SonarQube - Prisme.ai

The SonarQube app provides read/write access to the SonarQube and SonarQube Cloud Web API. It can be used either as a Builder app (automations call SonarQube instructions directly) or as a remote MCP server consumed by a Knowledges agent — covering projects, components, issues, security hotspots, measures, metrics, quality gates, quality profiles, rules, user tokens, analyses, branches, webhooks and SVG badges.

Code Quality

Issues, security hotspots, rules and quality profiles to triage code findings

Project Insights

Measures, metric definitions, history, quality gate status and analyses

Admin & Operations

Projects, branches, webhooks, user tokens and SVG badges

Prerequisites

A SonarQube server (self-hosted) or a SonarQube Cloud account
A User Token generated in My Account > Security > Generate Tokens (passed as Authorization: Bearer <token>)
The API base URL of your instance:
- SonarCloud: https://sonarcloud.io/api
- Self-hosted: https://<your-sonarqube-host>/api
For SonarCloud only: the organization key that owns your projects (most search/create operations require it)

Usage as App
Usage as MCP

Installation

Go to Apps in your workspace
Search for SonarQube and install it
Open the app instance configuration and fill in the required fields

Configuration

Field	Description
SonarQube API Base URL	Base URL of the SonarQube API. Defaults to `https://sonarcloud.io/api` — replace with your self-hosted instance URL when applicable
API Token	SonarQube User Token, stored as a workspace secret. Passed as `Authorization: Bearer <token>`
MCP Endpoint	Auto-populated on install — URL of the MCP endpoint for this instance
MCP API Key	Auto-populated on install — signed key used in the `mcp-api-key` header. Do not modify

MCP Endpoint and MCP API Key are generated automatically by the onInstall flow and are only needed to expose this instance as an MCP server (see the next tab).

Available Instructions

Every instruction resolves credentials from the workspace configuration. SonarQube identifiers are project keys, component keys, issue keys, rule keys and login names — never numeric IDs except for quality-gate gateId. Most list / search operations accept p (page index, 1-based) and ps (page size, max 500) for pagination.

System & Authentication

Instruction	Arguments
`validateAuthentication`	—
`getServerVersion`	—
`listLanguages`	`q`

Projects

Instruction	Arguments
`searchProjects`	`organization`, `projects`, `q`, `qualifiers`, `visibility` (`public`/`private`), `analyzedBefore`, `onProvisionedOnly`, `p`, `ps`
`createProject`	`name`, `project`, `organization`, `visibility` (`public`/`private`)
`deleteProject`	`project`*
`updateProjectKey`	`from`, `to`
`updateProjectVisibility`	`project`, `visibility` (`public`/`private`)

Components

Instruction	Arguments
`showComponent`	`component`*, `branch`, `pullRequest`
`searchComponents`	`q`, `qualifiers` (`TRK`, `FIL`, `DIR`, …), `organization`, `p`, `ps`
`getComponentTree`	`component`*, `strategy` (`children`/`all`/`leaves`), `qualifiers`, `q`, `branch`, `s`, `p`, `ps`

Issues

Instruction	Arguments
`searchIssues`	`componentKeys`, `projects`, `assignees`, `author`, `severities`, `types`, `statuses`, `resolutions`, `resolved`, `tags`, `createdAfter`, `createdBefore`, `languages`, `rules`, `branch`, `pullRequest`, `s`, `asc`, `p`, `ps`
`assignIssue`	`issue`*, `assignee`
`transitionIssue`	`issue`, `transition` (`confirm`/`unconfirm`/`reopen`/`resolve`/`falsepositive`/`wontfix`/`close`)
`addIssueComment`	`issue`, `text`
`setIssueTags`	`issue`*, `tags`
`setIssueSeverity`	`issue`, `severity` (`INFO`/`MINOR`/`MAJOR`/`CRITICAL`/`BLOCKER`)
`setIssueType`	`issue`, `type` (`BUG`/`VULNERABILITY`/`CODE_SMELL`)

Measures & Metrics

Instruction	Arguments
`getComponentMeasures`	`component`, `metricKeys`, `branch`, `pullRequest`, `additionalFields`
`getComponentTreeMeasures`	`component`, `metricKeys`, `strategy` (`children`/`all`/`leaves`), `qualifiers`, `s`, `p`, `ps`
`getMeasuresHistory`	`component`, `metrics`, `from`, `to`, `p`, `ps`
`searchMetrics`	`f`, `p`, `ps`

