Analyzes single code files for quality and security issues using SonarQube MCP Server. Supports Python, JS/TS, Java, Go, PHP, C#, Ruby, Swift, Kotlin, C/C++. Detects language and scope from path.
```
npx claudepluginhub sonarsource/sonarqube-agent-plugins --plugin sonarqube
```
Analyze code for quality and security issues using the SonarQube MCP Server.
Usage:

```
sonar-analyze                    # analyze the file currently in context
sonar-analyze src/auth/login.py  # analyze a specific file
```
This skill requires the SonarQube MCP Server to be configured and at least one of the tools `mcp__sonarqube__run_advanced_code_analysis`, `mcp__sonarqube__analyze_code_snippet`, or `mcp__sonarqube__analyze_file_list` to be available in your session.
Before proceeding, verify at least one of these tools is accessible. If none are, do not attempt to call any CLI commands or invent alternatives, and show the user:
```
Unable to reach the SonarQube MCP Server.

Possible causes:
- MCP server not registered — invoke the sonar-integrate skill to configure the SonarQube MCP Server, then restart the agent session
- Credentials not configured — invoke the sonar-integrate skill
- Project key missing or invalid — pass an explicit key if needed, verify sonar-project.properties, or re-run the sonar-integrate skill for this project
```
Then ask the user (yes/no) whether to run the sonar-integrate skill now. If they confirm, invoke the sonar-integrate skill yourself and follow it end-to-end in this session, then ask the user to restart the agent session so the new MCP tools become available; if they decline, stop.
The analysis tools work on one file at a time. Resolve a single file path: use the path given in the user's arguments if there is one, otherwise the file currently in context. Do not accept a directory as input. If the user provides one, ask them to specify a single file.

Detect the language key from the file extension:
| Extension | Language key |
|---|---|
| .py | py |
| .js .jsx | js |
| .ts .tsx | ts |
| .java | java |
| .go | go |
| .php | php |
| .cs | cs |
| .rb | rb |
| .swift | swift |
| .kt | kotlin |
| .c .cpp .cc .h | cpp |
Determine the scope: "TEST" or "MAIN". Use the file path to deduce it; for example, if the path contains test, spec, or __tests__, it is likely "TEST" scope.

After running the sonar-integrate skill, the SonarQube MCP Server usually has a default project for this workspace, so projectKey is often unnecessary: pass it only when the tool schema requires it or the user targets another project.
Which tool to call depends on whether the connected organization is eligible for Agentic Analysis.

Try `mcp__sonarqube__run_advanced_code_analysis` first (available when the organization is eligible for Agentic Analysis). Before calling it, detect the current branch name with `git branch --show-current`. If git is unavailable, use `main` as a fallback (the command also prints nothing on a detached HEAD; treat an empty result the same way). Then call with:

- projectKey — omit unless the tool requires it (initial MCP configuration usually supplies the default project); if required, use the value from the user's arguments if provided, otherwise `sonar.projectKey` in `sonar-project.properties` at the repo root
- branchName — detected branch name
- filePath — project-relative file path (e.g. `src/auth/login.py`)
- fileContent — full file content; only pass it if the tool requires it (when the MCP server has a mount, it reads the file directly and this parameter is not required)
- fileScope — ["TEST"] or ["MAIN"]

If that tool is unavailable, fall back to `mcp__sonarqube__analyze_code_snippet` or `mcp__sonarqube__analyze_file_list` (available for all organizations):

- projectKey — omit unless the tool requires it; resolve it the same way as above when needed
- filePath — project-relative file path (e.g. `src/auth/login.py`)
- codeSnippet — the full file content, or a specific excerpt to narrow the analysis to it (optional)
- language — detected language key
- scope — "TEST" or "MAIN"

If issues are found, present them as a table sorted by line number:
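The steps above (single-file resolution, language key from extension, scope from path, project key from `sonar-project.properties`, branch detection, and the two argument sets) as one runnable helper. This is an added example, not code from the sonar-analyze skill or the SonarQube MCP Server; the function names, the token-based test detection and the issue of what to do on a detached HEAD are assumptions of the example, and the tool argument names are the ones listed in the skill.

```python
# Added example, not part of the sonar-analyze skill or the SonarQube MCP Server:
# resolve everything the skill needs (file, language key, scope, project key,
# branch) and assemble the argument sets for both tool paths.
import os
import re
import subprocess
from typing import Optional

# Extension -> SonarQube language key, as in the skill's table.
LANGUAGE_KEYS = {
    ".py": "py", ".js": "js", ".jsx": "js", ".ts": "ts", ".tsx": "ts",
    ".java": "java", ".go": "go", ".php": "php", ".cs": "cs", ".rb": "rb",
    ".swift": "swift", ".kt": "kotlin",
    ".c": "cpp", ".cpp": "cpp", ".cc": "cpp", ".h": "cpp",
}
# The skill says a path "containing" test, spec or __tests__ is TEST scope.
# Matching whole tokens (split on / \ _ . -) is an assumption that keeps
# names like contest.py or latest.go in MAIN scope.
TEST_TOKENS = {"test", "tests", "spec", "specs"}
TOKEN_SPLIT = re.compile(r"[/\\_.\-]+")


def detect_language(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext not in LANGUAGE_KEYS:
        raise ValueError(f"unsupported file type: {path!r}")
    return LANGUAGE_KEYS[ext]


def detect_scope(path: str) -> str:
    # "__tests__" splits to the token "tests", "login.spec.ts" to "spec".
    tokens = TOKEN_SPLIT.split(path.lower())
    return "TEST" if any(t in TEST_TOKENS for t in tokens) else "MAIN"


def resolve_file(path: str) -> dict:
    # The skill never accepts a directory; the path is sent project-relative.
    if os.path.isdir(path):
        raise ValueError(f"need a single file, not a directory: {path!r}")
    return {"filePath": path.replace(os.sep, "/"),
            "language": detect_language(path), "scope": detect_scope(path)}


def project_key_from_properties(text: str) -> Optional[str]:
    # Minimal Java-properties reader: skips blanks and #/! comments,
    # accepts key=value and key: value.
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep and key.strip() == "sonar.projectKey":
            return value.strip() or None
    return None


def current_branch(cwd: str = ".", fallback: str = "main") -> str:
    # `git branch --show-current` prints nothing on a detached HEAD and fails
    # outside a repository or without git; all three cases use the fallback.
    try:
        out = subprocess.run(["git", "branch", "--show-current"], cwd=cwd,
                             capture_output=True, text=True, check=True,
                             timeout=5).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return fallback
    return out or fallback


def build_calls(path: str, project_key: Optional[str] = None,
                branch: Optional[str] = None,
                properties_text: Optional[str] = None,
                file_content: Optional[str] = None) -> dict:
    # An explicit key wins over sonar-project.properties; with neither, the
    # key is omitted (the server's default project applies). fileContent /
    # codeSnippet are attached only when the caller read the file.
    info = resolve_file(path)
    key = project_key
    if key is None and properties_text is not None:
        key = project_key_from_properties(properties_text)
    advanced = {"branchName": branch or current_branch(),
                "filePath": info["filePath"], "fileScope": [info["scope"]]}
    snippet = {"filePath": info["filePath"], "language": info["language"],
               "scope": info["scope"]}
    if key:
        advanced["projectKey"] = snippet["projectKey"] = key
    if file_content is not None:
        advanced["fileContent"] = file_content
        snippet["codeSnippet"] = file_content
    return {"mcp__sonarqube__run_advanced_code_analysis": advanced,
            "mcp__sonarqube__analyze_code_snippet": snippet}
```

`build_calls("src/auth/login.py", properties_text=open("sonar-project.properties").read())` returns both argument dicts keyed by tool name; pick the one whose tool is present in the session. Reading the file and passing it as `file_content` is left to the caller because, per the skill, the content is only needed when the server has no mount.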
## SonarQube Analysis — `src/auth/login.py`
Found **3 issue(s)**:
| Line | Severity | Rule | Message |
| ---- | --------- | ------------ | ----------------------------------------------------- |
| 12 | 🔴 Blocker | python:S2077 | Make sure that executing this SQL query is safe here. |
| 34 | 🟠 Major | python:S1481 | Remove the unused local variable "token". |
| 67 | 🟡 Minor | python:S1135 | Complete the task associated to this "TODO" comment. |
Severity icons follow the table above (🔴 Blocker, 🟠 Major, 🟡 Minor); the exact label depends on the server version.
If no issues are found:
## SonarQube Analysis — `src/auth/login.py`
✅ No issues found.
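The two report shapes above, produced from a list of issues, as an added example that is not part of the skill. The issue dict keys (`line`, `severity`, `rule`, `message`) are an assumption, since the MCP tools' response schema is not given here; the sort by line number, the severity icons and the no-issues line follow the skill's text, and the sample issues are constructed from its example table.

```python
# Added example, not from the skill: build the report in the shape the skill
# specifies (table sorted by line number, or the "no issues" line). The issue
# dict keys (line, severity, rule, message) are an assumption; the MCP tools'
# actual response schema is not documented here.
SEVERITY_ICONS = {"blocker": "🔴", "major": "🟠", "minor": "🟡"}  # from the sample table


def severity_cell(severity: str) -> str:
    # Labels vary by server version; unknown ones get a neutral icon (assumption).
    icon = SEVERITY_ICONS.get(severity.lower(), "⚪")
    return f"{icon} {severity.capitalize()}"


def render_report(file_path: str, issues: list) -> str:
    header = f"## SonarQube Analysis — `{file_path}`"
    if not issues:
        return f"{header}\n✅ No issues found."
    rows = sorted(issues, key=lambda i: (i["line"], i["rule"]))
    out = [header, f"Found **{len(rows)} issue(s)**:",
           "| Line | Severity | Rule | Message |", "|---|---|---|---|"]
    for i in rows:
        # A literal "|" in a rule message would break the markdown row.
        msg = str(i["message"]).replace("|", "\\|")
        out.append(f"| {i['line']} | {severity_cell(i['severity'])} | {i['rule']} | {msg} |")
    return "\n".join(out)


# Constructed sample, deliberately out of line order to exercise the sort.
SAMPLE_ISSUES = [
    {"line": 67, "severity": "MINOR", "rule": "python:S1135",
     "message": 'Complete the task associated to this "TODO" comment.'},
    {"line": 12, "severity": "BLOCKER", "rule": "python:S2077",
     "message": "Make sure that executing this SQL query is safe here."},
    {"line": 34, "severity": "MAJOR", "rule": "python:S1481",
     "message": 'Remove the unused local variable "token".'},
]

if __name__ == "__main__":
    print(render_report("src/auth/login.py", SAMPLE_ISSUES))
    print(render_report("src/auth/login.py", []))
```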
After the results, always add:
<rule> <file>:<line> to fix a specific issue, or ask me to fix them all."