# sonar-analyze

Analyze a file or code snippet for quality and security issues using SonarQube.
| Field | Value |
| ---- | ---- |
| name | sonar-analyze |
| description | Analyze a file or code snippet for quality and security issues using SonarQube |
| argument-hint | ["file-path"] |
| allowed-tools | Read, Glob, Bash(git branch:*) |
Analyze code for quality and security issues using the SonarQube MCP Server.
```text
sonar-analyze                     # analyze the file currently in context
sonar-analyze src/auth/login.py   # analyze a specific file
```
This skill requires the SonarQube MCP Server to be configured and at least one of the tools mcp__sonarqube__run_advanced_code_analysis, mcp__sonarqube__analyze_code_snippet, or mcp__sonarqube__analyze_file_list to be available in your session.
Before proceeding, verify at least one of these tools is accessible. If none are, do not attempt to call any CLI commands or invent alternatives, and show the user:
```text
Unable to reach the SonarQube MCP Server.

Possible causes:
- MCP server not registered — invoke the sonar-integrate skill to configure the SonarQube MCP Server, then restart the agent session
- Credentials not configured — invoke the sonar-integrate skill
- Project key missing or invalid — pass an explicit key if needed, verify sonar-project.properties, or re-run the sonar-integrate skill for this project
```
Then ask the user (yes/no) whether to run the sonar-integrate skill now. If they confirm, invoke the sonar-integrate skill yourself and follow it end-to-end in this session, then ask the user to restart the agent session so the new MCP tools become available; if they decline, stop.
Both analysis tools work on one file at a time, so resolve a single file path first: the path given as an argument, or otherwise the file currently in context. Do not accept a directory as input; if the user provides one, ask them to specify a single file.
Detect the language key from the file extension:

| Extension | Language key |
| --- | --- |
| .py | py |
| .js .jsx | js |
| .ts .tsx | ts |
| .java | java |
| .go | go |
| .php | php |
| .cs | cs |
| .rb | rb |
| .swift | swift |
| .kt | kotlin |
| .c .cpp .cc .h | cpp |

Determine the file scope, "TEST" or "MAIN", from the file path. For example, if the path contains test, spec, or __tests__, it is likely "TEST" scope.

After running the sonar-integrate skill, the SonarQube MCP Server usually has a default project for this workspace, so projectKey is often unnecessary — pass it only when the tool schema requires it or the user targets another project.
Two tools may be available depending on whether the connected organization is eligible for Agentic Analysis:
Try mcp__sonarqube__run_advanced_code_analysis first (available when the organization is eligible for Agentic Analysis).
Before calling it, detect the current branch name using git branch --show-current. If git is unavailable, use main as a fallback.
Then call it with:

- projectKey — omit unless the tool requires it (initial MCP configuration usually supplies the default project); if required, use the value from the user's arguments if provided, otherwise sonar.projectKey in sonar-project.properties at the repo root
- branchName — detected branch name
- filePath — project-relative file path (e.g. src/auth/login.py)
- fileContent — full file content; only pass if the tool requires it (when the MCP server has a mount, it reads the file directly and this parameter will not be required)
- fileScope — ["TEST"] or ["MAIN"]

If that tool is unavailable, fall back to mcp__sonarqube__analyze_code_snippet or mcp__sonarqube__analyze_file_list (available for all organizations), called with:

- projectKey — omit unless the tool requires it; resolve the same way as above when needed
- filePath — project-relative file path (e.g. src/auth/login.py)
- codeSnippet — full file content (optional; provide to narrow analysis to a specific snippet)
- language — detected language key
- scope — "TEST" or "MAIN"

If issues are found, present them as a table sorted by line number:
```markdown
## SonarQube Analysis — `src/auth/login.py`

Found **3 issue(s)**:

| Line | Severity | Rule | Message |
| ---- | --------- | ------------ | ----------------------------------------------------- |
| 12 | 🔴 Blocker | python:S2077 | Make sure that executing this SQL query is safe here. |
| 34 | 🟠 Major | python:S1481 | Remove the unused local variable "token". |
| 67 | 🟡 Minor | python:S1135 | Complete the task associated to this "TODO" comment. |
```
Severity icons (the label depends on the server version):
If no issues are found:

```markdown
## SonarQube Analysis — `src/auth/login.py`

✅ No issues found.
```
After the results, always add:

```text
<rule> <file>:<line> to fix a specific issue, or ask me to fix them all."
```
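The pre-call steps described above (single file path, language key from the extension table, test/spec path heuristic for scope, sonar.projectKey lookup in sonar-project.properties, and `git branch --show-current` with the main fallback), carried through in Python as an added illustration that is not part of this skill or of SonarQube's own code. The function and parameter names (`build_analysis_args`, `key_required`, and the inline properties text) are this example's own assumptions.

```python
import re
import subprocess
from pathlib import Path, PurePosixPath
# Extension -> SonarQube language key, as in the table above.
LANGUAGE_KEYS = {".py": "py", ".js": "js", ".jsx": "js", ".ts": "ts", ".tsx": "ts", ".java": "java",
                 ".go": "go", ".php": "php", ".cs": "cs", ".rb": "rb", ".swift": "swift",
                 ".kt": "kotlin", ".c": "cpp", ".cpp": "cpp", ".cc": "cpp", ".h": "cpp"}
# A segment like tests/, login_spec.rb or __tests__/ marks test code (not latest.py).
TEST_SEGMENT = re.compile(r"(^|[_.\-])(tests?|spec)([_.\-]|$)|__tests__", re.I)

def language_key(file_path: str) -> str:
    ext = PurePosixPath(file_path).suffix.lower()
    return LANGUAGE_KEYS[ext]  # KeyError for an extension the table does not cover

def file_scope(file_path: str) -> str:
    parts = PurePosixPath(file_path.replace("\\", "/")).parts
    return "TEST" if any(TEST_SEGMENT.search(p) for p in parts) else "MAIN"

def parse_project_key(properties_text: str):
    # sonar.projectKey from sonar-project.properties content; None when absent.
    for line in properties_text.splitlines():
        if line.strip().startswith("sonar.projectKey") and "=" in line:
            return line.split("=", 1)[1].strip() or None
    return None

def current_branch() -> str:
    # `git branch --show-current`, falling back to main when git is unavailable.
    try:
        out = subprocess.run(["git", "branch", "--show-current"], capture_output=True, text=True)
        return out.stdout.strip() or "main"
    except OSError:
        return "main"

def build_analysis_args(file_path, *, advanced, properties_text="", explicit_key=None,
                        key_required=False, branch=None) -> dict:
    # advanced=True -> run_advanced_code_analysis; False -> analyze_code_snippet.
    if Path(file_path).is_dir():
        raise ValueError("analysis works on one file; a directory was given")
    args = {"filePath": file_path}
    if key_required:  # otherwise omit it and let the MCP default project apply
        args["projectKey"] = explicit_key or parse_project_key(properties_text)
        if args["projectKey"] is None:
            raise ValueError("no projectKey: pass one or set sonar.projectKey")
    if advanced:
        args["branchName"] = branch or current_branch()
        args["fileScope"] = [file_scope(file_path)]
    else:
        args["language"] = language_key(file_path)
        args["scope"] = file_scope(file_path)
    return args
```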