In the era of AI copilots and code generation tools productivity is skyrocketing, but so is the risk of insecure, untested, or messy code slipping into production. How do you ensure it doesn’t introduce vulnerabilities, bugs, or bad practices?
A widely adopted tool to help address these concerns is SonarQube. It provides a rich set of rules and quality gates to analyze code for bugs, test coverage, code smells, and security issues. But there’s a common pain point: the feedback loop. You often need to switch between your IDE and SonarQube’s results, breaking focus and slowing iteration.
What if your AI agent could see code quality issues the moment they appear, right in your IDE, without you switching tabs or breaking your flow? In this post, we’ll focus on enhancing your development workflow by integrating SonarQube analysis directly into your IDE using the Sonar MCP server and Docker MCP Toolkit.
Getting Started with Sonar MCP from the Docker MCP Toolkit
The solution is here: Sonar MCP Server – a Model Context Protocol (MCP) server that integrates with SonarQube (Cloud or Server) and allows AI agents (like GitHub Copilot) to access code quality metrics and insights directly from your IDE.
To enable Sonar MCP easily and securely, we’ll use the Docker MCP Toolkit. It provides a catalog of over 150 MCP servers – including SonarQube.
We won’t dive deep into how MCP servers and the MCP Toolkit work, (check out the links below for that), but instead we’ll walk through a hands-on example of using Docker MCP Toolkit with Sonar MCP in a Java project.
Further reading about MCP Catalog and Toolkit:
- How Docker MCP Toolkit Works with VS Code Copilot Agent Mode
- Introducing Docker MCP Catalog and Toolkit
Demo Project: Java Local Development with Testcontainers
For our demo, we’ll use the Java Local Development Testcontainers Workshop project, a Spring Boot-based microservice for managing a product catalog, complete with APIs and Testcontainers-based tests.
GitHub repo: GannaChernyshova/java-testcontainers-local-development
Before diving into MCP integration, ensure your Java project is already set up for SonarQube analysis. In this demo project, that includes:
- Using the JaCoCo plugin to collect test coverage data
- Adding the SonarQube Maven plugin for code scanning
We also created a corresponding project in SonarQube Cloud and linked it to the GitHub repository. The details of SonarQube setup are outside the scope of this post, but if you need guidance, check out the official SonarQube documentation.
Step 1: Start the Sonar MCP Server via Docker Desktop
The Docker MCP Toolkit, available in Docker Desktop, makes it quick and secure to spin up MCP servers from a pre‑curated catalog without worrying about manual setup or complex dependencies.
To get started:
- Open Docker Desktop and navigate to the MCP Toolkit tab.
- Browse the Catalog to find SonarQube.
- Configure it with your SonarQube URL, organization, and access token.
- Hit Start to launch the MCP server.
Figure 1: SonarQube MCP settings in the Docker Desktop MCP Toolkit
Your MCP server should now be up and running.
Step 2: Connect Sonar MCP to GitHub Copilot (IntelliJ)
We’ll use GitHub Copilot in IntelliJ, which now supports Agent Mode and MCP integration. Here is the detailed instruction from GitHub: how to use the Model Context Protocol (MCP) to extend Copilot Chat.
- Open Copilot Settings.
- Edit or create the mcp.json file with:
{
"servers": {
"MCP_DOCKER": {
"command": "docker",
"args": [
"mcp",
"gateway",
"run"
],
"type": "stdio"
}
}
}
With this configuration you enable the Docker MCP Gateway, a secure enforcement point between agents and external tools, that would connect the MCP servers from the MCP Toolkit to your clients or agents.
Now when you switch to Agent Mode in Copilot Chat, you’ll see a list of tools available from the connected MCP server – in this case, the Sonar MCP tools.
Figure 2: Tools that SonarQube MCP server provides
Step 3: Analyze and Improve Your Code
Let’s scan the project:
mvn clean verify sonar:sonar
In our case, the default quality gate passed. However, 4 security issues, few maintainability and 72.1% test coverage were flagged, leaving room for improvement.
Figure 3: Initial SonarQube scanning overview
Time to bring in Copilot + Sonar MCP!
We can now ask Copilot Chat to list the issues, suggest fixes, help with adding missing tests, and iterate faster – all within IntelliJ, without switching context.
Through several iterations, the agent successfully:
- Detected open issues, suggested and applied fixes:
Figure 4: GitHub Copilot Agent detects and fixes issues reported by SonarQube
- Improved test coverage based on the sonar report of uncovered code lines:
Figure 5: GitHub Copilot Agent writes tests for uncovered code detected in SonarQube report
- Resolved security problems and improved code maintainability:
Figure 6: GitHub Copilot Agent implements fixes based on the SonarQube open security and maintainability issues
As a result, the final SonarQube scan showed an A rating in every analysis category, and test coverage increased by over 15%, reaching 91.1%.
Figure 7: SonarQube scanning results after the fixes made with the help of Copilot
Conclusion
With the rapid rise of generative AI tools, developers can move faster than ever. But that speed comes with responsibility. The combination of Sonar MCP + Docker MCP Toolkit turns AI copilots into security- and quality-aware coding partners. It’s not just about writing code faster, it’s about writing better code first.
Learn More
- Discover hundreds of curated MCP servers on the Docker MCP Catalog
- Learn more about Docker MCP Toolkit
- Explore Docker MCP Gateway on GitHub