{"id":2432,"date":"2025-08-29T13:23:16","date_gmt":"2025-08-29T13:23:16","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/29\/boost-your-copilot-with-sonarqube-via-docker-mcp-toolkit-and-gateway\/"},"modified":"2025-08-29T13:23:16","modified_gmt":"2025-08-29T13:23:16","slug":"boost-your-copilot-with-sonarqube-via-docker-mcp-toolkit-and-gateway","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/29\/boost-your-copilot-with-sonarqube-via-docker-mcp-toolkit-and-gateway\/","title":{"rendered":"Boost Your Copilot with SonarQube via Docker MCP Toolkit and Gateway"},"content":{"rendered":"<p>In the era of AI copilots and code generation tools, productivity is skyrocketing, but so is the risk of insecure, untested, or messy code slipping into production. How do you ensure that generated code doesn\u2019t introduce vulnerabilities, bugs, or bad practices?<\/p>\n<p>A widely adopted tool to help address these concerns is SonarQube. It provides a rich set of rules and quality gates to analyze code for bugs, test coverage, code smells, and security issues. But there\u2019s a common pain point: the feedback loop. You often need to switch between your IDE and SonarQube\u2019s results, breaking focus and slowing iteration.<\/p>\n<p>What if your AI agent could see code quality issues the moment they appear, right in your IDE, without you switching tabs or breaking your flow? 
In this post, we\u2019ll focus on enhancing your development workflow by integrating SonarQube analysis directly into your IDE using the Sonar MCP server and Docker MCP Toolkit.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Getting Started with Sonar MCP from the Docker MCP Toolkit<\/strong><\/h2>\n<p>The solution is here: Sonar MCP Server \u2013 a Model Context Protocol (MCP) server that integrates with SonarQube (Cloud or Server) and allows AI agents (like GitHub Copilot) to access code quality metrics and insights directly from your IDE.<\/p>\n<p>To enable Sonar MCP easily and securely, we\u2019ll use the Docker MCP Toolkit. It provides a catalog of over 150 MCP servers \u2013 including SonarQube.<\/p>\n<p>We won\u2019t dive deep into how MCP servers and the MCP Toolkit work (check out the links below for that); instead, we\u2019ll walk through a hands-on example of using Docker MCP Toolkit with Sonar MCP in a Java project.<\/p>\n<p>Further reading about MCP Catalog and Toolkit:<\/p>\n<p><a href=\"https:\/\/www.docker.com\/blog\/copilot-agent-mode\/\">How Docker MCP Toolkit Works with VS Code Copilot Agent Mode<\/a><\/p>\n<p><a href=\"https:\/\/www.docker.com\/blog\/mcp-catalog\/\">Introducing Docker MCP Catalog and Toolkit<\/a><\/p>\n<h2 class=\"wp-block-heading\"><strong>Demo Project: Java Local Development with Testcontainers<\/strong><\/h2>\n<p>For our demo, we\u2019ll use the Java Local Development Testcontainers Workshop project, a Spring Boot-based microservice for managing a product catalog, complete with APIs and Testcontainers-based tests.<\/p>\n<p>GitHub repo: <a href=\"https:\/\/github.com\/GannaChernyshova\/java-testcontainers-local-development\" target=\"_blank\">GannaChernyshova\/java-testcontainers-local-development<\/a><\/p>\n<p>Before diving into MCP integration, ensure your Java project is already set up for SonarQube analysis. 
