Sonarqube Mcp
Run SonarQube quality-gate and issue triage on pull requests before merge using MCP tool workflows.
Overview
Sonarqube-mcp is an agent skill most often used in Ship (also Operate) that guides SonarQube MCP quality-gate checks and PR issue triage before merge.
Install
npx skills add https://github.com/giuseppe-trisciuoglio/developer-kit --skill sonarqube-mcpWhat is this skill?
- 4-step PR quality gate workflow: trigger analysis, evaluate gate, triage issues, verify fixes after push
- Documents MCP calls for get_project_quality_gate_status and search_sonar_issues_in_projects with PR filters
- Triage order: Security → Reliability → Maintainability with BLOCKER/HIGH/MEDIUM severity filters
- Maps failing gate conditions to metric gaps (actual vs threshold) before requesting developer changes
- Designed for CI/CD-triggered SonarQube analysis on pull requests, not ad-hoc local-only scans
- 4-step PR quality gate workflow documented in SKILL.md
- Issue search example uses severities BLOCKER, HIGH, and MEDIUM
Adoption & trust: 870 installs on skills.sh; 271 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have SonarQube on CI but your agent does not know how to read gate failures or prioritize issues on a specific pull request.
Who is it for?
Solo builders merging feature branches on services already integrated with SonarQube and SonarQube MCP in the agent.
Skip if: Greenfield repos with no SonarQube project key, no PR analysis in CI, or teams that only want stylistic lint without quality gates.
When should I use this skill?
Before merging a pull request that SonarQube analyzes in CI, or when re-checking the gate after fix commits.
What do I get? / Deliverables
After the workflow, you get a gate verdict, failing metrics explained, and a security-first issue list—and you re-run the gate after fixes before approving merge.
- Quality gate status summary for the PR
- Categorized issue list (security, reliability, maintainability)
- Re-check gate verdict after developer fixes
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
PR quality gates are the canonical pre-merge checkpoint in the ship phase. Review subphase covers automated quality checks, issue categorization, and merge readiness—not one-off lint fixes.
Where it fits
Agent calls get_project_quality_gate_status for PR 42 before you approve merge.
Agent filters search_sonar_issues_in_projects to SECURITY category before reliability smells.
You compare gate trends after a release when defect backlog spikes on the main branch.
You validate MCP argument shapes (projectKey, pullRequest) while wiring SonarQube into your dev kit.
How it compares
Use for SonarQube gate semantics via MCP—not as a substitute for writing tests or replacing your CI Sonar scanner.
Common Questions / FAQ
Who is sonarqube-mcp for?
Indie and solo developers who use Claude Code, Cursor, or similar agents to review PRs against the same SonarQube quality gate their pipeline enforces.
When should I use sonarqube-mcp?
Use it in Ship during code review before merge; in Operate when investigating recurring quality regressions; and in Build when validating that a branch is clean before opening a PR.
Is sonarqube-mcp safe to install?
It documents read-oriented SonarQube MCP patterns; review the Security Audits panel on this Prism page and confirm your MCP server scopes before granting network access to SonarQube.
SKILL.md
READMESKILL.md - Sonarqube Mcp
# SonarQube MCP Best Practices Workflows and patterns for integrating SonarQube quality checks into the development lifecycle. ## PR Quality Gate Workflow The recommended workflow for checking code quality before merging a pull request. ### Step 1: Trigger PR Analysis SonarQube analyzes PRs automatically when integrated with CI/CD. After CI runs, check the gate: ```json { "name": "get_project_quality_gate_status", "arguments": { "projectKey": "my-service", "pullRequest": "<pr-number>" } } ``` ### Step 2: Evaluate Gate Status If `status: "OK"` → safe to proceed with merge review. If `status: "ERROR"`: 1. Extract failing conditions from the `conditions` array 2. For each failing condition, identify the metric and gap (actual vs threshold) 3. Use `search_sonar_issues_in_projects` filtered by PR to surface the specific issues ```json { "name": "search_sonar_issues_in_projects", "arguments": { "projects": ["my-service"], "pullRequestId": "<pr-number>", "severities": ["BLOCKER", "HIGH", "MEDIUM"], "p": 1, "ps": 100 } } ``` ### Step 3: Triage Issues Group found issues by: - **Security** (`category: SECURITY`) → highest priority - **Reliability** (`category: RELIABILITY`) → bugs that affect behavior - **Maintainability** (`category: MAINTAINABILITY`) → code smells Present categorized summary to the developer before requesting changes. ### Step 4: Verify Fix After the developer pushes fixes, re-check the quality gate using the updated PR number or trigger a new analysis via CI. --- ## Pre-Commit Analysis (Shift Left) Catch issues before they reach the CI pipeline using `analyze_code_snippet`. ### When to Use - Before committing new functions or classes - When refactoring security-sensitive code - Before adding a new external dependency integration ### Workflow 1. **Extract the snippet** — identify the function or module to analyze 2. **Specify the language** — always pass the `language` parameter for accuracy 3. **Review findings** — address CRITICAL and HIGH issues before committing 4. **Learn from rules** — use `show_rule` to understand unfamiliar findings ### Multi-Language Examples **TypeScript (SQL injection check):** ```json { "name": "analyze_code_snippet", "arguments": { "projectKey": "my-app", "fileContent":"async function getUser(id: string) {\n const query = `SELECT * FROM users WHERE id = ${id}`;\n return db.execute(query);\n}", "language": "typescript" } } ``` **Java (hardcoded credentials):** ```json { "name": "analyze_code_snippet", "arguments": { "projectKey": "my-java-app", "fileContent":"public class DatabaseConfig {\n private static final String PASSWORD = \"myS3cr3t\";\n public Connection connect() { ... }\n}", "language": "java" } } ``` **Python (deserialization risk):** ```json { "name": "analyze_code_snippet", "arguments": { "projectKey": "my-python-app", "fileContent":"import pickle\n\ndef load_session(data):\n return pickle.loads(data)", "language": "python" } } ``` **Go (error ignored):** ```json { "name": "analyze_code_snippet", "arguments": { "projectKey": "my-go-service", "fileContent":"func readFile(path string) []byte {\n data, _ := os.ReadFile(path)\n return data\n}", "language": "go" } } ``` --- ## Issue Triage Workflow Systematic approach to clearing a backlog of Sonar issues. ### Step 1: Prioritize by Severity Always start with BLOCKER issues, then CRITICAL/HIGH: ```json { "name": "search_sonar_issues_in_projects", "arguments": { "projects": ["my-project"], "severities": ["BLOCKER"], "p": 1, "ps": 100 } } ``` ### Step 2: Understand Each Issue For each unfamiliar rule, retrieve documentation: ```json { "name": "show_rule", "arguments": { "key": "java:S2068" } } ``` ### Step 3: Fix or Document **Fix:** Implement the recommended fix from rule documentation. **Accept (with reason):** ```json { "name": "change_