SonarSource/sonarqube-mcp-server

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

https://github.com/SonarSource/sonarqube-mcp-server · scanned 2026-05-16 13:31 UTC (3 weeks, 3 days ago) · 10 languages

28 raw signals (10 security + 18 graph) 73rd percentile · Java · medium (20-100K LoC) System graph score 66 (higher by 12)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks, 4 days ago · v1 · 6 actionable findings from 1 signal source. 2 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 0 findings

Score breakdown â 2026-05-14-v3

Component	Sub-score	Weight	Contribution
`structure_score`	65.0	0.15	9.75
`security_score`	86.6	0.25	21.65
`testing_score`	80.0	0.20	16.00
`documentation_score`	75.0	0.15	11.25
`practices_score`	75.0	0.15	11.25
`code_quality`	80.0	0.10	8.00
Overall		1.00	77.9

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 0 Medium 2 Low 1 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 6 System graph 0 Crowd 0 Layer: Software 3 Cicd 2 Security 1

Exclude dismissed / FP Exclude test files

All 583 nodes from the latest scan, grouped by kind. Each node is a unit the engine identified (file, function, endpoint, table…). Most users won't need this view — it's primarily for debugging the engine's graph extraction or for AI agents that want to enumerate the project structure.

Label	Layer	Status	Path
`gemini-extension.json`	software	healthy	`gemini-extension.json`
`GEMINI.md`	software	healthy	`GEMINI.md`
`README.md`	software	healthy	`README.md`
`telemetry-sample.md`	software	healthy	`telemetry-sample.md`
`mise.toml`	software	healthy	`mise.toml`
`Dockerfile`	software	healthy	`Dockerfile`
`server.json`	software	healthy	`server.json`
`build.gradle.kts`	software	healthy	`build.gradle.kts`
`SECURITY.md`	software	healthy	`SECURITY.md`
`stdio-transport-architecture.md`	software	healthy	`docs/stdio-transport-architecture.md`
`tool-loading.md`	software	healthy	`docs/tool-loading.md`
`proxied-mcp-servers.md`	software	healthy	`docs/proxied-mcp-servers.md`
`PULL_REQUEST_TEMPLATE.md`	software	healthy	`docs/PULL_REQUEST_TEMPLATE.md`
`http-authentication-architecture.md`	software	healthy	`docs/http-authentication-architecture.md`
`contributing.md`	software	healthy	`docs/contributing.md`
`install-certificates.sh`	software	healthy	`scripts/install-certificates.sh`
`docker-entrypoint.sh`	software	healthy	`scripts/docker-entrypoint.sh`
`mcp.json`	software	healthy	`agent_configurations/kiro_power/mcp.json`
`POWER.md`	software	healthy	`agent_configurations/kiro_power/POWER.md`
`libs.versions.toml`	software	healthy	`gradle/libs.versions.toml`
`renovate.json`	software	healthy	`.github/renovate.json`
`PullRequestCreated.yml`	software	healthy	`.github/workflows/PullRequestCreated.yml`
`pr-cleanup.yml`	software	healthy	`.github/workflows/pr-cleanup.yml`
`PullRequestClosed.yml`	software	healthy	`.github/workflows/PullRequestClosed.yml`
`SubmitReview.yml`	software	healthy	`.github/workflows/SubmitReview.yml`
`docker-publish.yml`	software	healthy	`.github/workflows/docker-publish.yml`
`shadow_scans.yml`	software	healthy	`.github/workflows/shadow_scans.yml`
`release.yml`	software	healthy	`.github/workflows/release.yml`
`notify-failure.yml`	software	healthy	`.github/workflows/notify-failure.yml`
`docker-build-check.yml`	software	healthy	`.github/workflows/docker-build-check.yml`
`build.yml`	software	healthy	`.github/workflows/build.yml`
`RequestReview.yml`	software	healthy	`.github/workflows/RequestReview.yml`
`action.yml`	software	healthy	`.github/actions/docker-build/action.yml`
`test-mcp-server.py`	software	healthy	`src/test/resources/test-mcp-server.py`
`README.md`	software	healthy	`src/test/resources/ssl/README.md`
`SonarQubeMcpServerGenericTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/SonarQubeMcpSer…`
`SonarQubeMcpServerIdeBridgeTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/SonarQubeMcpSer…`
`SonarQubeVersionCheckerTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/SonarQubeVersio…`
`SonarQubeMcpServerHttpTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/SonarQubeMcpSer…`
`AuthModeTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication/…`
`AuthenticationFilterTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication/…`
`AuthenticationIntegrationTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication/…`
`ProxiedMcpToolTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/ProxiedM…`
`TransportModeTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/Transpor…`
`ManagedStdioClientTransportConcurrencyTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/ManagedS…`
`McpClientManagerTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/McpClien…`
`ProxiedServerConfigParserTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/ProxiedS…`
`ProxiedToolsLoaderTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/ProxiedT…`
`ProxiedToolsLoaderInstructionsTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/ProxiedT…`
`InitializeMetaInjectingClientTransportTest.java`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client/Initiali…`

