Sonarqube | AI Builder Hub Review & Alternatives | Flaex AI

VERIFIED

Sonarqube

Safety: 45/100

0.0(0)

Sonarqube MCP server allows interaction with Sonarqube instances for code quality analysis, project management, and rule customization, but this version is unmaintained.

MCP ServersDevelopmentProductivitySearch & WebFreemium

Boost this tool

Subscribe to listing upgrades or segmented pushes.

Overview

Sonarqube MCP server allows interaction with Sonarqube instances for code quality analysis, project management, and rule customization, but this version is unmaintained.

The Sonarqube MCP server can be safe for read-only operations with proper RBAC. However, write operations, especially with an unmaintained version, pose a moderate risk due to potential configuration changes and security vulnerabilities. Exercise caution and consider migrating to the official version.

Performance depends on the size of the Sonarqube instance and the complexity of the queries. Large projects or complex rules may impact response times.

Cost is primarily associated with the Sonarqube license and the resources required to run the Sonarqube instance. API usage is generally free but may be subject to rate limits.

java100 starsReleased 10/21/2025CI/CD

Connections & Capabilities

Connects To

GitHub

Capabilities

ReadWriteAdmin

Client Compatibility

Claude Desktop

full

Cursor

untested

Windsurf

untested

VS Code (Copilot)

untested

Quickstart

Claude Desktop Config

{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": ["-y", "sonarqube-mcp-server@latest"],
      "env": {
        "SONARQUBE_URL": "https://sonarcloud.io",
        "SONARQUBE_TOKEN": "your-token-here",
        "SONARQUBE_ORGANIZATION": "your-org (for SonarCloud)"
      }
    }
  }
}

Environment Variables

SONARQUBE_URLSONARQUBE_TOKENSONARQUBE_ORGANIZATIONTRANSPORTLOG_FILELOG_LEVELNODE_ENVNODE_OPTIONS

Tools (4)

safe

get_project_status

Retrieves the current status and quality gate results for a specified project.

Read-only operation, no modification of data.

high

update_quality_profile

Modifies an existing quality profile by adding or removing rules.

Changes the configuration of code analysis rules.

moderate

create_project

Creates a new project within the Sonarqube instance.

Creates new entities within the system.

critical

delete_project

Deletes a project and its associated data from Sonarqube.

Destructive operation that permanently removes data.

Security

Auth Method

API Key

Scopes

project administrationquality profile managementuser managementissue management

Known Risks

!Unmaintained code base may contain unfixed security vulnerabilities.
!Improperly configured write access can lead to accidental or malicious changes to Sonarqube settings.
!Exposure of API keys can grant unauthorized access to Sonarqube instance.
!Lack of input validation could lead to injection attacks.

Safety Score

moderate risk

Positive

+Role-Based Access Control (RBAC) for permission management.
+API key authentication for controlled access.
+Potential for read-only access depending on configuration.

Risks

-Unmaintained status increases vulnerability risk.
-Write operations can modify Sonarqube configuration.
-Potential for sensitive data exposure if not configured correctly.
-Lack of sandboxing could lead to unintended consequences from write operations.

Use Cases

Code Quality Analysis

-Automated code review
-Identifying potential bugs and vulnerabilities
-Enforcing coding standards
-Tracking code quality metrics over time

Project Management

-Creating and managing Sonarqube projects
-Configuring quality gates
-Assigning users and permissions
-Integrating with CI/CD pipelines

Rule Customization

-Creating custom rules
-Modifying existing rules
-Activating and deactivating rules
-Defining quality profiles

Who Is This For?

Best For

Teams using Sonarqube for code quality analysis.
Organizations needing to automate Sonarqube project management tasks.
Developers who want to customize Sonarqube rules and quality profiles.
Integrating Sonarqube into CI/CD pipelines.

Not Ideal For

Environments where security is paramount due to the unmaintained status.
Organizations without a dedicated Sonarqube instance.
Users who require a fully sandboxed or isolated environment.

Autonomy & Execution

Default ModeConfigurable

Destructive Tools

Autonomy depends on the configured permissions and the specific tool being used. Destructive tools are available, so caution is advised.

StatelessYes

Retry LogicNot documented

ConcurrencyNot documented

Production Tip

Monitor API usage and error rates to ensure stable operation and prevent unexpected issues.

FAQ

Is this server officially supported by SonarSource?

No, this project is no longer maintained. Refer to the official version.

What are the security implications of using an unmaintained server?

The server may contain unfixed vulnerabilities, increasing the risk of security breaches.

How do I authenticate with the Sonarqube API?

You can authenticate using an API key generated within your Sonarqube account.

Can I use this server to delete projects in Sonarqube?

Yes, but exercise extreme caution as this is a destructive operation.

Does this server support dry-run mode?

No, dry-run mode is not supported.

What level of access should I grant to the API key?

Grant only the necessary permissions to minimize the potential impact of a compromised key.

Where can I find the official Sonarqube MCP server?

The official version is located at [sonarqube-mcp-server](https://github.com/SonarSource/sonarqube-mcp-server).

Key Features

Development Productivity Search & Web

Metrics

Discovered2/14/2026

Reviews0

Saved By0 users

Sonarqube

Overview

Connections & Capabilities

Connects To

Capabilities

Client Compatibility

Quickstart

Claude Desktop Config

Environment Variables

Tools (4)

Security

Safety Score

Positive

Risks

Use Cases

Code Quality Analysis

Project Management

Rule Customization

Who Is This For?

Best For

Not Ideal For

Autonomy & Execution

FAQ

Is this server officially supported by SonarSource?

What are the security implications of using an unmaintained server?

How do I authenticate with the Sonarqube API?

Can I use this server to delete projects in Sonarqube?

Does this server support dry-run mode?

What level of access should I grant to the API key?

Where can I find the official Sonarqube MCP server?

Key Features

Metrics

Related Tools