Is Sonar Mcp Server safe to use?

Sonar Mcp Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Sonar Mcp Server?

Sonar Mcp Server can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Sonar Mcp Server?

Sonar Mcp Server is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

Is Sonar Mcp Server actively maintained?

Sonar Mcp Server is less actively maintained — last commit was 334 days ago. It has 2 GitHub stars.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/sonar-mcp-server)](https://mcppedia.org/s/sonar-mcp-server)

✓

Is it safe?

No package registry to scan.

No authentication — any process on your machine can connect.

MIT. View license →

Is it maintained?

Last commit 334 days ago. 2 stars.

Will it work with my client?

Transport: stdio. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

MCPpedia Score

Click each category to see evidence

18F

Last scored just now

How we score →

Security

6/30

No known vulnerabilities.

○

Known CVEs — No package registry to scan

○

Tool safety — No tools to analyze

○

Tool poisoning — No tools to analyze

○

Injection vectors — No tools to analyze

✓

Tool stability — Tool definitions stable

○

Dependency health — No package to analyze

✓

License — License: MIT

○

Authentication — No authentication required

○

CVEs checked daily via OSV.dev. Score algorithm is open source.

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

MCP Security Weekly

Get CVE alerts and security updates for Sonar Mcp Server and similar servers.

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Sonar MVP Server

An MCP server implementation for the SonarQube Cloud API in Golang.

Build and Release

# to quickly build the latest snapshot
goreleaser build --snapshot --clean
goreleaser release --skip=publish --snapshot --clean

Usage Instructions

If you want to use the tool locally, e.g. with Claude Desktop, use the following configuration for the MCP server.

{
    "mcpServers": {
      "sonar": {
        "command": "/Users/mario-leander.reimer/Applications/sonar-mcp-server",
        "args": ["-t", "stdio"],
        "env": {
          "SONAR_TOKEN": "<<INSERT TOKEN HERE>>"
        }
      }
    }
}

Alternatively, you can use the MCP introspector for easy local development:

# as stdio binary
npx @modelcontextprotocol/inspector go run main.go

# as SSE server using 
go run main.go --transport sse
npx @modelcontextprotocol/inspector npx mcp-remote@next http://localhost:8080/sse
npx @modelcontextprotocol/inspector

Deployment

Currently using manual Google Cloud Run deployment. Can either be deployed directly from source or using the Docker image built on Github.

# create a new secret for the SONAR_TOKEN
gcloud services enable secretmanager.googleapis.com
print $SONAR_TOKEN | gcloud secrets create sonar-token --data-file=-

# next deploy the local build from source to Cloud Run
gcloud services enable run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com

gcloud secrets add-iam-policy-binding sonar-token \
  --member=serviceAccount:343509396461-compute@developer.gserviceaccount.com \
  --role=roles/secretmanager.secretAccessor

gcloud run deploy sonar-mcp-server --source=. \
  --region=europe-north1 \
  --port=8080 --allow-unauthenticated \
  --set-secrets=SONAR_TOKEN=sonar-token:latest \
  --set-env-vars=BASE_URL=https://sonar-mcp-server-343509396461.europe-north1.run.app

gcloud run services delete sonar-mcp-server --async --region=europe-north1

Maintainer

M.-Leander Reimer (@lreimer), mario-leander.reimer@qaware.de

License

This software is provided under the MIT open source license, read the LICENSE file for details.

Sonar Mcp Server

Quick Install

Should you use this server?

Test This Server

Score Breakdown

MCPpedia Score

Security

Help improve this page

Reviews

Frequently Asked Questions

Similar servers

Memory MCP Server

Context Mode

Idea Reality MCP Server

Browser Tools Mcp

Discussion