this MCP in Vinkius, providing the necessary connection URL for your self-hosted or cloud SonarQube instance.
2. Securely inject your required API Token into your AI client's configuration and authorize the connection.
3. Use plain language prompts with your AI agent—for example, 'What is the quality gate status of project X?'—to execute deep analysis queries.

## Frequently Asked Questions

**How do I find out what projects are available in SonarQube with the SonarQube & SonarCloud MCP?**
You use the `search_projects` tool. This function scans your entire organization's setup and returns a list of project keys and names, which you then need to pass to other tools for analysis.

**Can I check if my code passed quality standards using SonarQube & SonarCloud MCP?**
Yes, run the `get_quality_gate_status` tool. It gives an immediate status update (Pass/Fail) on whether your current build meets all defined quality requirements.

**How does the SonarQube & SonarCloud MCP help with code duplication?**
You use the `get_duplications` tool. This analyzes a specific file and quantifies exactly how many blocks of code are duplicated across your project, helping you target refactoring efforts.

**What is the best way to find vulnerabilities using this MCP?**
Start by running `search_issues`, filtering results by Critical or Blocker severity. If you need more detail on a specific risk, use `get_hotspots`.

**Does the SonarQube & SonarCloud MCP require me to know API details?**
No. You only need plain English prompts directed at your agent. The agent handles calling the specific tools, like `get_measures`, using the required project keys in the background.