Model Context Protocol moderate risk

Sonarqube

Sonarqube MCP server allows interaction with Sonarqube instances for code quality analysis, project management, and rule customization, but this version is unmaintained.

Connections & Capabilities

Connects To

GitHub

Capabilities

readwriteadmin

Quickstart

Config

{
  "mcpServers": {
    "sonarqube": {
      "command": "npx",
      "args": ["-y", "sonarqube-mcp-server@latest"],
      "env": {
        "SONARQUBE_URL": "https://sonarcloud.io",
        "SONARQUBE_TOKEN": "your-token-here",
        "SONARQUBE_ORGANIZATION": "your-org (for SonarCloud)"
      }
    }
  }
}

Exposed MCP Tools (4)

safe

get_project_status

Retrieves the current status and quality gate results for a specified project.

Read-only operation, no modification of data.

high

update_quality_profile

Modifies an existing quality profile by adding or removing rules.

Changes the configuration of code analysis rules.

moderate

create_project

Creates a new project within the Sonarqube instance.

Creates new entities within the system.

critical

delete_project

Deletes a project and its associated data from Sonarqube.

Destructive operation that permanently removes data.

Safety Assessment

The Sonarqube MCP server can be safe for read-only operations with proper RBAC. However, write operations, especially with an unmaintained version, pose a moderate risk due to potential configuration changes and security vulnerabilities. Exercise caution and consider migrating to the official version.

Role-Based Access Control (RBAC) for permission management.
API key authentication for controlled access.
Potential for read-only access depending on configuration.

Unmaintained status increases vulnerability risk.
Write operations can modify Sonarqube configuration.
Potential for sensitive data exposure if not configured correctly.
Lack of sandboxing could lead to unintended consequences from write operations.