Read-only access to the SonarQube Web API through the managed gateway. Six MCP
tools cover the common "inspect code quality" surface: search_issues,
search_hotspots, get_component_measures, get_quality_gate_status,
search_projects, and get_source. All are gated by a single sonar:read
scope.
Authentication
SonarQube has no IdP-passthrough or token-exchange path for its Web API — it
accepts only native SonarQube tokens. This connector therefore uses a single
static service-account token (a SonarQube user token / PAT), sent as
Authorization: Bearer <token>. Every call is attributed to that account at
SonarQube; PolicyArc still enforces per-user authorization at the gateway via
the sonar:read scope and policy.
The token's user needs Browse permission on the projects you want to
inspect. Because SonarQube sees every gateway caller as that one account,
grant Browse only on those projects: anything the token can browse, including
raw file contents via get_source, is reachable by any caller the gateway's
sonar:read policy admits.
Requirements
- SonarQube Server ≥ 9.9 LTS (including all Community Build / 2025.x /
2026.x lines) or SonarQube Cloud. These document Authorization: Bearer for
the Web API. Server ≤ 8.9 LTS (which only accepts the token as the HTTP
Basic username) is not supported.
- No paid edition required. All six endpoints work on Community Edition.
Branch/PR-scoped queries (a Developer Edition+ feature) are intentionally not
exposed; on Community Edition, queries resolve against the main branch.
Setup
base_url — SonarQube Cloud: leave as https://sonarcloud.io. SonarQube
Server: your instance host, e.g. https://sonar.example.com.
token_env — a secret holding the SonarQube user token.
SonarQube Cloud: the organization parameter
SonarQube Cloud requires an organization key on most Web API calls; SonarQube
Server does not have organizations. This connector exposes organization as an
optional per-call tool input — Cloud callers pass it on each call, Server
callers omit it. (Tell your agent the org once in its instructions.)
Troubleshooting
- 401 Unauthorized — the configured token is missing, invalid, or expired.
- 403 Forbidden — the token's user lacks Browse permission on the
requested project.
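The following is an added example, not the connector's or PolicyArc's own code, showing how the pieces above fit together for a caller hitting the six routes directly: the Bearer header (contrasted with the legacy Basic form that Server ≤ 8.9 used), the per-call organization key that Cloud needs and Server must not receive, and the 401/403 mapping from the troubleshooting list. The function names, the route table as a Python dict, and the rule "base_url equals https://sonarcloud.io means Cloud" are assumptions of this example.

```python
"""Minimal direct client for the six read-only SonarQube Web API routes.
Added example; build_request, classify_status, legacy_basic_header and the
ROUTES table are names chosen here, not the connector's own code."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Tool name -> Web API path, mirroring the connector's route table.
ROUTES = {
    "search_issues": "/api/issues/search",
    "search_hotspots": "/api/hotspots/search",
    "get_component_measures": "/api/measures/component",
    "get_quality_gate_status": "/api/qualitygates/project_status",
    "search_projects": "/api/components/search_projects",
    "get_source": "/api/sources/raw",
}

# Assumption: this exact base URL (ignoring a trailing slash) means Cloud.
CLOUD_URL = "https://sonarcloud.io"


def bearer_header(token: str) -> dict:
    """Server >= 9.9 LTS and Cloud: the user token goes in a Bearer header."""
    return {"Authorization": f"Bearer {token}"}


def legacy_basic_header(token: str) -> dict:
    """Server <= 8.9 LTS only accepted the token as the HTTP Basic username
    with an empty password. Shown for contrast only; not used by the connector."""
    encoded = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {encoded}"}


def build_request(tool: str, params: dict, base_url: str, token: str,
                  organization: Optional[str] = None) -> urllib.request.Request:
    """Build the GET request for one tool call.

    `organization` is the optional per-call input: required on SonarQube
    Cloud, and rejected here for Server, which has no organizations."""
    if tool not in ROUTES:
        raise ValueError(f"unknown tool {tool!r}")
    root = base_url.rstrip("/")
    is_cloud = root == CLOUD_URL
    if is_cloud and not organization:
        raise ValueError("SonarQube Cloud calls need an organization key")
    if not is_cloud and organization:
        raise ValueError("SonarQube Server has no organizations; omit the key")
    query = dict(params)
    if organization:
        query["organization"] = organization
    url = root + ROUTES[tool]
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return urllib.request.Request(url, headers=bearer_header(token), method="GET")


def classify_status(status: int) -> str:
    """Map an HTTP status to the troubleshooting entries above."""
    if status == 401:
        return "token missing, invalid, or expired"
    if status == 403:
        return "token's user lacks Browse permission on the requested project"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected HTTP {status}"


def call(tool: str, params: dict, base_url: str, token: str,
         organization: Optional[str] = None):
    """Send the request; return (status, parsed body) or (status, diagnosis).
    /api/sources/raw returns plain text, the other five return JSON."""
    req = build_request(tool, params, base_url, token, organization)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body, status = resp.read(), resp.status
    except urllib.error.HTTPError as exc:
        return exc.code, classify_status(exc.code)
    if tool == "get_source":
        return status, body.decode()
    return status, json.loads(body)
```

A Cloud caller would run, for instance, `call("search_issues", {"componentKeys": "my_project", "types": "VULNERABILITY"}, "https://sonarcloud.io", token, organization="my-org")`, while a Server caller drops the organization argument and points base_url at the instance; the ValueError checks in build_request catch the two mismatches before a request is sent.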
Manifest reference
- ID: identos.sonarqube
- Version: 1.0.0
- Resource type: urn:connector:identos:sonarqube
- Capabilities: mcp
Supported auth modes
| Type | Details |
|---|---|
| static | scheme bearer; setup fields: token_env |
Setup fields
| ID | Label | Default | Secret? | Notes |
|---|---|---|---|---|
| base_url | SonarQube base URL | https://sonarcloud.io | no | placeholder: https://sonar.example.com / SonarQube Cloud: leave as https://sonarcloud.io. SonarQube Server: your instance host (e.g. https://sonar.example.com). |
| token_env | SonarQube token | — | yes | Pick a secret containing a SonarQube user token. Sent as Authorization: Bearer <token>. The token's user needs Browse permission on the inspected projects. Requires Server >= 9.9 LTS or SonarQube Cloud (Bearer scheme). |
Scopes
Routes
| Method | Pattern | Scope | Resource template |
|---|---|---|---|
| GET | /api/issues/search | sonar:read | sonarqube://issues |
| GET | /api/hotspots/search | sonar:read | sonarqube://hotspots |
| GET | /api/measures/component | sonar:read | sonarqube://measures |
| GET | /api/qualitygates/project_status | sonar:read | sonarqube://quality_gate |
| GET | /api/components/search_projects | sonar:read | sonarqube://projects |
| GET | /api/sources/raw | sonar:read | sonarqube://source |
| Name | Scope | Description |
|---|---|---|
| search_issues | sonar:read | Search SonarQube issues (bugs, vulnerabilities, code smells). On SonarQube Cloud, pass organization. |
| search_hotspots | sonar:read | Search security hotspots for a project. On SonarQube Cloud, pass organization. |
| get_component_measures | sonar:read | Get metric measures (coverage, bugs, vulnerabilities, etc.) for a component. On SonarQube Cloud, pass organization. |
| get_quality_gate_status | sonar:read | Get the quality gate status (OK/ERROR) for a project. On SonarQube Cloud, pass organization. |
| search_projects | sonar:read | Search projects visible to the token. On SonarQube Cloud, pass organization. |
| get_source | sonar:read | Get the raw source of a file by its component key. On SonarQube Cloud, pass organization. |