Quality Gates

Instruction	Arguments
`listQualityGates`	`organization`
`showQualityGate`	`id`, `name`, `organization`
`getProjectQualityGateStatus`	`projectKey`, `projectId`, `branch`, `pullRequest`
`selectQualityGate`	`projectKey`*, `gateId`, `gateName`, `organization`

Quality Profiles & Rules

Instruction	Arguments
`searchQualityProfiles`	`organization`, `language`, `project`, `qualityProfile`, `defaults`
`searchRules`	`organization`, `q`, `languages`, `repositories`, `severities`, `types`, `tags`, `statuses`, `qprofile`, `activation`, `p`, `ps`
`showRule`	`key`*, `organization`

Hotspots

Instruction	Arguments
`searchHotspots`	`projectKey`, `branch`, `pullRequest`, `status` (`TO_REVIEW`/`REVIEWED`), `resolution` (`FIXED`/`SAFE`/`ACKNOWLEDGED`), `onlyMine`, `sinceLeakPeriod`, `p`, `ps`
`showHotspot`	`hotspot`*
`changeHotspotStatus`	`hotspot`, `status` (`TO_REVIEW`/`REVIEWED`), `resolution`, `comment`

User Tokens

Instruction	Arguments
`searchUserTokens`	`login`
`generateUserToken`	`name`*, `login`, `type` (`USER_TOKEN`/`PROJECT_ANALYSIS_TOKEN`/`GLOBAL_ANALYSIS_TOKEN`), `projectKey`, `expirationDate`
`revokeUserToken`	`name`*, `login`

Analyses & Branches

Instruction	Arguments
`searchProjectAnalyses`	`project`*, `branch`, `category`, `from`, `to`, `p`, `ps`
`createAnalysisEvent`	`analysis`, `name`, `category` (`VERSION`/`OTHER`)
`listProjectBranches`	`project`*
`deleteProjectBranch`	`project`, `branch`

Webhooks

Instruction	Arguments
`listWebhooks`	`organization`, `project`
`createWebhook`	`name`, `url`, `organization`, `project`, `secret`
`deleteWebhook`	`webhook`*

Badges

Instruction	Arguments
`getProjectMeasureBadge`	`project`, `metric`, `branch`, `token`
`getProjectQualityGateBadge`	`project`*, `branch`, `token`

Arguments flagged with * are required. On SonarCloud, most search and create operations also require an organization key — pass it explicitly or default it in your automation.

DSUL Examples

List all unresolved bugs on a project

- SonarQube.searchIssues:
    componentKeys: '{{projectKey}}'
    types: BUG
    statuses: OPEN,CONFIRMED,REOPENED
    ps: 100
    output: issues

Get the quality gate status of a branch

- SonarQube.getProjectQualityGateStatus:
    projectKey: '{{projectKey}}'
    branch: main
    output: gateStatus
- conditions:
    '{{gateStatus.projectStatus.status}} == "ERROR"':
      - emit:
          event: qualityGateFailed
          payload:
            project: '{{projectKey}}'
            conditions: '{{gateStatus.projectStatus.conditions}}'

Triage a flaky issue as false positive

- SonarQube.transitionIssue:
    issue: '{{issueKey}}'
    transition: falsepositive
- SonarQube.addIssueComment:
    issue: '{{issueKey}}'
    text: 'False positive — already addressed in {{commitSha}}'

Pull last week’s coverage and bugs trend

- SonarQube.getMeasuresHistory:
    component: '{{projectKey}}'
    metrics: coverage,bugs,vulnerabilities,code_smells
    from: '{{lastWeekIso}}'
    ps: 1000
    output: history

Provision a new SonarCloud project

- SonarQube.createProject:
    name: '{{repoName}}'
    project: '{{org}}_{{repoName}}'
    organization: '{{org}}'
    visibility: private
    output: project
- SonarQube.selectQualityGate:
    projectKey: '{{project.project.key}}'
    gateName: 'Sonar way'
    organization: '{{org}}'

The SonarQube app ships with a built-in MCP server. Each app instance gets its own signed mcp-api-key that encodes the workspace ID and a credentials lookup URL — the SonarQube User Token itself is never passed through headers and is resolved server-side from the app configuration.