In this demo project, that includes:<\/p>\n<p>Using the JaCoCo plugin to collect test coverage data<\/p>\n<p>Adding the SonarQube Maven plugin for code scanning<\/p>\n<p>We also created a corresponding project in SonarQube Cloud and linked it to the GitHub repository. The details of SonarQube setup are outside the scope of this post, but if you need guidance, check out the <a href=\"https:\/\/docs.sonarsource.com\/\" target=\"_blank\">official SonarQube documentation<\/a>.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Step 1: Start the Sonar MCP Server via Docker Desktop<\/strong><\/h3>\n<p>The Docker MCP Toolkit, available in Docker Desktop, makes it quick and secure to spin up MCP servers from a pre\u2011curated catalog without worrying about manual setup or complex dependencies.<\/p>\n<p>To get started:<\/p>\n<p>Open Docker Desktop and navigate to the MCP Toolkit tab.<\/p>\n<p>Browse the Catalog to find SonarQube.<\/p>\n<p>Configure it with your SonarQube URL, organization, and access token.<\/p>\n<p>Hit Start to launch the MCP server.<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 1: SonarQube MCP settings in the Docker Desktop MCP Toolkit<\/em><\/p>\n\n<p>Your MCP server should now be up and running.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Step 2: Connect Sonar MCP to GitHub Copilot (IntelliJ)<\/strong><\/h3>\n<p>We\u2019ll use GitHub Copilot in IntelliJ, which now supports Agent Mode and MCP integration. GitHub provides detailed instructions: <a href=\"https:\/\/docs.github.com\/en\/copilot\/how-tos\/provide-context\/use-mcp\/extend-copilot-chat-with-mcp?tool=jetbrains\" target=\"_blank\">how to use the Model Context Protocol (MCP) to extend Copilot Chat<\/a>.<\/p>\n<p>Open Copilot Settings.<\/p>\n<p>Edit or create the mcp.json file with:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n{<br \/>\n   &quot;servers&quot;: {<br \/>\n       &quot;MCP_DOCKER&quot;: {<br \/>\n           &quot;command&quot;: 
&quot;docker&quot;,<br \/>\n           &quot;args&quot;: [<br \/>\n               &quot;mcp&quot;,<br \/>\n               &quot;gateway&quot;,<br \/>\n               &quot;run&quot;<br \/>\n           ],<br \/>\n           &quot;type&quot;: &quot;stdio&quot;<br \/>\n       }<br \/>\n   }<br \/>\n}\n<\/div>\n<p>This configuration enables the Docker MCP Gateway, a secure enforcement point between agents and external tools, which connects the MCP servers from the MCP Toolkit to your clients or agents.<\/p>\n<p>Now when you switch to Agent Mode in Copilot Chat, you\u2019ll see a list of tools available from the connected MCP server \u2013 in this case, the Sonar MCP tools.<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 2: Tools that SonarQube MCP server provides<\/em><\/p>\n<h3 class=\"wp-block-heading\"><strong>Step 3: Analyze and Improve Your Code<\/strong><\/h3>\n<p>Let\u2019s scan the project:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\nmvn clean verify sonar:sonar\n<\/div>\n<p>In our case, the default quality gate passed. 
However, 4 security issues, a few maintainability issues, and 72.1% test coverage were flagged, leaving room for improvement.<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 3: Initial SonarQube scanning overview<\/em><\/p>\n\n<p>Time to bring in Copilot + Sonar MCP!<\/p>\n<p>We can now ask Copilot Chat to list the issues, suggest fixes, help with adding missing tests, and iterate faster \u2013 all within IntelliJ, without switching context.<\/p>\n<p>Through several iterations, the agent successfully:<\/p>\n<p>Detected open issues, suggested and applied fixes:<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 4: GitHub Copilot Agent detects and fixes issues reported by SonarQube<\/em><\/p>\n\n<p>Improved test coverage based on the SonarQube report of uncovered code lines:<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 5: GitHub Copilot Agent writes tests for uncovered code detected in SonarQube report<\/em><\/p>\n\n<p>Resolved security problems and improved code maintainability:<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 6: GitHub Copilot Agent implements fixes based on the SonarQube open security and maintainability issues<\/em><\/p>\n\n<p>As a result, the final SonarQube scan showed an A rating in every analysis category, and test coverage increased by over 15%, reaching 91.1%.<\/p>\n<div class=\"wp-block-ponyo-image\"><\/div>\n<p><em>Figure 7: SonarQube scanning results after the fixes made with the help of Copilot<\/em><\/p>\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n<p>With the rapid rise of generative AI tools, developers can move faster than ever. But that speed comes with responsibility. The combination of Sonar MCP + Docker MCP Toolkit turns AI copilots into security- and quality-aware coding partners. 
It\u2019s not just about writing code faster; it\u2019s about writing better code first.<\/p>\n<h2 class=\"wp-block-heading\">Learn More<\/h2>\n<p>Discover hundreds of curated MCP servers on the <a href=\"https:\/\/hub.docker.com\/mcp\" target=\"_blank\">Docker MCP Catalog<\/a><\/p>\n<p>Learn more about <a href=\"https:\/\/docs.docker.com\/ai\/mcp-catalog-and-toolkit\/toolkit\/\" target=\"_blank\">Docker MCP Toolkit<\/a><\/p>\n<p>Explore <a href=\"https:\/\/github.com\/docker\/mcp-gateway\" target=\"_blank\">Docker MCP Gateway<\/a> on GitHub<\/p>","protected":false},"excerpt":{"rendered":"<p>In the era of AI copilots and code generation tools, productivity is skyrocketing, but so is the risk of insecure, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2432","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2432"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2432\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}