SonarQube Integration

Bob the Fixer provides deep integration with SonarQube, exposing comprehensive code quality data to AI assistants through 20 specialized MCP tools.

Overview

The integration connects directly to SonarQube's Web API, providing:

Issue Tracking: Bugs, vulnerabilities, code smells with full context
Security Analysis: Hotspots requiring review, vulnerability details
Quality Metrics: Coverage, duplication, technical debt
Pattern Analysis: Group and correlate issues for efficient fixing
Project Management: Auto-setup, configuration, cleanup

Supported Versions

Version	Status	Notes
SonarQube 10.x	Fully Supported	Recommended
SonarQube 9.x	Fully Supported	All features available
SonarQube 8.x	Limited Support	Some APIs may differ
SonarCloud	Fully Supported	Cloud-hosted alternative

MCP Tools Reference

Scanning Tools

`sonar_scan_project`

Scans a project with SonarQube.

Parameter	Type	Description
`projectPath`	string	Full path to project (required for subsequent scans)
`autoSetup`	boolean	`true` for first scan, `false` thereafter
`severityFilter`	array	Filter: `BLOCKER`, `CRITICAL`, `MAJOR`, `MINOR`, `INFO`
`typeFilter`	array	Filter: `BUG`, `VULNERABILITY`, `CODE_SMELL`

Usage pattern:

# First scan
sonar_scan_project with autoSetup: true

# Subsequent scans
sonar_scan_project with projectPath: "/full/path" and autoSetup: false

`sonar_auto_setup`

Automatically configures SonarQube project.

Parameter	Type	Description
`force`	boolean	Force recreation of existing config
`template`	string	Quality gate: `strict`, `balanced`, `permissive`

Analysis Tools

`sonar_get_issue_details`

Gets comprehensive issue information for AI fixing.

Parameter	Type	Default	Description
`issueKey`	string	required	SonarQube issue key
`contextLines`	number	10	Lines of code context
`includeRuleDetails`	boolean	true	Include rule explanation
`includeCodeExamples`	boolean	true	Include compliant/non-compliant examples
`includeFilePath`	boolean	true	Include absolute path for editing
`includeFileHeader`	boolean	true	Include file header (imports/signature) before issue context
`includeDataFlow`	boolean \| `"auto"`	`"auto"`	Include security data flow when available
`includeSimilarFixed`	boolean	false	Include similar FIXED issues in this project
`includeRelatedTests`	boolean	false	Include related tests + coverage hints (best-effort)
`includeScmHints`	boolean	false	Include SCM hints when available

For the full list of advanced parameters (caps and limits), see sonar_get_issue_details.

Response includes:

Issue severity and type
File path and line number
Plain-text code snippet with surrounding context
Rule description and rationale
File header (imports/signature) to improve fix accuracy
Data flow (for vulnerabilities, when available)
Similar FIXED issues (opt-in)
Related tests + coverage hints (opt-in)
SCM hints (opt-in)

`sonar_analyze_patterns`

Groups issues to identify patterns and prioritize fixes.

Parameter	Type	Description
`groupBy`	string	`pattern`, `file`, `severity`, `fixability`
`includeImpact`	boolean	Include time/effort estimates
`includeCorrelations`	boolean	Find related issues

`sonar_get_security_hotspots`

Lists security hotspots requiring review.

Parameter	Type	Description
`statuses`	array	`TO_REVIEW`, `REVIEWED`
`resolutions`	array	`FIXED`, `SAFE`, `ACKNOWLEDGED`
`severities`	array	`HIGH`, `MEDIUM`, `LOW`

`sonar_get_security_hotspot_details`

Gets detailed security hotspot information.

Parameter	Type	Description
`hotspotKey`	string	Security hotspot key
`includeRuleDetails`	boolean	Include security recommendations
`contextLines`	number	Lines of code context

Metrics Tools

`sonar_get_project_metrics`

Retrieves comprehensive project metrics.

Parameter	Type	Description
`metrics`	array	Specific metrics to retrieve (optional)

Available metrics:

Metric	Description
`bugs`	Total bug count
`vulnerabilities`	Security vulnerability count
`code_smells`	Code smell count
`coverage`	Test coverage percentage
`duplicated_lines_density`	Duplication percentage
`sqale_index`	Technical debt (minutes)
`reliability_rating`	A-E bug rating
`security_rating`	A-E vulnerability rating
`sqale_rating`	A-E maintainability rating
`ncloc`	Lines of code

`sonar_get_quality_gate`

Checks quality gate status.

Response format:

QUALITY GATE STATUS

Status: ✅ PASSED / ❌ FAILED / ⚠️ WARNING

CONDITIONS:
✓ new_bugs: 0 (threshold: 1)
✗ new_coverage: 45.2% (threshold: 80%)

`sonar_get_technical_debt`

Comprehensive technical debt analysis.

Parameter	Type	Default	Description
`includeBudgetAnalysis`	boolean	true	Include time budget planning

Response includes:

Total debt in time units
Debt breakdown by type (bugs, vulnerabilities, code smells)
Budget analysis and planning recommendations
ROI calculations for fixing
Prioritized action plan

`sonar_get_coverage_gaps`

Finds uncovered code for test generation.

