The rise of AI-assisted software development has introduced a new bottleneck: code verification. While AI can generate code at unprecedented speeds, manually verifying that code for quality and security often breaks a software developer's flow.

To solve this, Sonar launched the SonarQube MCP Server, bridging the gap between AI agents and trusted SonarQube insights. Today, we are evolving this integration. While the SonarQube MCP server remains available as a local Docker container, we have now launched an embedded version directly within SonarQube Cloud. Now natively available, with no installation required, this update removes the "Docker barrier" and transforms the integration into a fully managed, enterprise-ready service.

Cloud-native integration

The cloud-native option is designed for environments where centralized management is preferred or where local installation restrictions are in place. For many software engineering teams, especially those in regulated industries like finance or healthcare, local installations are not allowed, and this created significant friction.

The SonarQube embedded MCP server solves these issues by moving the logic into SonarQube Cloud. It provides a centralized, managed endpoint that is always on, always updated, and accessible without any local software installation.

Beyond analysis: Conversational code intelligence

By embedding the SonarQube MCP server, we are enabling AI agents to autonomously verify the AI code they produce against your organization’s specific quality gates.

When connected to the embedded MCP server, your AI assistants (such as Claude Desktop, GitHub Copilot, or custom LLM agents) can perform high-value tasks directly within the conversational flow:

• Natural language queries: Ask your AI, "My quality gate is failing for my project. Can you help me understand why and fix the most critical issues?” or "I want to reduce technical debt in my project. What are the top issues I should prioritize?"
• Actionable issue management: Interactively update an issue’s status or mark a finding as a false positive directly from your AI assistant without switching to the SonarQube UI.
• Dependency risk detection: Leverage SonarQube Advanced Security insights to identify and remediate vulnerable security dependencies in real-time.
• Quality at the source: Ensure AI-generated code adheres to your standards before it ever reaches a Pull Request.

How to connect to the embedded MCP server

Switching to the embedded version requires a simple update to your MCP configuration (e.g., your mcp.json file). This configuration replaces the previous Docker-based image or command blocks with a direct cloud-native connection. Example for Cursor or Antigravity:

"sonarqube": {

  "type": "http",

  "url": "https://api.sonarcloud.io/mcp",

  "headers": {

    "Authorization": "Bearer <your_user_token>",

    "SONARQUBE_ORG": "your-organization-key"

  }

}

Setup requirements:

1. User token: Generate a personal access token in your SonarQube Cloud security settings.
2. Organization key: Provide the unique key for your SonarQube Cloud organization.

Empowering the modern AI stack

The embedded MCP server is designed for the future of "vibe coding" and agentic workflows. By providing AI agents with direct, secure access to SonarQube Cloud's 7,000+ distinct issues that can be detected we ensure that velocity never comes at the expense of code health.

Deployment options Users can now choose between two methods to connect their AI tools to SonarQube:

• Local deployment: Running a Docker container on a workstation to bridge the IDE and SonarQube.
• Cloud native: Using the embedded endpoint in SonarQube Cloud for centralized access without local software installation.

Whether you are using Amazon Q Developer, Claude Code, or building custom autonomous agents, the embedded SonarQube MCP server provides the standardized, scalable, and secure foundation needed to automate code quality and security at scale.

To learn more about SonarQube MCP Server, visit our Documentation or join the discussion in the Sonar Community.