Your New AI-Powered Coding Buddy: A Guide to SonarQube MCP Server on IntelliJ 🤖

  • November 07, 2025

Hey Java devs! 👋 Ever feel like you're drowning in a sea of code, trying to keep it reliable, efficient, and secure? We've all been there. Juggling new features, bug fixes, and pull requests is a daily grind. But what if you had an AI-powered assistant to help you out? That's where the SonarQube MCP Server comes in. Let's dive into how this new MCP server can supercharge your daily coding routine. 🚀


A Day in the Life of a Java Developer ☕

Your typical day probably looks something like this:

  • Morning Coffee & Code: You grab your favorite brew, pull the latest changes from the main branch, and start working on a new feature. You're in the zone, writing fresh, new code.
  • Pull Request Review: A teammate has submitted a pull request. You need to switch gears, review their code, and provide constructive feedback.
  • Bug Hunt: A wild bug appears! 🐛 You have to put on your detective hat, dig through the codebase, and figure out what's causing the issue.
  • Refactoring: That old piece of code you wrote a year ago? It's time to give it some love and refactor it for better performance and readability.
  • Dependency Check: You need to add a new library to the project. Is it secure? Are there any known vulnerabilities? Time to investigate.

Now, imagine having an AI assistant to help with these tasks. That's the power of the SonarQube MCP server.


Getting Started: Accessing the MCP Server from IntelliJ 🛠️

Here’s how to set it up:

  1. Open GitHub Copilot Chat
  2. Set the mode to “Agent” and click on the Tools icon 🛠️
  3. Click on “+ Add More tools”

Add the configuration of the MCP Server. The values below are placeholders: "command" is your container runner (podman or docker), SONARQUBE_TOKEN is a token you generate from your SonarQube account page, and SONARQUBE_URL is your local or remote server. Note that "-e SONARQUBE_TOKEN" without a value tells the container runner to copy the variable from the environment the host sets from the "env" block, so the secret never appears on the command line. JSON has no comments, so do not leave any in the file once your values are in place.

      "sonarqube": {
        "command": "podman",
        "args": [
          "run",
          "-i",
          "--rm",
          "-e",
          "SONARQUBE_TOKEN",
          "-e",
          "SONARQUBE_URL",
          "mcp/sonarqube"
        ],
        "env": {
          "SONARQUBE_TOKEN": "sqp_4da0d2......8670e",
          "SONARQUBE_URL": "http://10.89.0.3:9000"
        },
        "type": "stdio"
      }
    }

Remember to use a user token only, not a Project Analysis or Global Analysis token; otherwise the MCP Server cannot reach all the endpoints it needs. One thing to double-check: SonarQube prefixes user tokens with `squ_`, project analysis tokens with `sqp_` and global analysis tokens with `sqa_`, so a token that starts with `sqp_` like the placeholder above is a project analysis token and will not work for every tool. Once the token is in this file, treat the file as a secret: keep it out of version control and out of screenshots.

For other IDEs like VS Code it's even easier: a single install button 👇 and you are done 🎉
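Before handing the entry above to an agent, it is worth linting it for the mistakes a first setup tends to contain. The following is an added example, not code from SonarQube or from the Copilot plugin: it checks a constructed copy of the entry (placeholder token and URL) for a literal secret in the file, a non-user token prefix, plain http to a remote host and a secret passed inline on the container command line. The `${input:...}` placeholder style used in the hardened copy is VS Code's mcp.json syntax and is assumed here as the reference form; check what your IDE supports.

```python
import json
from urllib.parse import urlparse

# Constructed: the stdio entry from the page with its '#' comments removed and a
# placeholder token. It keeps the weak choices a first setup tends to have:
# an inline token, a project-analysis token and plain http to a remote host.
WEAK_CONFIG = json.loads("""{
  "sonarqube": {
    "command": "podman",
    "args": ["run", "-i", "--rm", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_URL", "mcp/sonarqube"],
    "env": {
      "SONARQUBE_TOKEN": "sqp_0123456789abcdef0123456789abcdef01234567",
      "SONARQUBE_URL": "http://10.89.0.3:9000"
    },
    "type": "stdio"
  }
}""")

# Constructed: the same entry with the token supplied through a host-side input
# reference (${input:...} is VS Code's mcp.json form; assumed as the reference
# style) and TLS to the server.
SAFER_CONFIG = json.loads("""{
  "sonarqube": {
    "command": "podman",
    "args": ["run", "-i", "--rm", "-e", "SONARQUBE_TOKEN", "-e", "SONARQUBE_URL", "mcp/sonarqube"],
    "env": {
      "SONARQUBE_TOKEN": "${input:sonarqube-token}",
      "SONARQUBE_URL": "https://sonarqube.example.internal"
    },
    "type": "stdio"
  }
}""")

# SonarQube token prefixes: squ_ user, sqp_ project analysis, sqa_ global analysis.
TOKEN_KINDS = {"squ_": "user", "sqp_": "project analysis", "sqa_": "global analysis"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_reference(value):
    """True for a host-expanded placeholder like ${input:...} rather than a literal secret."""
    return value.startswith("${") and value.endswith("}")


def token_kind(token):
    """Classify a SonarQube token by its prefix; 'unknown' for references or old-style tokens."""
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return kind
    return "unknown"


def lint_mcp_entry(entry):
    """Return the list of problems found in one MCP server entry (empty means clean)."""
    findings = []
    env = entry.get("env", {})
    args = entry.get("args", [])
    token = env.get("SONARQUBE_TOKEN", "")
    url = env.get("SONARQUBE_URL", "")

    # 1. Secret handling: a literal token in an IDE config ends up in dotfile sync,
    #    backups and, sooner or later, a commit.
    if token and not is_reference(token):
        findings.append("SONARQUBE_TOKEN is a literal value; reference it from a host input or the environment")
        # 2. Token type (only checkable on a literal): the server needs a user token.
        kind = token_kind(token)
        if kind != "user":
            findings.append(f"SONARQUBE_TOKEN is a {kind} token; generate a user token (squ_ prefix)")

    # 3. Transport: the token travels in an Authorization header, so require TLS off localhost.
    parsed = urlparse(url)
    if parsed.scheme != "https" and parsed.hostname not in LOCAL_HOSTS:
        findings.append(f"SONARQUBE_URL {url} is not https and not local; the token would cross the network in clear")

    # 4. Container hygiene: "-e NAME" reads the value from the process environment;
    #    "-e NAME=value" puts the secret on the command line, visible in ps and inspect.
    for i, arg in enumerate(args):
        if arg == "-e" and i + 1 < len(args) and "=" in args[i + 1]:
            findings.append(f"secret passed inline as -e {args[i + 1].split('=', 1)[0]}=...; pass the name only")
    if "--rm" not in args:
        findings.append("missing --rm: a stopped container keeps the token in its stored environment")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safer", SAFER_CONFIG)):
        print(name, lint_mcp_entry(cfg["sonarqube"]) or ["clean"])
```

Run it against your own mcp.json entry after stripping any comments; the weak copy above yields three findings (literal token, project-analysis prefix, plain http), the hardened copy none.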


Supercharge Your Daily Tasks with SonarQube MCP Server ⚡

Let's see how our AI-powered buddy can help with your daily tasks:

  1. Analyze Snippet: Instant Feedback on the Code generated by the AI assistant

You're asking AI for a new method, and you're not sure if what the AI returns is the most secure way to do it. Instead of waiting for the CI/CD pipeline to run, you can get instant feedback.

The Agent follows a series of steps: it creates the code and then validates it with SonarQube through the SonarQube MCP server.

At the end, the Agent (running the GPT-5 mini model in this example) shows the list of tasks it performed, followed by the result of the SonarQube analysis of the snippet it just created.

Yes, I know what you are thinking 🤔: do I have to explicitly tell the agent to use SonarQube every time? I totally understand you... Well, the answer is no 🥳

We can add the guardrails for our Agent in a doc that is taken into account every time the AI interacts with us. For GitHub Copilot we create a file called "copilot-instructions.md" in the .github folder at the root of the project, with instructions like these:

This is a Java based repository with a Quarkus MCP tool.
It is primarily responsible for testing AI MCP servers.
Please follow these guidelines when contributing:

## Instructions for the AI Agent
- Always add the pom.xml file in the root of the project to the context, and especially consider the sonar properties defined there.

## Post Generation Guidelines
- Always try to use the SonarQube MCP server to analyze the generated snippets for code quality and security vulnerabilities.

## Key Guidelines
1. Use Java 24 features where possible
2. Follow Java best practices and idiomatic patterns
3. Maintain the existing code structure and organization
4. Use dependency injection patterns where appropriate
5. Write unit tests for new functionality using JUnit 5. Use table-driven unit tests when possible.
6. Document public APIs and complex logic. Suggest changes to the `docs/` folder when appropriate

Available on SonarQube Server 2025.1 and above or SonarQube Cloud

  2. Search Dependency Risks: Stay Secure 🛡️

Adding libraries to your project is a common step, but you cannot assume that those libraries are secure, that the version you want to use is fully patched, or that its license is compatible with your project's license.

You need to analyze the dependencies you add to your project and, more importantly, the transitive dependencies brought in by your direct dependencies, in order to find vulnerabilities and licensing mismatches.

So you open your pom.xml and add a new JSON parsing library. Easy ☺️

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.10.7</version>
</dependency>

But before you continue with your work, let's analyze the code and dependencies, and then use the Search Dependency Risks feature to check for known vulnerabilities in this version of the library. The MCP server asks SonarQube for the vulnerabilities in this project's dependencies and tells you whether you should move to a different version or to a different library altogether.

We get a summarized answer listing the dependencies in our project and the vulnerabilities they carry, with a reference to the CVEs and a severity rating for each one.

Eyy ‼️ Do you see that the Jackson dependency we just added appears here with several HIGH and MEDIUM vulnerabilities across multiple CVEs 😱? Fortunately our friend the SonarQube MCP server is warning us 🙏

Available on SonarQube Server 2025.4 and above or SonarQube Cloud (requires Advanced Security)

  3. Change Sonar Issue Status: Filtering out issues from the Quality Gate

SonarQube for IDE flags an issue in your code, but sometimes you are not ready to fix it, you decide you can live with it and will never fix it, or you disagree with Sonar's criteria and don't consider that case an issue at all. For those situations you can change the status of the issue to one of two states: Accept or False Positive 🤯. Instead of going to the dashboard to do it, with the Change Sonar Issue Status feature you can simply ask the MCP server to change it. Use this with care: a status change silences the finding for the whole team, not just for you, and SonarQube records it in the issue's changelog, so add a comment explaining the decision and keep the agent from triaging on its own (the guardrail file above only asks it to analyze, which is the right default).

After the change, the issue shows its new status in the SonarQube UI. It will no longer break our Quality Gate, and we can focus on the issues we are realistically going to tackle.

  4. Search Project Issues: Get the Full Picture

You're about to start working on a bug in the PaymentService.java file. Before you dive in, you can use the Search Project Issues feature to get a list of all known SonarQube issues in that file. This gives you a good overview of the code's health and helps you spot other problems to fix while you're there.

The MCP server knows which project and file we are working on, and checks the issues for the whole project or, more specifically, for the current file. In this case it even includes extra information about the issue whose status we changed a few minutes ago.

  5. Project Status: A Bird's-Eye View 🦅

Want to know the overall health of your project? Use the Project Status feature to get a quick summary of key metrics like code coverage, duplications, and the number of open issues. It's a great way to track your progress and see the impact of your team's efforts.

The Agent combines several tools to produce a concise, easy-to-read status of the project, with no need to open the SonarQube dashboard.

  6. How is the PR going: A glance at the evolution 👀

Working on a pull request and want to see its status? The SonarQube MCP server has your back! Quickly retrieve all issues related to your current PR, with no need to leave your IDE for the SonarQube dashboard.

First you need the ID of the current pull request, so that the Assistant really constrains the issues to that PR. In this case it is number 6.

Then, in natural language, we ask the Assistant to do whatever is needed to get the results for that PR.

The Assistant, with the help of the MCP Server, returns a table of the issues in the Pull Request.
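The Search Project Issues, Change Sonar Issue Status and PR features above all work on the same object: the issue list that SonarQube's Web API (`api/issues/search`) returns, optionally narrowed to one pull request. The block below is an added example, not the MCP server's own code, showing what the Assistant's table is built from. It takes a constructed response in the shape of that endpoint (project key "Test" from the text, PaymentService.java from the bug-hunt scenario, and one issue that was Accepted), leaves accepted and false-positive issues out of the counts the way the Quality Gate does, and renders the per-file table. The parameter names in `search_query` are taken from the Web API documentation; verify them against your server version, since `componentKeys` is being superseded by `components` on newer releases.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlencode

SEVERITY_ORDER = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]
SILENCED = {"ACCEPTED", "FALSE_POSITIVE"}          # issueStatus values on SonarQube 10.x and later
LEGACY_SILENCED = {"WONTFIX", "FALSE-POSITIVE"}    # resolution values still returned by older servers

# Constructed response in the shape of api/issues/search: three open issues in
# PaymentService.java, one in another file, and one issue that was Accepted via
# the Change Sonar Issue Status feature (RESOLVED/WONTFIX with issueStatus ACCEPTED).
SAMPLE_RESPONSE = json.loads("""{
  "total": 5,
  "issues": [
    {"key": "AX-1", "severity": "MAJOR", "type": "BUG",
     "component": "Test:src/main/java/demo/PaymentService.java", "line": 42,
     "message": "A NullPointerException could be thrown here.", "status": "OPEN"},
    {"key": "AX-2", "severity": "CRITICAL", "type": "VULNERABILITY",
     "component": "Test:src/main/java/demo/PaymentService.java", "line": 77,
     "message": "Change this code to not construct SQL queries directly from user-controlled data.",
     "status": "OPEN"},
    {"key": "AX-3", "severity": "MINOR", "type": "CODE_SMELL",
     "component": "Test:src/main/java/demo/PaymentService.java", "line": 10,
     "message": "Remove this unused import.", "status": "OPEN"},
    {"key": "AX-4", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "Test:src/main/java/demo/OrderService.java", "line": 5,
     "message": "Refactor this method to reduce its Cognitive Complexity.", "status": "OPEN"},
    {"key": "AX-5", "severity": "MAJOR", "type": "CODE_SMELL",
     "component": "Test:src/main/java/demo/PaymentService.java", "line": 90,
     "message": "Define a constant instead of duplicating this literal.",
     "status": "RESOLVED", "resolution": "WONTFIX", "issueStatus": "ACCEPTED"}
  ]
}""")


def search_query(project_key, pull_request=None):
    """Query string for api/issues/search: open issues of one project, optionally one PR only."""
    params = {"componentKeys": project_key, "resolved": "false"}
    if pull_request is not None:
        params["pullRequest"] = str(pull_request)
    return "api/issues/search?" + urlencode(params)


def is_silenced(issue):
    """True when the issue was Accepted or marked False Positive, so it no longer counts against the gate."""
    if issue.get("issueStatus") in SILENCED:
        return True
    return issue.get("status") == "RESOLVED" and issue.get("resolution") in LEGACY_SILENCED


def path_of(issue):
    """Component keys look like "<projectKey>:<path>"; keep only the path."""
    return issue["component"].split(":", 1)[1]


def summarize(payload, path_suffix=None, include_silenced=False):
    """Count issues per file and severity, skipping silenced ones unless asked, optionally for one file."""
    summary = defaultdict(Counter)
    for issue in payload["issues"]:
        if not include_silenced and is_silenced(issue):
            continue
        path = path_of(issue)
        if path_suffix and not path.endswith(path_suffix):
            continue
        summary[path][issue["severity"]] += 1
    return dict(summary)


def worst_severity(summary):
    """Highest severity still open across all files, or None when everything is clean."""
    for sev in SEVERITY_ORDER:
        if any(counts[sev] for counts in summary.values()):
            return sev
    return None


def render(summary):
    """Render the summary as the kind of table the Assistant shows, one row per file."""
    header = "file | " + " | ".join(SEVERITY_ORDER)
    rows = [path + " | " + " | ".join(str(summary[path][sev]) for sev in SEVERITY_ORDER)
            for path in sorted(summary)]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(search_query("Test", pull_request=6))
    by_file = summarize(SAMPLE_RESPONSE, path_suffix="PaymentService.java")
    print(render(by_file))
    print("worst open severity:", worst_severity(by_file))
```

Pass `include_silenced=True` when you want to see what has been accepted or dismissed in a file; that is the quickest way to review whether a status change like the one above was justified.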

Tips and tricks : how to get the best out of Agent-MCP relationship 🤝

To get the most out of AI-assisted code analysis, provide detailed context and establish clear guardrails. As shown with the copilot-instructions.md file, giving the agent explicit instructions keeps it aligned with project standards and makes sure it actually uses tools like the SonarQube MCP server.

Rich context also matters: the pom.xml with its Sonar project properties, such as sonar.projectKey=Test, lets the AI target the right project and make more accurate suggestions. Finally, pairing that context with a precise prompt (including the PR ID when relevant) and a capable model noticeably improves the quality of the results, turning the AI into a genuinely useful coding partner.


Conclusion: Your MCP for Supercharged Code ✅

The SonarQube MCP server is more than just a tool; it's a co-pilot that helps you write better, high quality, and more secure code. By integrating it into your daily workflow, you can catch issues earlier, learn best practices, and spend less time on tedious tasks. So, what are you waiting for? Give it a try and take your Java development to the next level! 🚀