Legacy MCP Install (Advanced > Tools)

Use this flow to plug the SonarQube MCP into a Knowledges agent that does not yet support the native MCP picker.

Install the SonarQube app

Install and configure the app in the same workspace as your agent (see the Usage as App tab). Once configured, mcpEndpoint and mcpApiKey are auto-populated.

Copy the MCP credentials

Open the app instance config and copy the values of MCP Endpoint and MCP API Key.

Open your Knowledges project

Navigate to Advanced > Tools.

Add an MCP tool

Click Add and select the MCP tab.

Fill in the endpoint

Paste the MCP Endpoint URL copied from the app instance.

Add the auth header

In the Headers field, add the signed API key:

{
  "mcp-api-key": "your-mcp-api-key"
}

Save

The agent can now list and call SonarQube tools through the MCP endpoint.

The signed mcp-api-key encodes the workspace ID and the getConfig webhook URL. The MCP server validates the signature using the central app secret and transparently fetches the SonarQube User Token and base URL from the installed app. Credentials are cached per tenant for 10 minutes.

Output Formats

Every tool accepts an outputFormat parameter that controls the MCP response shape:

verbose (default) — human-readable text for LLM consumption
structured — machine-readable JSON in structuredContent
both — both text and structured content

Available Tools

System & Authentication

Tool	Description
`validateAuthentication`	Validate the current token
`getServerVersion`	Get SonarQube version
`listLanguages`	List supported languages

Projects

Tool	Description
`searchProjects`	Search projects (filter by `q`, `qualifiers`, `visibility`, `analyzedBefore`)
`createProject`	Create a project
`deleteProject`	Delete a project
`updateProjectKey`	Update the project key
`updateProjectVisibility`	Change project visibility

Components

Tool	Description
`showComponent`	Describe a component (project, file, directory)
`searchComponents`	Search components (projects, files)
`getComponentTree`	Navigate the component tree

Issues

Tool	Description
`searchIssues`	Search for issues. For “my issues / mes issues” pass `assignees: __me__` (or `author: __me__` for issues you reported). To filter unresolved, pass `statuses: OPEN,CONFIRMED,REOPENED`
`assignIssue`	Assign or unassign an issue (omit `assignee` to unassign)
`transitionIssue`	Perform a workflow transition on an issue
`addIssueComment`	Add a comment to an issue
`setIssueTags`	Set tags on an issue (comma-separated; empty to clear)
`setIssueSeverity`	Change the severity of an issue
`setIssueType`	Change the type of an issue

Measures & Metrics

Tool	Description
`getComponentMeasures`	Get measures of a component (e.g. `ncloc,bugs,coverage`)
`getComponentTreeMeasures`	Get measures for a component tree
`getMeasuresHistory`	Get history of measures over a period
`searchMetrics`	Search metric definitions

Quality Gates

Tool	Description
`listQualityGates`	List quality gates
`showQualityGate`	Show a quality gate (by `id` or `name`)
`getProjectQualityGateStatus`	Get the quality gate status of a project / branch / PR
`selectQualityGate`	Associate a project with a quality gate

Quality Profiles & Rules

Tool	Description
`searchQualityProfiles`	Search quality profiles
`searchRules`	Search rules
`showRule`	Show a rule

Hotspots

Tool	Description
`searchHotspots`	Search security hotspots. For “my hotspots” pass `onlyMine: true`. For unresolved pass `status: TO_REVIEW`
`showHotspot`	Show a security hotspot
`changeHotspotStatus`	Change the status of a hotspot

User Tokens

Tool	Description
`searchUserTokens`	List user tokens (admin-only when `login` targets another user)
`generateUserToken`	Generate a user token (`USER_TOKEN`, `PROJECT_ANALYSIS_TOKEN`, `GLOBAL_ANALYSIS_TOKEN`)
`revokeUserToken`	Revoke a user token by name

Analyses & Branches

Tool	Description
`searchProjectAnalyses`	Search project analyses
`createAnalysisEvent`	Create an event on a project analysis
`listProjectBranches`	List branches of a project
`deleteProjectBranch`	Delete a branch from a project

Webhooks

Tool	Description
`listWebhooks`	List webhooks (global or per-project)
`createWebhook`	Create a webhook
`deleteWebhook`	Delete a webhook

Badges

Tool	Description
`getProjectMeasureBadge`	Get an SVG badge for a project metric
`getProjectQualityGateBadge`	Get an SVG badge for the project quality gate status

Tool Details

searchIssues

Search and filter issues on a project. Default response includes all issues the token can see; combine filters to scope down.

