Day X of solving real-world problems with Claude Code
I wanted SonarCloud code quality reports without constantly switching between my terminal, GitHub, and SonarCloud's web UI. The Goal: Type one command in Claude Code and get a full quality report back—instantly.
Here's Everything That Went Wrong (& Right)
Turns out, Claude Code's MCP (Model Context Protocol) ecosystem makes this possible — but getting there involved 9 distinct failures, 3 PAT permission updates, and one important discovery about how GitHub reports CI status.
What I Built
A fully automated pipeline:
You write code
→ Claude commits & pushes
→ Creates PR via GitHub MCP
→ GitHub Actions runs sonar-scanner
→ Claude polls for completion
→ Pulls report via SonarQube MCP
→ Shows quality gate + issues table
| Metric | Value |
|---|---|
| ⏱ Total time | ~2.5 minutes (commit to report) |
| 🖐 Manual steps | 0 (after one-time setup) |
The Stack
| Component | Role |
|---|---|
| Claude Code CLI | Orchestrator |
| `mcp/sonarqube` | Reads SonarCloud data — quality gates, issues, metrics |
| `ghcr.io/github/github-mcp-server` | Manages repos, branches, PRs |
| GitHub Actions | Runs the sonar-scanner |
| SonarCloud (free tier) | Hosts analysis results |
Setup: The Happy Path (~30 min)
1. SonarCloud
Import your project via "Analyze new project" (don't create manually). Disable Automatic Analysis. Generate a Project Analysis Token (not a user token — this matters, see Challenge #3).
2. GitHub PAT (Fine-grained)
| Permission | Level | Why |
|---|---|---|
| Contents | Read & Write | Push files |
| Workflows | Read & Write | Create .github/workflows/ files |
| Actions | Read & Write | Manage workflow runs |
| Pull requests | Read & Write | Create PRs |
| Commit statuses | Read | Poll CI status |
| Metadata | Read | Required |
Missing any one of these causes 403 errors at different stages. Workflows and Commit statuses are the most commonly missed.
3. MCP Servers
```bash
# Pull Docker images
docker pull mcp/sonarqube
docker pull ghcr.io/github/github-mcp-server

# Add to Claude Code (run from terminal, not inside Claude).
# YOUR_SONARCLOUD_TOKEN, yourorg and YOUR_GITHUB_PAT are placeholders for your own values.
claude mcp add sonarqube \
  --env SONARQUBE_TOKEN=YOUR_SONARCLOUD_TOKEN \
  --env SONARQUBE_ORG=yourorg \
  -- docker run -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG mcp/sonarqube

claude mcp add github \
  -e GITHUB_PERSONAL_ACCESS_TOKEN=YOUR_GITHUB_PAT \
  -- docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN \
  ghcr.io/github/github-mcp-server

# RESTART Claude Code (MCP servers only load on startup)
```
4. GitHub Actions Workflow
Two files needed in your repo:
sonar-project.properties:
```properties
sonar.projectKey=YourOrg_yourrepo
sonar.organization=yourorg
sonar.sources=src
sonar.exclusions=**/node_modules/**,**/dist/**
```
.github/workflows/sonarcloud.yml:
```yaml
name: SonarCloud Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
Claude can create both files via the GitHub MCP — no manual file creation needed. The only browser step: adding SONAR_TOKEN as a GitHub Actions secret.
The 9 Challenges (In Order)
1. MCP Server Not Connecting
Added the server via claude mcp add but tools weren't available.
Fix: MCP servers load on startup only. Restart Claude Code.
2. Docker Image Not Pulled
Config was correct but server wouldn't start.
Fix: docker pull mcp/sonarqube first.
3. "Project Not Found"
Scanner ran but couldn't find the project.
Fix: Use a Project Analysis Token, not a generic user token. Generate in SonarCloud → My Account → Security.
4. 403 on Workflow File
Claude couldn't create .github/workflows/sonarcloud.yml.
Fix: Add "Workflows: Read and Write" to the PAT.
5. Invalid sonar.sources
Scanner failed because source directories didn't exist on the scanned branch.
Fix: Make sure sonar.sources references directories that exist on the branch being scanned.
6. Automatic Analysis Conflict
"You are running CI analysis while Automatic Analysis is enabled."
Fix: Disable Automatic Analysis in SonarCloud UI (can't be done via MCP).
7. Branch Analysis 404
Quality gate returned 404 for non-default branches.
Fix: Free tier only supports main branch + PR analysis. Use PR-based analysis.
8. Go Not Supported by Automatic Analysis
Automatic Analysis only works for JS/TS, Python, Java, C#.
Fix: Use GitHub Actions CI approach for compiled languages.
9. PR Creation 403
PAT was missing Pull requests permission.
Fix: Add "Pull requests: Read and Write" to the PAT.
The Interesting Discovery: GitHub Status vs Check Runs
This was the most subtle issue. During polling, I used pull_request_read(get_status) to check if CI was done. It kept returning "pending" even after SonarCloud had finished analyzing.
Why? SonarCloud reports via GitHub Check Runs, not Commit Statuses. These are different API endpoints. The get_status method checks commit statuses, but SonarCloud uses check runs.
The fix: Use the SonarQube MCP as the primary polling method. Call get_project_quality_gate_status(pullRequest: "PR_NUMBER") — when it returns data instead of an error, the analysis is complete. More reliable than the GitHub status API.
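The mismatch described above, as an added example that is not from the original post: GitHub's combined-status response for a commit reports `pending` when no commit statuses exist, while the check-runs response for the same commit carries the finished result. Both payloads are constructed samples in the shape of GitHub's REST API, and `naive_state` and `ci_state` are hypothetical helpers.

```python
# Constructed sample payloads, shaped like GitHub's REST API responses.
# GET /repos/{owner}/{repo}/commits/{ref}/status  (commit statuses, combined)
COMBINED_STATUS = {"state": "pending", "total_count": 0, "statuses": []}
# GET /repos/{owner}/{repo}/commits/{ref}/check-runs  (check runs)
CHECK_RUNS = {
    "total_count": 1,
    "check_runs": [
        {"name": "SonarCloud Code Analysis", "status": "completed",
         "conclusion": "failure"},
    ],
}

# Check-run conclusions treated as non-blocking (assumption of this example).
PASSING = {"success", "neutral", "skipped"}


def naive_state(combined_status):
    """What a status-only poller sees: 'pending' for as long as nothing posts statuses."""
    return combined_status["state"]


def ci_state(combined_status, check_runs):
    """Merge both channels into 'none', 'pending', 'failure' or 'success'."""
    outcomes = []
    for status in combined_status.get("statuses", []):
        state = status["state"]  # error | failure | pending | success
        outcomes.append(state if state in ("pending", "success") else "failure")
    for run in check_runs.get("check_runs", []):
        if run["status"] != "completed":  # queued | in_progress
            outcomes.append("pending")
        else:
            outcomes.append("success" if run["conclusion"] in PASSING else "failure")
    if not outcomes:
        return "none"  # nothing reported yet on either channel
    for verdict in ("pending", "failure"):
        if verdict in outcomes:
            return verdict
    return "success"


if __name__ == "__main__":
    print("status-only poller:", naive_state(COMBINED_STATUS))
    print("statuses + check runs:", ci_state(COMBINED_STATUS, CHECK_RUNS))
```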
Dry Run Results
| Step | Commit + push | Create PR | Poll (4 x 30s) | Pull report | Total |
|---|---|---|---|---|---|
| Time | ~5s | ~2s | ~2 min | ~3s | ~2.5 min |

| Result | Value |
|---|---|
| Quality Gate | ❌ FAILED (intentionally) |
| Issues found | 6 — 2 Critical, 1 Major, 3 Minor |
Eliminating Approval Fatigue
By default, Claude Code asks permission for every tool call. For an automated flow, this kills the experience. The fix: configure .claude/settings.local.json with auto-approved tools:
```json
{
  "permissions": {
    "allow": [
      "Bash(git status:*)", "Bash(git add:*)", "Bash(git commit:*)",
      "Bash(git push:*)", "Bash(sleep:*)",
      "mcp__sonarqube__get_project_quality_gate_status",
      "mcp__sonarqube__search_sonar_issues_in_projects",
      "mcp__github__create_pull_request",
      "mcp__github__pull_request_read"
    ]
  }
}
```
This auto-approves git commands, polling sleep, and MCP tools while still prompting for potentially destructive operations.
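A `Bash(<prefix>:*)` rule is a prefix match, so `Bash(git push:*)` also auto-approves `git push --force`. The following added example (not part of the original post or of Claude Code) reviews the allow list above and separates read-only entries from ones worth a second look. The `WIDE_PREFIXES` table and the read-only naming heuristic are assumptions of this example.

```python
import json
import re

# The allow list from the settings file above, embedded so the check runs offline.
SETTINGS = json.loads("""
{"permissions": {"allow": [
  "Bash(git status:*)", "Bash(git add:*)", "Bash(git commit:*)",
  "Bash(git push:*)", "Bash(sleep:*)",
  "mcp__sonarqube__get_project_quality_gate_status",
  "mcp__sonarqube__search_sonar_issues_in_projects",
  "mcp__github__create_pull_request",
  "mcp__github__pull_request_read"
]}}
""")

# Assumption of this example: extra invocations a "<prefix>:*" rule also admits.
WIDE_PREFIXES = {
    "git push": "also matches --force, --delete and any remote or branch",
    "git commit": "also matches --amend and --no-verify",
}
# Assumption of this example: MCP tool names shaped like this only read data.
READ_ONLY_TOOL = re.compile(r"^(get|search|list)_|_read$")


def audit(settings):
    """Return (rule, verdict, note) for every auto-approved rule."""
    findings = []
    for rule in settings["permissions"]["allow"]:
        bash = re.fullmatch(r"Bash\((.+):\*\)", rule)
        if bash:
            note = WIDE_PREFIXES.get(bash.group(1))
            findings.append((rule, "review" if note else "ok", note or "prefix match"))
        elif rule.startswith("mcp__"):
            tool = rule.split("__", 2)[2]  # mcp__<server>__<tool>
            read_only = bool(READ_ONLY_TOOL.search(tool))
            findings.append((rule, "ok" if read_only else "review",
                             "read-only tool" if read_only else "changes remote state"))
        else:
            findings.append((rule, "review", "unrecognised rule shape"))
    return findings


def needs_review(settings):
    """Rules that deserve a manual look before being auto-approved."""
    return [rule for rule, verdict, _ in audit(settings) if verdict == "review"]
```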
What MCP Can and Can't Do
| ✅ Can do | ❌ Can't do (yet) |
|---|---|
| Read quality gates, issues, metrics | Trigger GitHub Actions re-runs |
| Create files, branches, PRs | Create GitHub secrets |
| Push commits, read diffs | Change SonarCloud project settings |
| Analyze code snippets locally | Monitor workflow logs in real-time |
Free Tier Tips
- Private repos: 50k lines free. Use sonar.exclusions aggressively.
- PR analysis works on free tier and only scans new code — best strategy for staying under limits.
- Branch analysis requires paid tier. Use PRs instead.
The Full Guide
Everything above plus example configs, the "Feed to Claude" instructions (so any Claude Code instance can run the flow), and detailed troubleshooting:
aadhin/claude-sonarcloud-guide on GitHub
Built while working on a Go + React/TypeScript desktop app (Wails v2). SonarCloud free tier + GitHub Actions CI.