Parameter	Type	Description
`componentKey`	string	File key (e.g., `project:src/file.ts`)
`minGapSize`	number	Minimum consecutive uncovered lines
`includePartialBranch`	boolean	Include partial branch coverage

Duplication Tools

`sonar_get_duplication_summary`

Ranked list of files with code duplication.

Parameter	Type	Description
`sortBy`	string	`density`, `lines`, `blocks`
`maxResults`	number	Limit results (default: 10)
`pageSize`	number	Files to analyze (default: 100)

`sonar_get_duplication_details`

Detailed duplication analysis for a specific file.

Parameter	Type	Description
`fileKey`	string	File key from SonarQube
`includeRecommendations`	boolean	Include refactoring suggestions

Reporting Tools

`sonar_generate_report`

Generates comprehensive quality report.

Parameter	Type	Description
`format`	string	`summary`, `detailed`, `json`

Management Tools

`sonar_project_discovery`

Analyzes project to recommend configuration.

Parameter	Type	Description
`path`	string	Directory to analyze
`deep`	boolean	Deep analysis including dependencies

`sonar_config_manager`

Manages Bob the Fixer configuration.

Parameter	Type	Description
`action`	string	`view`, `validate`, `reset`, `update`
`showToken`	boolean	Show token in output

`sonar_link_existing_project`

Links to an existing SonarQube project.

Parameter	Type	Description
`sonarUrl`	string	SonarQube server URL
`projectKey`	string	Existing project key
`token`	string	Authentication token

`sonar_generate_config`

Generates sonar-project.properties file.

Parameter	Type	Description
`projectPath`	string	Project directory
`config`	object	Configuration options

Configuration options include:

sources, tests, exclusions
modules for multi-module projects
Language-specific settings

`sonar_cleanup`

Cleans up unused projects and tokens.

Parameter	Type	Description
`olderThanDays`	number	Age threshold (default: 30)
`dryRun`	boolean	Preview without executing

`sonar_diagnose_permissions`

Diagnoses token and connectivity issues.

Parameter	Type	Description
`verbose`	boolean	Show detailed diagnostics

`sonar_delete_project`

Deletes a SonarQube project permanently.

Parameter	Type	Description
`projectKey`	string	Project to delete
`confirm`	boolean	Must be `true` to execute

API Integration Details

Authentication

Bob the Fixer uses token-based authentication:

Authorization: Basic base64(token:)

Tokens require these permissions:

Browse: View project data
Execute Analysis: Run scans
Administer: Create/delete projects (for auto-setup)

Rate Limiting

Bob the Fixer implements rate limiting:

60 requests/minute per client
Prevents overwhelming SonarQube server
Automatic retry with backoff

Error Handling

Common error scenarios:

Error	Cause	Solution
401	Invalid token	Check SONAR_TOKEN
403	Insufficient permissions	Verify token permissions
404	Project not found	Run with autoSetup: true
500	Server error	Check SonarQube logs

Best Practices

Scanning Strategy

First scan: Always use autoSetup: true
Subsequent scans: Use autoSetup: false with projectPath
CI/CD: Integrate scans into your pipeline

Issue Prioritization

Fix issues in this order:

Security vulnerabilities - Immediate risk
Blocker bugs - Critical failures
Critical bugs - High-impact issues
Major code smells - Maintainability
Minor issues - When time permits

Technical Debt Management

# Weekly debt review
Show me the technical debt summary with budget analysis

# Monthly cleanup
Clean up issues older than 30 days

Troubleshooting

Connection Issues

Diagnose my SonarQube connection

Uses sonar_diagnose_permissions to check:

Network connectivity
Token validity
Permission levels
Server health

Scan Failures

Common causes:

Missing sources: Check sonar.sources configuration
Invalid project key: Use sonar_project_discovery
Token expired: Regenerate and update

Next Steps

Quality Gates - Understanding quality thresholds
AI-Assisted Fixing - How AI uses these tools
Troubleshooting - Common issues

Overview​

Supported Versions​

MCP Tools Reference​

Scanning Tools​

sonar_scan_project​

sonar_auto_setup​

Analysis Tools​

sonar_get_issue_details​

sonar_analyze_patterns​

sonar_get_security_hotspots​

sonar_get_security_hotspot_details​

Metrics Tools​

sonar_get_project_metrics​

sonar_get_quality_gate​

sonar_get_technical_debt​

sonar_get_coverage_gaps​

Duplication Tools​

sonar_get_duplication_summary​

sonar_get_duplication_details​

Reporting Tools​

sonar_generate_report​

Management Tools​

sonar_project_discovery​

sonar_config_manager​

sonar_link_existing_project​

sonar_generate_config​

sonar_cleanup​

sonar_diagnose_permissions​

sonar_delete_project​

API Integration Details​

Authentication​

Rate Limiting​

Error Handling​

Best Practices​

Scanning Strategy​

Issue Prioritization​

Technical Debt Management​

Troubleshooting​

Connection Issues​

Scan Failures​

Next Steps​