Model Context Protocol moderate risk

Fastmcp Sonarqube Metrics

Provides tools to interact with SonarQube via FastMCP, enabling programmatic access to metrics, project management, and issue retrieval for analysis and reporting.

Connections & Capabilities

Connects To

GitHub

Capabilities

readwriteadmin

Quickstart

Install

pip install fastmcp

Config

{
    "mcpServers": {
        "fastmcp-sonarqube-metrics": {
            "command": "uv",
            "args": [
                "--directory",
                "/ABSOLUTE/PATH/TO/PARENT/FOLDER/fastmcp-sonarqube-metrics",
                "run",
                "server.py"
            ]
        }
    }
}

Exposed MCP Tools (8)

safe

get_status

Performs a health check on the configured SonarQube instance.

Read-only operation, no side effects.

moderate

create_sonarqube_project

Creates a new SonarQube project.

Requires administrator privileges, but creates a new resource.

critical

delete_sonarqube_project

Deletes a SonarQube project.

Destructive operation, irreversible data loss.

safe

list_projects

Lists all accessible SonarQube projects, optionally filtered by name or key.

Read-only operation, no side effects.

safe

get_sonarqube_metrics

Retrieves specified metrics for a given SonarQube project key.

Read-only operation, no side effects.

safe

get_sonarqube_metrics_history

Retrieves historical metrics for a given SonarQube project.

Read-only operation, no side effects.

safe

get_sonarqube_component_tree_metrics

Retrieves metric values for all components in a project.

Read-only operation, no side effects.

safe

get_project_issues

Fetch SonarQube issues for a given project, optionally filtered by type, severity, and resolution status.

Read-only operation, no side effects.

Safety Assessment

This server provides both read and write access to SonarQube data. While the use of API tokens and privilege separation improves security, the project deletion tool and potential for information disclosure require careful management and monitoring. It's safe to use for read-only operations and project creation with proper access controls, but risky when deleting projects or handling sensitive data without adequate precautions.

Uses API token for authentication.
Clear separation of read and write operations.
Some tools require administrator privileges, limiting access.
No direct filesystem access.

API token compromise could lead to unauthorized access.
Project deletion tool requires caution.
Potential for information disclosure if not properly configured.
Lack of input validation could lead to unexpected behavior.