Tools
Reference for the SonarQube MCP Server tools, toolsets, and supported parameters.
The SONARQUBE_TOOLSETS environment variable accepts a comma-separated list of toolsets to enable. See the #tool-enablement article for a list of available toolsets.
MCP Server in SonarQube Cloud
The embedded MCP server includes a default list of toolsets. Define a subset of this list using the SONARQUBE_TOOLSETS header:
analysis,coverage,dependency-risks,duplications,quality-gates,issues,measures,projects,rules,security-hotspots
The analysis toolset is only available to subscribers of the Agentic Analysis add-on. For details about the tools in each toolset, see the relevant section below.
Analysis
analyze_code_snippet: Analyze a file or code snippet with SonarQube analyzers to identify code quality and security issues. Specify the language of the snippet to improve analysis accuracy. Optionally filter results to a specific code snippet. Supported Languages: Java, Kotlin, Python, Ruby, Go, JavaScript, TypeScript, JSP, PHP, XML, HTML, CSS, CloudFormation, Kubernetes, Terraform, ARM, Ansible, Docker, Secrets detection.
Usage:
With workspace mounted (recommended): pass filePath (project-relative); the server reads the file directly, keeping file content out of the agent context window.
Without workspace mount: pass complete fileContent for full file analysis (reports all issues).
Add optional codeSnippet to filter results. Only issues within the snippet will be reported (snippet location auto-detected).
Parameters:
codeSnippet (string, optional): Code snippet to filter issues (must match content in fileContent).
fileContent (string, optional): Complete file content as a string; required when the workspace is not mounted.
filePath (string, optional): Project-relative path of the file to analyze (e.g., src/main/java/MyClass.java). Used when the workspace is mounted at /app/mcp-workspace.
language (string, optional): Language of the code snippet. For example, 'java', 'python', 'javascript'.
projectKey (string, required): The SonarQube project key. Ignored when SONARQUBE_PROJECT_KEY is defined.
scope (string, optional): Scope of the file: MAIN or TEST. Default: MAIN.
NOTE: The analyze_code_snippet tool is disabled if you are using the MCP server embedded in SonarQube Cloud. For a full overview of which tools are unavailable with the embedded server and why, see .
When integration with SonarQube for IDE is enabled
analyze_file_list: Analyze files in the current working directory using SonarQube for IDE. This tool connects to a running SonarQube for IDE instance to perform code quality analysis on a list of files.
file_absolute_paths (array of strings, required): List of absolute file paths to analyze.
toggle_automatic_analysis: Enable or disable SonarQube for IDE automatic analysis. When enabled, SonarQube for IDE automatically analyzes files as you modify them in the working directory. When disabled, automatic analysis is turned off.
enabled (boolean, required): Enable or disable the automatic analysis.
When advanced analysis is enabled
Advanced analysis is available for agentic-analysis.md with SonarQube Cloud.
run_advanced_code_analysis: Run advanced code analysis on SonarQube Cloud for a single file. Organization is inferred from the MCP configuration. Requires the workspace to be mounted at /app/mcp-workspace. Unlike analyze_code_snippet with a workspace mount, this tool uses full CI-level analysis context collected from a previous SonarQube Cloud scan for higher-precision results.
projectKey (key, required): The key of your project. Ignored when SONARQUBE_PROJECT_KEY is defined.
branchName (string, required): Branch name used to retrieve the latest analysis context.
filePath (string, required): Project-relative path of the file to analyze (e.g., src/main/java/MyClass.java).
fileScope (string, optional): Scope the file originates from: MAIN or TEST. Default: MAIN.
Context Augmentation
The following tools are available when Context Augmentation is enabled and configured for your SonarQube Cloud organization. For more information, see context-augmentation.md.
Semantic navigation
search_by_signature_patterns: Find code elements (classes, methods, interfaces) by their declaration signatures using regex patterns.
include_code_regex_list (array of strings, required): List of regex patterns to match against signatures.
exclude_code_regex_list (array of strings, optional): List of regex patterns to exclude from results.
include_glob (string, optional): File filter glob pattern (e.g., *.java).
exclude_glob (string, optional): File exclusion glob pattern.
fields (string, optional): Comma-separated list of fields to include in the response.
limit (integer, optional): Maximum number of results to return (default: 10).
regex_lists_operator (string, optional): How to combine multiple patterns: OR (default) or AND.
search_by_body_patterns: Find code elements by their implementation body using regex patterns. Useful for locating where APIs or patterns are actually used.
include_code_regex_list (array of strings, required): List of regex patterns to match in code bodies.
exclude_code_regex_list (array of strings, optional): List of regex patterns to exclude from results.
include_glob (string, optional): File filter glob pattern.
exclude_glob (string, optional): File exclusion glob pattern.
fields (string, optional): Comma-separated list of fields to include in the response.
limit (integer, optional): Maximum number of results to return (default: 10).
regex_lists_operator (string, optional): How to combine multiple patterns: OR (default) or AND.
get_upstream_call_flow: Trace what functions call a given function. Useful for finding all callers and entry points, and understanding what breaks if a signature changes.
fqn (string, required): Fully qualified name of the function.
depth (integer, optional): Call chain depth (0=function only, 1=direct callers, etc.).
fields (string, optional): Comma-separated list of fields to include in the response.
get_downstream_call_flow: Trace what functions a given function calls. Useful for impact analysis and understanding execution flow.
fqn (string, required): Fully qualified name of the function.
depth (integer, optional): Call chain depth (0=function only, 1=direct callees, etc.).
fields (string, optional): Comma-separated list of fields to include in the response.
get_source_code - Get complete source code (signature and body) for a code element by its fully qualified name.
fqn (string, required): Fully qualified name of the element.
fields (string, optional): Comma-separated list of fields to include in the response.
get_type_hierarchy - Get the full inheritance hierarchy for a class-like structure (class, interface, enum, record, exception, struct). Essential for understanding inheritance trees and refactoring.
fqn (string, required): Fully qualified name of the class-like structure.
fields (string, optional): Comma-separated list of fields to include in the response.
get_references - Get direct inbound and outbound code references for a class or module. Returns only direct (non-transitive) references.
fqn (string, required): Fully qualified name of the class or module.
fields (string, optional): Comma-separated list of fields to include in the response.
Architecture
get_current_architecture - Get a hierarchical architecture graph filtered by path prefix and depth. Useful for exploring module structure and high-level dependencies.
depth (integer, required): Hierarchy depth (0=root only, 1=root + children, etc.).
path_prefix (string, optional): Path prefix to filter nodes (e.g., com.example.service).
ecosystem (string, optional): Ecosystem to filter by (java, cs, py, js, ts).
get_intended_architecture - Get user-defined architectural constraints specifying which modules are allowed to depend on others.
Guidelines
get_guidelines - Get coding guidelines based on SonarQube project issues, catalog categories, or a combination of both.
mode (string, required): Guidelines retrieval mode: project_based, category_based, or combined.
categories (array of strings): List of category names (required for category_based and combined modes).
languages (array of strings): List of target languages in SonarQube repository key format (required when categories is provided).
file_paths (array of strings, optional): List of file paths to filter guidelines by.
Dependencies
Note: Third-party dependency tools are only available when SCA is enabled for your SonarQube Cloud organization.
check_dependency - Check a third-party dependency for security vulnerabilities, supply-chain malware, and license compliance before adding or updating it. Covers npm, Maven, PyPI, Go, NuGet, Cargo, Composer (PHP), RubyGems, and more. Must be called before modifying any dependency manifest or lockfile (e.g. package.json, pom.xml, build.gradle, requirements.txt, Cargo.toml).
purl (string, required): Package URL (purl) with version, per purl-spec. Format: pkg:<type>/<namespace>/<name>@<version> (e.g. pkg:npm/[email protected], pkg:maven/org.apache.logging.log4j/[email protected], pkg:pypi/[email protected]).
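Because check_dependency refuses a purl without a version, it helps to build and validate the purl before calling the tool. The following is an added example, not code from the SonarQube MCP Server: it implements the core purl-spec grammar (scheme, type, optional namespace, name, version, optional qualifiers and subpath) with percent-encoding of namespace segments, so an npm scope such as @angular is emitted as %40angular. The package names and versions in the sample calls are constructed.

```python
"""Build, parse and validate Package URLs (purls) for check_dependency.

Added example; not code from the SonarQube MCP Server. It follows the purl-spec grammar
pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>. Sample packages are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    version: str
    namespace: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def build_purl(ptype: str, name: str, version: str, namespace: Optional[str] = None) -> str:
    """Assemble a canonical purl. '@' and '/' inside a component are percent-encoded,
    so the npm scope '@angular' becomes '%40angular' as purl-spec requires."""
    for label, value in (("type", ptype), ("name", name), ("version", version)):
        if not value:
            raise ValueError(f"purl {label} must not be empty")
    parts = [ptype.lower()]
    if namespace:
        parts.extend(quote(seg, safe="") for seg in namespace.strip("/").split("/"))
    parts.append(quote(name, safe=""))
    return "pkg:" + "/".join(parts) + "@" + quote(version, safe="")


def parse_purl(purl: str) -> Purl:
    """Parse a purl string; raises ValueError when check_dependency could not use it."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with the 'pkg:' scheme")
    remainder = purl[len("pkg:"):].lstrip("/")
    # Subpath and qualifiers come last and never contain the version separator.
    remainder, _, subpath = remainder.partition("#")
    remainder, _, qualifier_str = remainder.partition("?")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    # The version follows the LAST '@'; an encoded '@' in a namespace is '%40' and is untouched.
    path, sep, version = remainder.rpartition("@")
    if not sep or not version:
        raise ValueError("check_dependency needs a purl with an explicit @<version>")
    segments = path.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError("purl needs at least pkg:<type>/<name>")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    if ptype == "maven" and namespace is None:
        raise ValueError("maven purls must carry the groupId as namespace")
    return Purl(ptype, name, unquote(version), namespace, qualifiers, unquote(subpath) or None)


def is_valid_purl(purl: str) -> bool:
    """Convenience gate for callers that only need a yes/no before invoking the tool."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; the versions are not real releases.
    print(build_purl("npm", "core", "12.3.1", namespace="@angular"))
    print(parse_purl("pkg:maven/com.example/demo-lib@1.2.3?type=jar#src/main"))
    print(is_valid_purl("pkg:npm/lodash"))  # no version: the tool would reject it
```

parse_purl splits the version on the last '@' only after the qualifiers and subpath have been removed, which is what keeps a scoped npm namespace from being mistaken for a version separator; maven purls without a groupId namespace are rejected because the tool cannot resolve the artifact without one.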
Coverage
search_files_by_coverage: Search for files in a project sorted by coverage (ascending, worst coverage first). Use this tool to identify files that are candidates for test coverage improvements.
projectKey (string, required): The project key to search in. Ignored when SONARQUBE_PROJECT_KEY is defined.
pullRequest (string, optional): Pull request id to analyze.
maxCoverage (number, optional): Maximum coverage threshold (0–100). Only returns files with coverage less than or equal to this value.
pageIndex (number, optional): Page index (1-based). Default: 1.
pageSize (number, optional): Page size. Default: 100. Max: 500.
get_file_coverage_details: Get line-by-line coverage information for a specific file, including which exact lines are uncovered and which have partially covered branches. Use this tool after identifying low-coverage files with search_files_by_coverage to pinpoint where to add test coverage.
key (string, required): File key (e.g., my_project:src/foo/Bar.java).
pullRequest (string, optional): Pull request id.
from (number, optional): First line to return (1-based). Default: 1.
to (number, optional): Last line to return (inclusive). If not specified, all lines are returned.
Dependency risks
Note: Dependency risks are only available when connecting to SonarQube Server 2025.4 Enterprise edition or higher with SonarQube Advanced Security enabled.
search_dependency_risks: Search for software composition analysis issues (dependency risks) of a SonarQube project, paired with releases that appear in the analyzed project, application, or portfolio.
projectKey (string): Project key. Ignored when SONARQUBE_PROJECT_KEY is defined.
branchKey (string): Branch key.
pullRequestKey (string, optional): Pull request key.
pageIndex (integer, optional): Page index. Default: 1.
pageSize (integer, optional): Page size. Must be greater than 0 and less than or equal to 500. Default: 100.
Duplications
search_duplicated_files: Search for files with code duplications in a SonarQube project. By default, automatically fetches all duplicated files across all pages (up to 10,000 files max). Returns only files with duplications.
projectKey (string, required): Project key. Ignored when SONARQUBE_PROJECT_KEY is defined.
pullRequest (string, optional): Optional pull request id.
pageSize (integer, optional): Optional number of results per page for manual pagination. Max: 500. If not specified, auto-fetches all duplicated files.
pageIndex (integer, optional): Optional page number for manual pagination. Starts at 1. If not specified, auto-fetches all duplicated files.
get_duplications: Get duplications for a file. Requires Browse permission on the file's project.
key (string, required): File key.
pullRequest (string, optional): Optional pull request id.
Enterprises
Note: Enterprise tools are only available when connecting to SonarQube Cloud Enterprise.
list_enterprises: List the enterprises available in SonarQube Cloud that you have access to. Use this tool to discover enterprise IDs that can be used with other tools.
enterpriseKey (string, optional): Enterprise key to filter results.
Issues
change_sonar_issue_status: Change the status of a SonarQube issue to "accept", "falsepositive" or to "reopen" an issue.
key (string, required): Issue key
status (enum, required): New status of the issue. Enum {"accept", "falsepositive", "reopen"}.
search_sonar_issues_in_projects: Search for SonarQube issues in your organization's projects.
issueStatuses (array of strings, optional): List of issue statuses to filter by. Possible values: OPEN, CONFIRMED, FALSE_POSITIVE, ACCEPTED, FIXED, IN_SANDBOX.
issueKey (string, optional): Issue key used to fetch a specific issue.
impactSoftwareQualities (array of strings, optional): List of software qualities to filter by. Possible values: MAINTAINABILITY, RELIABILITY, SECURITY.
p (integer, optional): Page number. Default: 1.
projects (array of strings, optional): Optional list of Sonar projects.
ps (integer, optional): Page size. Must be greater than 0 and less than or equal to 500. Default: 100.
pullRequestId (string, optional): Pull Request's identifier.
severities (array of strings, optional): List of severities to filter by. Possible values: INFO, LOW, MEDIUM, HIGH, BLOCKER.
Languages
list_languages: List all programming languages supported in this SonarQube instance.
q: Pattern to match language keys/names against.
Measures
get_component_measures: Get SonarQube measures for a component (project, directory, file).
component (string, optional): Component key to get measures.
metricKeys (array of strings, optional): Metric keys to retrieve (for example: ncloc, complexity, violations, coverage).
pullRequest (string, optional): Optional pull request identifier to analyze for measures.
Metrics
search_metrics: Search for SonarQube metrics.
p (integer, optional): Page number. Default: 1.
ps (integer, optional): Page size. Must be greater than 0 and less than or equal to 500. Default: 100.
Portfolios
list_portfolios: List enterprise portfolios available in SonarQube with filtering and pagination options.
For SonarQube Server:
q (string, optional): Search query to filter portfolios by name or key.
favorite (boolean): If true, returns favorite portfolios.
pageIndex (integer, optional): Optional 1-based page number. Default: 1.
pageSize (integer, optional): Optional page size, max 500. Default: 100.
For SonarQube Cloud:
enterpriseId (string): Enterprise uuid. Can be omitted only if the favorite parameter is supplied with value true.
q (string, optional): Search query to filter portfolios by name.
favorite (boolean, required): Required to be true if the enterpriseId parameter is omitted. If true, returns portfolios favorited by the logged-in user. Cannot be true when draft is true.
draft (boolean): If true, returns drafts created by the logged-in user. Cannot be true when favorite is true.
pageIndex (integer, optional): Index of the page to fetch. Default: 1.
pageSize (integer, optional): Size of the page to fetch. Default: 50.
Projects
search_my_sonarqube_projects: Find SonarQube projects. The response is paginated.
page (string, optional): Optional page number.
list_pull_requests: List all pull requests for a project. Use this tool to discover available pull requests before analyzing their coverage, issues, or quality. Returns the pull request key/ID which can be used with other tools (For example: search_files_by_coverage, get_file_coverage_details).
projectKey (string, required): Project key. Ignored when SONARQUBE_PROJECT_KEY is defined.
Quality gates
get_project_quality_gate_status: Get the quality gate status for the SonarQube project.
analysisId (string, optional): Analysis ID.
projectId (string, optional): Project ID.
projectKey (string, optional): Project key.
pullRequest (string, optional): Pull request ID.
list_quality_gates: List all quality gates in my SonarQube.
Rules
show_rule: Shows detailed information about a SonarQube rule.
key (string, required): Rule key.
Sources
get_raw_source: Get source code as raw text from SonarQube. Requires the See Source Code permission on file.
key (string, required): File key.
pullRequest (string, optional): Pull request id.
get_scm_info: Get SCM information of SonarQube source files. Requires the See Source Code permission on the file's project.
key (string, required): File key.
commits_by_line (string): If the value is false, group lines by SCM commit; else display commits for each line.
from (number): First line to return. Starts at 1.
to (number): Last line to return (inclusive).
Security Hotspots
search_security_hotspots - Search for Security Hotspots in a SonarQube project.
projectKey (string): Project or application key. Ignored when SONARQUBE_PROJECT_KEY is defined.
hotspotKeys (array of strings): Comma-separated list of specific Security Hotspot keys to retrieve.
branch (string, optional): Optional branch key.
pullRequest (string, optional): Optional pull request key.
files (array of strings, optional): List of file paths to filter.
status (string, optional): Optional status filter: TO_REVIEW, REVIEWED.
resolution (string, optional): Optional resolution filter: FIXED, SAFE, ACKNOWLEDGED.
sinceLeakPeriod (boolean): Filter hotspots created since the leak period (new code).
onlyMine (boolean): Show only hotspots assigned to me.
p (integer, optional): Optional page number. Default: 1.
ps (integer, optional): Optional page size. Must be greater than 0 and less than or equal to 500. Default: 100.
show_security_hotspot - Get detailed information about a specific Security Hotspot, including rule details, code context, flows, and comments.
hotspotKey (string, required): Security Hotspot key.
change_security_hotspot_status - Review a Security Hotspot by changing its status. When marking as REVIEWED, you must specify a resolution (FIXED, SAFE, or ACKNOWLEDGED).
hotspotKey (string, required): Security Hotspot key.
status (enum, required): New status. Required Enum {"TO_REVIEW", "REVIEWED"}.
resolution (enum): Resolution when status is REVIEWED. Enum {"FIXED", "SAFE", "ACKNOWLEDGED"}.
comment (string, optional): Optional review comment.
System
Note: System tools are only available when connecting to SonarQube Server.
get_system_health: Get the health status of the SonarQube Server instance. Returns GREEN (fully operational), YELLOW (usable but needs attention), or RED (not operational).
get_system_info: Get detailed information about SonarQube Server system configuration including JVM state, database, search indexes, and settings. Requires 'Administer' permissions.
get_system_logs: Get SonarQube Server system logs in plain-text format. Requires system administration permission.
name (string, optional): Name of the logs to get. Possible values: access, app, ce, deprecation, es, web. Default: app.
ping_system: Ping the SonarQube Server system to check if it's alive. Returns 'pong' as plain text.
get_system_status: Get state information about SonarQube Server. Returns status (STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, DB_MIGRATION_RUNNING), version, and id.
Webhooks
create_webhook: Create a new webhook for the SonarQube organization or project. Requires Administrator permissions on the specified project, or Global Administrator permissions.
name (string, required): Webhook name.
url (string, required): Webhook URL.
projectKey (string, optional): Project key for project-specific webhook.
secret (string, optional): Webhook secret for securing the webhook payload.
list_webhooks: List all webhooks for the SonarQube organization or project. Requires Administrator permissions on the specified project, or Global Administrator permissions.
projectKey (string, optional): Project key to list project-specific webhooks.
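The secret passed to create_webhook is only useful if the receiver checks it on every delivery. The following is an added example, not code from the SonarQube MCP Server or from SonarQube itself: it assumes, from SonarQube's webhook documentation rather than from this page, that a signed delivery carries the hex HMAC-SHA256 of the raw request body in the X-Sonar-Webhook-HMAC-SHA256 header. The payload field names read by summarize_event and the sample body are constructed.

```python
"""Verify the HMAC signature attached to SonarQube webhook deliveries when a secret is set.

Added example; not code from the SonarQube MCP Server or SonarQube. Header name and
payload fields are assumptions (see lead-in); the sample body is constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"  # assumed header name, not stated on this page


def sign_payload(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, keyed with the webhook secret."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: Dict[str, str], body: bytes) -> bool:
    """True only when the delivery is signed and the signature matches the raw body.
    Header lookup is case-insensitive; the comparison is constant-time."""
    received = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received:
        return False  # a secret is configured, so an unsigned delivery is rejected
    expected = sign_payload(secret, body).encode("ascii")
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


def summarize_event(secret: str, headers: Dict[str, str], body: bytes) -> Optional[Dict[str, str]]:
    """Verify first, parse second: the JSON of an unauthenticated request is never touched.
    Returns None for a rejected delivery; field names are assumed, not taken from this page."""
    if not verify_webhook(secret, headers, body):
        return None
    event = json.loads(body)
    return {
        "project": event.get("project", {}).get("key", ""),
        "qualityGate": event.get("qualityGate", {}).get("status", ""),
    }


# Constructed sample delivery, signed with a constructed secret.
SAMPLE_BODY = json.dumps(
    {"project": {"key": "demo-project"}, "qualityGate": {"status": "ERROR"}}
).encode("utf-8")

if __name__ == "__main__":
    secret = "constructed-secret"
    headers = {SIGNATURE_HEADER: sign_payload(secret, SAMPLE_BODY)}
    print(summarize_event(secret, headers, SAMPLE_BODY))
    print(summarize_event(secret, {}, SAMPLE_BODY))  # unsigned: None
```

The signature must be computed over the exact bytes received, before any JSON decoding or re-serialisation, because a single changed byte (including whitespace) yields a different digest; hmac.compare_digest avoids leaking where the comparison diverged through timing.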