sonarqube-mcp-server
Verified Safe by SonarSource
Overview
The SonarQube MCP Server enables seamless integration with SonarQube Server or Cloud for code quality and security analysis, including direct code snippet analysis within an agent context.
Installation
docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube
Environment Variables
- SONARQUBE_TOKEN
- SONARQUBE_ORG
- SONARQUBE_URL
- STORAGE_PATH
- SONARQUBE_TRANSPORT
- SONARQUBE_HTTP_PORT
- SONARQUBE_HTTP_HOST
- SONARQUBE_HTTP_AUTH_MODE
- SONARQUBE_IDE_PORT
Security Notes
The server demonstrates robust security practices, including session-to-token mapping with a TTL, explicit token validation to prevent session hijacking, and comprehensive CORS/Origin header checks to mitigate DNS rebinding attacks. It gracefully handles unimplemented authentication modes (e.g., OAuth). A minor concern is the hardcoded default keystore password 'sonarlint' used for HTTPS; the password is configurable, and a warning is logged when the server binds to all interfaces.
Similar Servers
easy-code-reader
Provides a Model Context Protocol (MCP) server for AI assistants to intelligently read Java source code from local projects and Maven dependencies, supporting decompilation and multi-module analysis.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
mcp-zap-server
Exposes OWASP ZAP security scanning functionalities as Model Context Protocol (MCP) tools, enabling AI agents to orchestrate security assessments and report generation.
athena-protocol
This server acts as an AI tech lead, providing expert validation, impact analysis, and strategic guidance to AI coding agents before code changes are made.