
SonarQube

Connect your SonarQube instance to enable CloudThinker agents to analyze code quality, review security hotspots, and monitor quality gate statuses across your projects.

Supported Platforms

| Platform | Support |
| --- | --- |
| SonarQube Cloud | All organizations |
| SonarQube Server | 2025.4 and above |

CloudThinker uses the official SonarSource MCP server, which requires SonarQube Server 2025.4+ or SonarQube Cloud.

Setup

1. Generate a Token

In SonarQube Cloud, go to My Account → Security → Generate Tokens:
  • Name: cloudthinker
  • Type: User Token
  • Expires in: Set an appropriate duration
Copy the token — it will not be shown again.

2. Find Your Organization Key

Go to My Organizations and note the organization key from the URL:
https://sonarcloud.io/organizations/YOUR_ORG_KEY

3. Add Connection in CloudThinker

Navigate to Connections → SonarQube and enter:
  • Token: The token you generated
  • Deployment Type: Select SonarQube Cloud
  • Organization: Your organization key
Copy the token immediately after generation. SonarQube will not show it again, and you’ll need to create a new token if lost.

Connection Details

| Field | Description | Example |
| --- | --- | --- |
| SONARQUBE_TOKEN | User token for authentication | squ_xxxxx... |
| SONARQUBE_DEPLOYMENT_TYPE | cloud or self_hosted | cloud |
| SONARQUBE_ORG | Organization key (Cloud only) | my-org |
| SONARQUBE_URL | Server URL (Self-Hosted only) | https://sonarqube.your-domain.com |

Required Permissions

Minimum

  • Browse permission on projects you want to analyze
  • Execute Analysis permission for triggering scans

All minimum permissions, plus:
  • Administer permission on projects for full quality gate management
  • Create Projects permission for onboarding new projects

Agent Capabilities

Once connected, agents can:

| Capability | Description |
| --- | --- |
| Project Browsing | List and inspect all projects in your organization |
| Issue Analysis | Retrieve and categorize bugs, vulnerabilities, and code smells |
| Quality Gates | Check quality gate statuses across projects |
| Security Hotspots | Review and prioritize security hotspots |
| Code Duplication | Analyze code duplication metrics |
| Code Metrics | Inspect coverage, complexity, and maintainability ratings |

Example Prompts

@oliver analyze code quality metrics across all projects and check quality gate statuses
@oliver review all security hotspots and categorize them by risk level
@oliver list all blocker and high severity issues broken down by type
@tony check code coverage trends for the main project

Troubleshooting

  • Verify the token is correct and has not expired
  • Ensure the token type is User Token
  • Check the token has not been revoked
  • Verify the organization key is correct
  • Ensure you are a member of the organization
  • Check the organization has not been deleted
  • Verify the SonarQube URL is correct and accessible
  • Check firewall rules allow connections from CloudThinker
  • Ensure the SonarQube service is running
  • Verify the token owner has Browse permission on the projects
  • Check project visibility settings (public vs. private)
  • Ensure projects exist in the organization

Security Best Practices

  • User token - Use a dedicated user token, not a global analysis token
  • Token expiration - Set appropriate expiration dates
  • Minimal permissions - Grant only Browse permission for read-only analysis
  • Token rotation - Rotate tokens every 90 days
  • HTTPS only - Always use HTTPS for self-hosted instances
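
A pre-flight check for the fields in the Connection Details table, applying the user-token and HTTPS-only practices above before the values are saved. This is an added example, not CloudThinker or SonarSource code: `check_connection` and the settings dict are hypothetical, and it assumes SonarQube Server's `sqp_` (project analysis) and `sqa_` (global analysis) token prefixes; a token with any other prefix is not flagged because its type cannot be read from the value.

```python
from urllib.parse import urlsplit

# Assumption: SonarQube Server marks non-user token types with these prefixes.
NON_USER_PREFIXES = {"sqp_": "project analysis", "sqa_": "global analysis"}


def check_connection(settings):
    """Return a list of problems found in a dict of SONARQUBE_* settings."""
    problems = []
    token = settings.get("SONARQUBE_TOKEN", "")
    if not token:
        problems.append("SONARQUBE_TOKEN is missing")
    elif token != token.strip():
        problems.append("SONARQUBE_TOKEN has leading or trailing whitespace")
    for prefix, kind in NON_USER_PREFIXES.items():
        if token.strip().startswith(prefix):
            problems.append(f"token is a {kind} token; the connection expects a User Token")

    deployment = settings.get("SONARQUBE_DEPLOYMENT_TYPE", "")
    if deployment == "cloud":
        if not settings.get("SONARQUBE_ORG"):
            problems.append("SONARQUBE_ORG is required for cloud")
    elif deployment == "self_hosted":
        parts = urlsplit(settings.get("SONARQUBE_URL", ""))
        if not parts.hostname:
            problems.append("SONARQUBE_URL must be a full https:// URL for self_hosted")
        elif parts.scheme != "https":
            problems.append("SONARQUBE_URL must use https")
        if parts.username or parts.password:
            problems.append("SONARQUBE_URL must not embed credentials")
    else:
        problems.append("SONARQUBE_DEPLOYMENT_TYPE must be cloud or self_hosted")
    return problems


# Constructed sample settings; the token values are placeholders, not real tokens.
GOOD_CLOUD = {"SONARQUBE_TOKEN": "squ_" + "0" * 40,
              "SONARQUBE_DEPLOYMENT_TYPE": "cloud", "SONARQUBE_ORG": "my-org"}
BAD_SELF_HOSTED = {"SONARQUBE_TOKEN": "sqa_" + "0" * 40,
                   "SONARQUBE_DEPLOYMENT_TYPE": "self_hosted",
                   "SONARQUBE_URL": "http://sonarqube.your-domain.com"}

if __name__ == "__main__":
    for name, cfg in (("good cloud", GOOD_CLOUD), ("bad self-hosted", BAD_SELF_HOSTED)):
        print(name, "->", check_connection(cfg) or "ok")
```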