Showing first 50 of this kind. Full payload available via the JSON button at the top of the page.

Label	Layer	Status	Path
`docs`	software	healthy	`docs`
`scripts`	software	healthy	`scripts`
`agent_configurations`	software	healthy	`agent_configurations`
`kiro_power`	software	healthy	`agent_configurations/kiro_power`
`gradle`	software	healthy	`gradle`
`.github`	software	healthy	`.github`
`workflows`	software	healthy	`.github/workflows`
`actions`	software	healthy	`.github/actions`
`docker-build`	software	healthy	`.github/actions/docker-build`
`src`	software	healthy	`src`
`test`	software	healthy	`src/test`
`resources`	software	healthy	`src/test/resources`
`ssl`	software	healthy	`src/test/resources/ssl`
`java`	software	healthy	`src/test/java`
`org`	software	healthy	`src/test/java/org`
`sonarsource`	software	healthy	`src/test/java/org/sonarsource`
`sonarqube`	software	healthy	`src/test/java/org/sonarsource/sonarqube`
`mcp`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp`
`authentication`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication`
`client`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/client`
`analytics`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/analytics`
`http`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/http`
`configuration`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/configuration`
`serverapi`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/serverapi`
`users`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/serverapi/users`
`organizations`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/serverapi/organ…`
`system`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/serverapi/system`
`a3s`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/serverapi/a3s`
`transport`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/transport`
`log`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/log`
`analysis`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/analysis`
`tools`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools`
`enterprises`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/enterpris…`
`portfolios`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/portfolios`
`qualitygates`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/qualityga…`
`rules`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/rules`
`projects`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/projects`
`issues`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/issues`
`measures`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/measures`
`sources`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/sources`
`duplications`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/duplicati…`
`pullrequests`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/pullreque…`
`analysis`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/analysis`
`system`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/system`
`hotspots`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/hotspots`
`dependencyrisks`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/dependenc…`
`metrics`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/metrics`
`languages`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/languages`
`webhooks`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/tools/webhooks`
`bridge`	software	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/bridge`

Showing first 50 of this kind. Full payload available via the JSON button at the top of the page.

Label	Layer	Status	Path
`PullRequestCreated_job`	cicd	healthy	`.github/workflows/PullRequestCreated.yml`
`cleanup`	cicd	healthy	`.github/workflows/pr-cleanup.yml`
`PullRequestMerged_job`	cicd	healthy	`.github/workflows/PullRequestClosed.yml`
`SubmitReview_job`	cicd	healthy	`.github/workflows/SubmitReview.yml`
`prepare`	cicd	healthy	`.github/workflows/docker-publish.yml`
`build`	cicd	healthy	`.github/workflows/docker-publish.yml`
`test`	cicd	healthy	`.github/workflows/docker-publish.yml`
`publish`	cicd	healthy	`.github/workflows/docker-publish.yml`
`scan`	cicd	healthy	`.github/workflows/shadow_scans.yml`
`release`	cicd	healthy	`.github/workflows/release.yml`
`notify`	cicd	healthy	`.github/workflows/notify-failure.yml`
`build-amd64`	cicd	healthy	`.github/workflows/docker-build-check.yml`
`build-arm64`	cicd	healthy	`.github/workflows/docker-build-check.yml`
`build`	cicd	healthy	`.github/workflows/build.yml`
`integration`	cicd	healthy	`.github/workflows/build.yml`
`promote`	cicd	healthy	`.github/workflows/build.yml`
`RequestReview_job`	cicd	healthy	`.github/workflows/RequestReview.yml`

