Kiro

Set up the SonarQube MCP Server in Kiro and start using Sonar tools with your agent.

Kiro is an agentic IDE from AWS. Use this MCP server setup when you want Sonar tools available within a Kiro workspace.

If you prefer using the SonarQube-hosted MCP server instead, see below.

Use the configuration generator

Use the official SonarQube MCP Server configuration generator to get a configuration code snippet for your setup:

Identify the target MCP Client.
Find your #common-variables.
Choose a hosting method.
Enter the information into the configuration generator.
Paste the generated configuration into your configuration file.

Manual setup

Environment variables

The following common variables are required. SONARQUBE_TOKEN applies to stdio transport only. For HTTP, HTTPS, or the embedded SonarQube Cloud MCP server, use the Authorization: Bearer <YourSonarQubeUserToken> header instead.

SONARQUBE_TOKEN: Your SonarQube user token (stdio transport).
SONARQUBE_ORG: Your SonarQube Cloud organization key. Required for SonarQube Cloud only.
SONARQUBE_URL: Your SonarQube Server or Community Build URL. Also required for SonarQube Cloud in the US region (https://sonarqube.us). Not needed for SonarQube Cloud in the EU region.

Important: Your SonarQube token is a sensitive credential. Use environment variables to pass tokens rather than hardcoding them in configuration files. Never commit tokens to version control.

Transport options

The SonarQube MCP Server supports three transport modes. Use Stdio for local development and most use cases, HTTPS for production and team deployments, and HTTP only on trusted internal networks.

Stdio (recommended)

Use Stdio for local development or when you are the only user. It's also the transport mode used in your Agentic Analysis and Context Augmentation workflows.

Create or edit an existing .kiro/settings/mcp.json file in your workspace directory, then add the following configuration:

Warning: User tokens are required when setting up connected mode or an MCP server between SonarQube Server and SonarQube for IDE. Your binding won't function properly if you use project tokens, global tokens, or scoped organization tokens during setup.

Note: This code sample configures the MCP server using Stdio transport, where SONARQUBE_TOKEN is passed as an environment variable.
For HTTPS, HTTP, or the SonarQube-hosted MCP server, the SONARQUBE_TOKEN header is deprecated. Pass the token using the "Authorization": "Bearer <YourSonarQubeUserToken>" header instead.

Note: SONARQUBE_URL should be defined as https://sonarqube.us each time you use a SonarQube Cloud configuration (SONARQUBE_TOKEN + SONARQUBE_ORG) and want to connect to a US-region instance. See the Connecting to SonarQube Cloud in the US region section for details.

Kiro with SonarQube Cloud

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--init",
        "--pull=always",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_ORG",
        //"-e",
        //"SONARQUBE_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YourSonarQubeUserToken>",
        "SONARQUBE_ORG": "<YourOrganizationName>"
        //"SONARQUBE_URL": "https://sonarqube.us"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Kiro with SonarQube Server

{
  "mcpServers": {
    "sonarqube": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--init",
        "--pull=always",
        "-e",
        "SONARQUBE_TOKEN",
        "-e",
        "SONARQUBE_URL",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "<YourSonarQubeUserToken>",
        "SONARQUBE_URL": "<YourSonarQubeServerURL>"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Tip: To verify the connection, ask your AI agent to call the SonarQube MCP ping_system tool. For example: "Ping the SonarQube MCP server."

Tip: Restart your AI agent for good measure, although it might not be required.

HTTPS

Use HTTPS when connecting Kiro to a shared MCP server deployed for a team. This requires an HTTPS transport server to be running and accessible.

Add the following to your .kiro/settings/mcp.json file:

{
  "mcpServers": {
    "sonarqube": {
      "type": "https",
      "url": "https://<YourSonarQubeMCPServer>:8443/mcp",
      "headers": {
        "Authorization": "Bearer <YourSonarQubeUserToken>"
      }
    }
  }
}

Tip: To verify the connection, ask your AI agent to call the SonarQube MCP ping_system tool. For example: "Ping the SonarQube MCP server."

Tip: Restart your AI agent for good measure, although it might not be required.

HTTP

Important: The HTTP transport mode is not recommended. Use Stdio for local development or HTTPS for multi-user production deployments.

Use HTTP only on a trusted internal network or for local testing. This requires an HTTP transport server to be running.

Add the following to your .kiro/settings/mcp.json file:

{
  "mcpServers": {
    "sonarqube": {
      "type": "http",
      "url": "http://<YourSonarQubeMCPServer>:8080/mcp",
      "headers": {
        "Authorization": "Bearer <YourSonarQubeUserToken>"
      }
    }
  }
}

Tip: To verify the connection, ask your AI agent to call the SonarQube MCP ping_system tool. For example: "Ping the SonarQube MCP server."

Tip: Restart your AI agent for good measure, although it might not be required.

Agentic analysis and context augmentation

To set up Agentic Analysis and Context Augmentation, the recommended methods are the SonarQube plugin or SonarQube CLI. See the Make your agent verify its code and Add context to generate better code pages.

When using these services, your SONARQUBE_TOKEN lets your local MCP server configured for Stdio mode authenticate to the SonarQube Cloud API. See the Agentic Analysis and Context Augmentation pages for more information.

SonarQube-hosted MCP server

To avoid running and maintaining your own MCP infrastructure while always using the current server version, connect to a SonarQube-hosted MCP server:

SonarQube Cloud-hosted: the MCP server embedded in SonarQube Cloud. It exposes a smaller, fixed subset of tools. See the SonarQube Cloud-hosted page.
SonarQube Server-hosted: the MCP server installed as an extension on SonarQube Server (Developer, Enterprise, and Data Center editions), available on SonarQube Server 2026.3 and later. See the SonarQube Server-hosted page.

Use Sonar tools from Kiro

Once connected, Kiro can call SonarQube MCP tools on your behalf. See the tools page for the full list of available tools.

Install the Kiro power

Kiro powers give your agent specialized tools and context to reduce noise. In addition to configuration details and troubleshooting tips, the SonarQube Code Quality & Security Power provides tools to help your agent complete these tasks:

Analyze code: Scan files or snippets for bugs, vulnerabilities, code smells, and technical debt across 30+ languages.
Security scanning: Detect security vulnerabilities, hotspots, and risks in third-party dependencies using the SCA capabilities in SonarQube Advanced Security.
Quality metrics: Track coverage, complexity, duplication, and maintainability ratings; check quality gate status before deployment.
Issue management: Search, filter, and triage issues by severity or type; mark false positives or accept issues with documentation.
Project insights: Browse projects, view portfolios, and get quality dashboards for making informed decisions.

Find the Sonar power entry on the Kiro website. Launch the SonarQube power in Kiro. Complete details are available on our GitHub page.

PreviousGitHub Copilot cloud agent NextWindsurf

Last updated 7 hours ago

Was this helpful?