SonarQube MCP server
SonarQube is a continuous code quality and security platform that performs static analysis to detect bugs, code smells, security vulnerabilities, and security hotspots across 30+ languages. With this MCP server, AI agents can search projects and issues, review and transition security hotspots, inspect quality gate status, pull source code with coverage and SCM blame, and manage webhooks — across both SonarQube Server (self-hosted) and SonarQube Cloud (SonarCloud).
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose.
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
SonarQube's Web API uses user token (Bearer) authentication — there is no OAuth client credentials or authorization code flow for the Web API. Generate a User-type token and pass it as a Bearer token in the Authorization header.
| Value | Setting |
|---|---|
| Auth type | API key (Bearer token) |
| Token header | Authorization: Bearer {your-token} |
| Base URL (SonarCloud EU) | https://sonarcloud.io |
| Base URL (SonarCloud US) | https://sonarqube.us |
| Base URL (Cloud API subdomain) | https://api.sonarcloud.io / https://api.sonarqube.us |
| Base URL (Server) | https://{your-sonarqube-host} |
Generating a token
SonarQube Cloud (SonarCloud):
- Sign in to SonarCloud and open the account menu (top-right avatar).
- Go to My Account > Security.
- Under Generate Tokens, enter a name, choose a token type, optionally set an expiration, and select Generate.
- Copy the token immediately — it is shown only once.
SonarQube Server:
- Sign in and go to User > My Account > Security.
- Under Generate Tokens, choose the User token type (required for Web API access), enter a name, optionally set an expiration, and select Generate.
- Copy the token immediately and store it securely.
A user token inherits all permissions of the user who created it. Scope tokens to a least-privileged service account, set an expiration, and rotate before expiry — responses include a SonarQube-Authentication-Token-Expiration header to help track this.
Available tools
This MCP server maps the SonarQube Web API operations exposed by the official SonarQube MCP server, covering projects, issues, security hotspots, measures, quality gates, source inspection, and administration.
| Tool | Purpose |
|---|---|
| search_my_sonarqube_projects | Search projects/components you have access to |
| list_pull_requests | List pull requests analyzed for a project |
| search_sonar_issues_in_projects | Search issues across projects (bugs, vulnerabilities, code smells) |
| change_sonar_issue_status | Transition an issue (accept, false positive, reopen) |
| search_security_hotspots | Search security hotspots in a project |
| show_security_hotspot | Get details for a specific security hotspot |
| change_security_hotspot_status | Review and change a security hotspot's status |
| list_languages | List programming languages supported by the instance |
| search_metrics | Search available measure metrics |
| get_file_coverage_details | Get source lines including test coverage details |
| get_raw_source | Retrieve raw source code as text |
| get_scm_info | Get SCM blame information for a file |
| get_duplications | Get code duplication details for a file |
| show_rule | Get detailed information about an analysis rule |
| get_project_quality_gate_status | Get quality gate status for a project, branch, or PR |
| list_quality_gates | List quality gates for the organization or instance |
| create_webhook | Create a project or organization webhook |
| list_webhooks | List webhooks for a project or organization |
| get_system_health | Get instance health: GREEN, YELLOW, RED (Server only) |
| get_system_info | Get detailed system configuration (Server only) |
| get_system_logs | Download system logs (Server only) |
| ping_system | Liveness check; returns pong |
| get_system_status | Get instance state (STARTING, UP, DOWN, etc.) |
| list_portfolios | Search portfolio views (Server) / enterprise portfolios (Cloud) |
| search_dependency_risks | Search SCA dependency risks |
| list_enterprises | List accessible enterprises (Cloud only) |
| run_advanced_code_analysis | Submit a file for server-side advanced analysis, A3S (Cloud only) |
| analyze_file_list | Analyze files via a running SonarQube for IDE instance |
| toggle_automatic_analysis | Enable/disable automatic analysis in SonarQube for IDE |
| analyze_code_snippet | Run local SonarLint analysis (uses rules, quality profiles, and plugins APIs) |
Tips
- Use a least-privileged service account to issue tokens — a user token carries all of that user's permissions.
- Set token expirations and rotate proactively using the SonarQube-Authentication-Token-Expiration response header.
- Match the base URL to your deployment — SonarCloud EU (sonarcloud.io), SonarCloud US (sonarqube.us), or your self-hosted Server host. Some Cloud features (enterprises, SCA, advanced analysis) use the api. subdomain.
- Mind Server vs. Cloud query differences — for example, issue search uses components on Server but componentKeys on Cloud, and system endpoints (health, info, logs) are Server-only.
- Gate your pipelines on quality gate status — poll get_project_quality_gate_status to block merges or deploys when a project fails its gate.
- Triage security hotspots and issues by severity and use status transitions to keep findings actionable.
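The following Python snippet is an added example (not code from this page, SonarSource, or Cequence) that ties together the Authentication section and the tips above: it builds the Bearer header, picks the right issue-search parameter name for Server vs. Cloud, reads the token-expiration response header to decide whether rotation is due, and evaluates a quality gate payload. It assumes the expiration header carries an ISO 8601 timestamp with a numeric UTC offset, and the sample header and quality gate JSON are constructed for offline use.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple, List
from urllib.parse import urlencode

EXPIRY_HEADER = "SonarQube-Authentication-Token-Expiration"


def auth_headers(token: str) -> dict:
    """User tokens are sent as Bearer tokens; there is no OAuth flow for the Web API."""
    return {"Authorization": f"Bearer {token}"}


def issue_search_url(base_url: str, deployment: str, project_key: str) -> str:
    """Server expects 'components', Cloud expects 'componentKeys' on api/issues/search."""
    key_param = "components" if deployment == "server" else "componentKeys"
    params = {key_param: project_key, "resolved": "false"}  # only open issues
    return f"{base_url.rstrip('/')}/api/issues/search?{urlencode(params)}"


def token_days_left(response_headers: dict, now: datetime) -> Optional[float]:
    """Days until the token expires, or None if no expiration header was returned.
    Assumed header format (not confirmed by the page): 2026-01-01T00:00:00+0000."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    raw = lowered.get(EXPIRY_HEADER.lower())
    if raw is None:
        return None
    expires = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S%z")
    return (expires - now) / timedelta(days=1)


def rotation_due(response_headers: dict, now: datetime, threshold_days: float = 14) -> bool:
    """Flag a token for rotation when it expires within the threshold."""
    left = token_days_left(response_headers, now)
    return left is not None and left <= threshold_days


def quality_gate_verdict(payload: dict) -> Tuple[bool, List[str]]:
    """Evaluate api/qualitygates/project_status JSON: (passed, failing metric keys)."""
    status = payload["projectStatus"]
    failing = [c["metricKey"] for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"] == "OK", failing


# Constructed sample data standing in for real API responses.
SAMPLE_NOW = datetime(2025, 12, 2, tzinfo=timezone.utc)
SAMPLE_HEADERS = {EXPIRY_HEADER: "2026-01-01T00:00:00+0000"}
SAMPLE_GATE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "errorThreshold": "100", "actualValue": "50"},
    {"status": "OK", "metricKey": "new_coverage", "errorThreshold": "80", "actualValue": "91.2"}]}}
```

In a pipeline, a False verdict from quality_gate_verdict is the signal to block the merge or deploy, and a True rotation_due is the cue to issue a fresh token before the current one lapses.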
Cequence AI Gateway