1.20.0.2929
Immutable
release. Only release title and notes can be modified.
SonarQube MCP Server v1.20.0
sonarsource/sonarqube-mcp; switch from mcp/sonarqube to stay up to date.
This release restores branch support across relevant tools, improves code snippet analysis with broader language handling, fixes several silent failure scenarios, strengthens configuration behavior around CORS and Docker deployments, and upgrades to MCP Java SDK 2.0.0.
Features
- Branch parameter restored — The
branchparameter is back on relevant tools, with improved guidance on when to use it (long-lived branches only; short-lived branches are tied to pull requests) - New
list_branchestool — Lists long-lived branches to discover valid branch values before calling other tools - Expanded language support in
analyze_code_snippet— The tool now correctly handles additional language variants, including tsx and jsx, by creating temporary files with the appropriate extensions before analysis. This ensures language-specific parsers and rules are applied correctly, fixing the original TSX/JSX issue and enabling more accurate analysis across a wider range of languages and file types instead of silently reporting zero issues. - CORS decoupled from bind address — Setting
SONARQUBE_HTTP_HOST=0.0.0.0(required for Docker port mapping) no longer implicitly allows all browser origins. Use the now-documentedSONARQUBE_HTTP_ALLOWED_ORIGINSvariable to explicitly allow additional origins
Bug Fixes
- Fixed
analyze_code_snippetsilently returning zero issues for.tsx/.jsxsnippets whenlanguagewas set totsorjs - Fixed blank optional string arguments (e.g. an empty
pullRequestfield) being forwarded as empty query parameters, causing SonarQube Server to reject the request - Fixed certificate installation scripts writing informational messages to stdout in Docker stdio mode, which could corrupt the MCP client handshake
- Fixed incorrect Docker environment variable names in the GitHub Copilot coding agent README example, which caused authentication to silently fail
Improvements
- Upgraded to MCP Java SDK 2.0.0, aligning with the 2025-11-25 MCP specification and enabling stricter tool input validation
- Documented the
SONARQUBE_HTTP_ALLOWED_ORIGINSenvironment variable and clarified that0.0.0.0controls the listen address only, not CORS policy - Documented the
sonarsource/sonarqube-mcpDocker image for users who need versioned image pinning - Documented the standalone JAR download location at
binaries.sonarsource.comfor users who prefer to run without Docker
Breaking Changes
- Tool arguments have been renamed and aligned:
branchKey/pullRequestKey/pullRequestId→branch/pullRequest