{
  "name": "searchIssues",
  "arguments": {
    "componentKeys": "my_org_my-project",
    "types": "BUG,VULNERABILITY",
    "severities": "CRITICAL,BLOCKER",
    "statuses": "OPEN,CONFIRMED,REOPENED",
    "branch": "main",
    "ps": 100
  }
}

Parameter	Required	Description
`componentKeys`	No	Comma-separated component / project keys
`assignees`	No	Use `__me__` for the current user
`severities`	No	`INFO`,`MINOR`,`MAJOR`,`CRITICAL`,`BLOCKER`
`types`	No	`BUG`,`VULNERABILITY`,`CODE_SMELL`
`statuses`	No	`OPEN`,`CONFIRMED`,`REOPENED`,`RESOLVED`,`CLOSED`
`tags`	No	Comma-separated tag names
`createdAfter` / `createdBefore`	No	ISO date or `YYYY-MM-DD`
`branch` / `pullRequest`	No	Restrict to a branch or PR
`p` / `ps`	No	Pagination — `ps` max 500

transitionIssue

Move an issue through SonarQube’s workflow.

{
  "name": "transitionIssue",
  "arguments": {
    "issue": "AY9z...",
    "transition": "falsepositive"
  }
}

Parameter	Required	Description
`issue`	Yes	Issue key
`transition`	Yes	`confirm`, `unconfirm`, `reopen`, `resolve`, `falsepositive`, `wontfix`, `close`

getComponentMeasures

Read one or several metric values for a component (project, file, directory).

{
  "name": "getComponentMeasures",
  "arguments": {
    "component": "my_org_my-project",
    "metricKeys": "ncloc,bugs,vulnerabilities,coverage,duplicated_lines_density",
    "branch": "main"
  }
}

Parameter	Required	Description
`component`	Yes	Component key (project, file or directory)
`metricKeys`	Yes	Comma-separated metric keys — see `searchMetrics`
`branch`	No	Branch name
`pullRequest`	No	Pull request ID
`additionalFields`	No	Extra fields (e.g. `metrics,periods`)

getProjectQualityGateStatus

Useful as a one-shot pass/fail check for CI gates.

{
  "name": "getProjectQualityGateStatus",
  "arguments": {
    "projectKey": "my_org_my-project",
    "branch": "main"
  }
}

Parameter	Required	Description
`projectKey`	No*	Project key (one of `projectKey` or `projectId` must be set)
`projectId`	No*	Project ID — alternative to `projectKey`
`branch`	No	Restrict to a branch
`pullRequest`	No	Restrict to a pull request

searchHotspots

Triage security hotspots — by default returns all visible to the token.

{
  "name": "searchHotspots",
  "arguments": {
    "projectKey": "my_org_my-project",
    "status": "TO_REVIEW",
    "branch": "main",
    "ps": 100
  }
}

Parameter	Required	Description
`projectKey`	No	Restrict to one project
`status`	No	`TO_REVIEW` or `REVIEWED`
`resolution`	No	`FIXED`, `SAFE`, `ACKNOWLEDGED` (only when `status: REVIEWED`)
`onlyMine`	No	Filter on hotspots assigned to the current user
`sinceLeakPeriod`	No	Only hotspots in the new-code period

createProject

Provision a new project. On SonarCloud, organization is required.

{
  "name": "createProject",
  "arguments": {
    "name": "Website Revamp",
    "project": "my_org_website-revamp",
    "organization": "my_org",
    "visibility": "private"
  }
}

Parameter	Required	Description
`name`	Yes	Display name
`project`	Yes	Project key (unique, alphanumeric + `-_.:`)
`organization`	No*	Required on SonarCloud
`visibility`	No	`public` or `private`

generateUserToken

Issue a token for analysis or API usage.