Label	Layer	Status	Path
`gha::PullRequestCreated`	cicd	healthy	`.github/workflows/PullRequestCreated.yml`
`gha::pr-cleanup`	cicd	healthy	`.github/workflows/pr-cleanup.yml`
`gha::PullRequestClosed`	cicd	healthy	`.github/workflows/PullRequestClosed.yml`
`gha::SubmitReview`	cicd	healthy	`.github/workflows/SubmitReview.yml`
`gha::docker-publish`	cicd	healthy	`.github/workflows/docker-publish.yml`
`gha::shadow_scans`	cicd	healthy	`.github/workflows/shadow_scans.yml`
`gha::release`	cicd	healthy	`.github/workflows/release.yml`
`gha::notify-failure`	cicd	healthy	`.github/workflows/notify-failure.yml`
`gha::docker-build-check`	cicd	healthy	`.github/workflows/docker-build-check.yml`
`gha::build`	cicd	healthy	`.github/workflows/build.yml`
`gha::RequestReview`	cicd	healthy	`.github/workflows/RequestReview.yml`

Label	Layer	Status	Path
`send_message`	software	healthy	`src/test/resources/test-mcp-server.py:31`
`receive_message`	software	healthy	`src/test/resources/test-mcp-server.py:38`
`handle_initialize`	software	healthy	`src/test/resources/test-mcp-server.py:49`
`handle_list_tools`	software	healthy	`src/test/resources/test-mcp-server.py:81`
`handle_call_tool`	software	healthy	`src/test/resources/test-mcp-server.py:128`
`main`	software	healthy	`src/test/resources/test-mcp-server.py:175`

Label	Layer	Status	Path
`auth::.github/workflows/build.yml`	security	healthy	`.github/workflows/build.yml`
`auth::src/main/java/org/sonarsource/sonarqube/mcp/authentic…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/authentication/…`
`auth::src/test/java/org/sonarsource/sonarqube/mcp/authentic…`	security	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication/…`
`auth::src/main/java/org/sonarsource/sonarqube/mcp/authentic…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/authentication/…`
`auth::src/test/java/org/sonarsource/sonarqube/mcp/authentic…`	security	healthy	`src/test/java/org/sonarsource/sonarqube/mcp/authentication/…`
`auth::src/main/java/org/sonarsource/sonarqube/mcp/transport…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/transport/HttpS…`

Label	Layer	Status	Path
`generic_api_key::src/main/java/org/sonarsource/sonarqube/mc…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/analytics/Analy…`
`password_literal::src/main/java/org/sonarsource/sonarqube/m…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/configuration/M…`
`password_literal::src/main/java/org/sonarsource/sonarqube/m…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/configuration/M…`
`password_literal::src/main/java/org/sonarsource/sonarqube/m…`	security	healthy	`src/main/java/org/sonarsource/sonarqube/mcp/configuration/M…`

Label	Layer	Status	Path
`0.8.0.355`	network	healthy	`Dockerfile`
`1.2.3.456`	network	healthy	`.github/workflows/release.yml`

Label	Layer	Status	Path
`repobility-clone-zzl5ts1f`	software	healthy	`/tmp/repobility-clone-zzl5ts1f`

Label	Layer	Status	Path
`port:04`	network	healthy	`.github/workflows/shadow_scans.yml`

Label	Layer	Status	Path
`image::Dockerfile`	hardware	healthy	`Dockerfile`

Label	Layer	Status	Path
`GITHUB_TOKEN`	cicd	healthy	`—`

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/c13f1bc8-1a7e-439e-80da-e57482ec655c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c13f1bc8-1a7e-439e-80da-e57482ec655c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.

SonarSource/sonarqube-mcp-server

Complete repo analysis

file 50+

directory 50+

job 17

pipeline 11

function 6

auth 6

secret 4

service 2

repo 1

port 1

container 1

env_var 1