io.github.SonarSource/sonarqube-mcp-server

io.github.SonarSource/sonarqube-mcp-server·v1.18.1·Security

An MCP server that enables integration with SonarQube Server or Cloud for code quality and security.

Trust verdict · v1 advisory · method

REVIEWstatus: PARTIALfresh until 2026-06-01 06:24 UTC

screened 2026-06-01tier: scannedgranularity: description-levelsource: registry

Semantic screen found no manipulation pattern in the description. Conformance probe not yet run.

mcpindex.integrity.descriptionpassINFO

evidence“No malicious instructions”via static_description

Limits of this verdict

- Semantic screen only - the deterministic conformance probe has not run on this server
- Confidence is reported but not yet calibrated (v1)
- Screen reads the tool description, not the live behavior
- advisory
- registry description only no input schema

Semantic screen: an LLM judge reads the tool description for hidden instructions (status PARTIAL). A pass means the description is not lying, not that the tool is safe: a high-capability tool with an honest description still warrants caution. The deterministic conformance probe has not been run on this server yet, so the screen here is semantic-only. Posture: advisory. Confidences are reported but not yet calibrated (calibrated=false at v1). History is paid-tier and not shown here.

Own this server? Screen its description →

Embed this badge

A live verdict badge for your README or listing. It reflects the current screen, links back here, and updates when the verdict does.

Markdown

[![mcpindex](https://mcpindex.ai/api/v1/badge/io-github-sonarsource-sonarqube-mcp-server)](https://mcpindex.ai/server/io-github-sonarsource-sonarqube-mcp-server)

HTML

<a href="https://mcpindex.ai/server/io-github-sonarsource-sonarqube-mcp-server"><img src="https://mcpindex.ai/api/v1/badge/io-github-sonarsource-sonarqube-mcp-server" alt="mcpindex verdict" height="20" /></a>

Environment variables

SONARQUBE_TOKEN

requiredsecret

Your SonarQube USER token

SONARQUBE_ORG

secret

Your SonarQube Cloud organization key (if using SonarQube Cloud)

SONARQUBE_URL

secret

Your SonarQube Server URL (if using SonarQube Server)

MCP quality score · maturity, not trust · methodology

freshness

completeness

installability

documentation

stability

Alternatives in Security

ai.dynamicfeed/dynamic-feed

87 keyless tools of live, verifiable data for AI: weather, hazards, space, CVEs. Ed25519-signed.

Helixar Security

ai.helixar/mcp

Security tools for AI agents: scan MCP servers, validate HDP delegation chains, audit releases.

RFP.ai

ai.rfp/rfp-ai

Draft cited RFP and security questionnaire answers from your knowledge base, with human review

Install

Claude Desktop (Docker)

{
  "mcpServers": {
    "sonarqube-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "docker.io/mcp/sonarqube:latest"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<your-sonarqube_token>",
        "SONARQUBE_ORG": "<your-sonarqube_org>",
        "SONARQUBE_URL": "<your-sonarqube_url>"
      }
    }
  }
}

Verdict API

curl -s mcpindex.ai/api/v1/trust/server/io-github-sonarsource-sonarqube-mcp-server

Free-tier verdict as JSON: decision + dimensions + severity. Call it from your agent before it invokes a tool it just discovered.

Details

version: v1.18.1
category: Security
verdict expires: 2026-06-01
quality: 85 / 100
operator: SonarSource

Provenance

Verdict history is anchored to Bitcoin via OpenTimestamps. The free tier returns the current verdict only; the anchored record is served on the authenticated tier.

Links

Repository →