{
  "name": "generateUserToken",
  "arguments": {
    "name": "ci-pipeline-token",
    "type": "PROJECT_ANALYSIS_TOKEN",
    "projectKey": "my_org_my-project",
    "expirationDate": "2027-01-01"
  }
}

Parameter	Required	Description
`name`	Yes	Token name (must be unique per user)
`login`	No	Target login (admin-only when different from current user)
`type`	No	`USER_TOKEN`, `PROJECT_ANALYSIS_TOKEN`, `GLOBAL_ANALYSIS_TOKEN`
`projectKey`	No	Required for `PROJECT_ANALYSIS_TOKEN`
`expirationDate`	No	`YYYY-MM-DD`

Error Handling

HTTP Status	Error	Solution
400	Bad Request	Verify required arguments — on SonarCloud, most operations need `organization`
401	Unauthorized	Verify the User Token and `baseUrl`
403	Forbidden	Check the SonarQube permissions of the token owner (admin-only operations such as `searchUserTokens` for other users)
404	Not Found	Verify project keys, component keys, issue keys and login names
409	Conflict	Resource already exists (project key, token name, …) — pick a different identifier
429	Rate Limited	Back off and retry with exponential delay
500	Server Error	Server-side issue — check SonarQube logs (self-hosted) or SonarCloud status

Common Issues

“Not configured” — The app instance has no User Token. Generate one in SonarQube > My Account > Security > Generate Tokens and paste it in the app configuration. “Invalid API key” (MCP) — The mcp-api-key header does not match the central app secret. Reinstall the app instance to regenerate a signed key. “Credentials lookup failed” — The MCP endpoint could not reach the getConfig webhook of the installed app. Verify that the app instance is still installed in the expected workspace. “organization parameter is missing” — On SonarCloud, most search and create operations require the organization key. Pass it explicitly in the tool arguments or as a default in your DSUL automation. Badge tools return non-SVG content — getProjectMeasureBadge and getProjectQualityGateBadge return raw SVG. The MCP transport currently surfaces them as JSON-encoded strings; consume them in App mode (DSUL) to write the SVG straight to a file or HTTP response.

External Resources

SonarQube Web API

Official SonarQube Web API reference

SonarCloud Web API

SonarCloud-flavored Web API reference

SonarSource Documentation

Product documentation, metrics catalog, rule descriptions

Tool Agents

Plug MCP servers into Knowledges agents

Integration Overview

Apps Marketplace

Documentation Index

Code Quality

Project Insights

Admin & Operations

​Prerequisites

​Installation

​Configuration

​Available Instructions

​System & Authentication

​Projects

​Components

​Issues

​Measures & Metrics

​Quality Gates

​Quality Profiles & Rules

​Hotspots

​User Tokens

​Analyses & Branches

​Webhooks

​Badges

​DSUL Examples

​List all unresolved bugs on a project

​Get the quality gate status of a branch

​Triage a flaky issue as false positive

​Pull last week’s coverage and bugs trend

​Provision a new SonarCloud project

​Legacy MCP Install (Advanced > Tools)

​Output Formats

​Available Tools

​System & Authentication

​Projects

​Components

​Issues

​Measures & Metrics

​Quality Gates

​Quality Profiles & Rules

​Hotspots

​User Tokens

​Analyses & Branches

​Webhooks

​Badges

​Tool Details

​searchIssues

​transitionIssue

​getComponentMeasures

​getProjectQualityGateStatus

​searchHotspots

​createProject

​generateUserToken

​Error Handling

​Common Issues

​External Resources

SonarQube Web API

SonarCloud Web API

SonarSource Documentation

Tool Agents

Prerequisites

Installation

Configuration

Available Instructions

System & Authentication

Projects

Components

Issues

Measures & Metrics

Quality Gates

Quality Profiles & Rules

Hotspots

User Tokens

Analyses & Branches

Webhooks

Badges

DSUL Examples

List all unresolved bugs on a project

Get the quality gate status of a branch

Triage a flaky issue as false positive

Pull last week’s coverage and bugs trend

Provision a new SonarCloud project

Legacy MCP Install (Advanced > Tools)

Output Formats

Available Tools

System & Authentication

Projects

Components

Issues

Measures & Metrics

Quality Gates

Quality Profiles & Rules

Hotspots

User Tokens

Analyses & Branches

Webhooks

Badges

Tool Details

searchIssues

transitionIssue

getComponentMeasures

getProjectQualityGateStatus

searchHotspots

createProject

generateUserToken

Error Handling

Common Issues

External Resources