Code quality tools are among the most-used developer utilities — ESLint, Prettier, Ruff, SonarQube, and Semgrep run in virtually every professional codebase. Exposing them through MCP lets AI agents not just write code, but validate it against the same standards your team enforces.
This review covers linters, formatters, and static analysis tools available as MCP servers. For security-specific scanning, see our Code Security review. For testing frameworks, see Testing & QA.
Part of our Developer Tools MCP category. The headline finding: enterprise code quality platforms have arrived — SonarQube surged 28% to 544 stars with Context Augmentation and workspace mounting, Codacy launched an official 25+ tool MCP server with real-time Guardrails enforcement, and Semgrep moved MCP support directly into its main binary. Meanwhile, Skylos (426 stars) brought dead code detection and SAST with MCP integration, and the LSP bridge approach proved out with a second implementation (jonrad/lsp-mcp, 181 stars).
Cross-Language
isaacphi/mcp-language-server (LSP Bridge)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| mcp-language-server | 1,500 | Go | BSD-3-Clause | 6 |
The most versatile code quality MCP server — instead of wrapping individual linters, this bridges any Language Server Protocol server to MCP clients:
diagnostics— file-level warnings and errors from your language server (the same ones your editor shows)definition— jump to symbol source codereferences— find all usages of a symbolhover— documentation and type informationrename_symbol— project-wide renamingedit_file— multi-line text edits
Supports Go (gopls), Rust (rust-analyzer), Python (pyright), TypeScript, and C/C++ (clangd). Currently in beta at v0.1.1 with 104 commits and 126 forks. The approach is pragmatic: rather than rebuilding linting logic for MCP, leverage the LSP ecosystem that editors have relied on for years.
jonrad/lsp-mcp (Second LSP Bridge)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| lsp-mcp | 181 | TypeScript | MIT | Multiple |
Second LSP-to-MCP bridge — validates the LSP bridge approach with a TypeScript implementation:
- Multiple LSPs simultaneously — run several language servers at once
- Dynamic schema generation from LSP JSON Schema
- Supports Claude Desktop, Cursor, and MCP CLI Client
- POC state — functional but still early
62 commits, 26 forks. The existence of a second LSP bridge implementation with 181 stars confirms that bridging existing LSP infrastructure is a viable long-term strategy for code quality MCP.
Static Analysis & Security
SonarSource/sonarqube-mcp-server (Official)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| sonarqube-mcp-server | 544 | Java | SonarSource | Multiple |
Official SonarQube MCP server connecting AI agents to SonarQube Server or Cloud — surged 28% since March:
- Context Augmentation (CAG) — Open Beta, provides AI agents with enriched code context (STDIO mode, restricted users)
- Workspace mounting — reads files directly from disk to reduce context bloat instead of passing content through agent contexts
- mcp.sonarqube.com — new configuration generator for easy setup
- Project quality metrics — retrieve code quality dashboards programmatically
- Issue management — filter by severity, type, status across 20+ languages
- Security hotspots — identify and triage security-sensitive code
- Advanced analysis — code snippet scanning with improved accuracy
- HTTP headers —
SONARQUBE_TOOLSETSandSONARQUBE_READ_ONLYfor fine-grained tool control - Multi-tenant support — HTTP mode for SonarQube Cloud
- Broad IDE support — Claude Code, GitHub Copilot, VS Code, Cursor, Windsurf, Zed
Now at 400 commits and 78 forks with v1.17.0. The fastest-growing enterprise code quality MCP server.
Semgrep MCP (Built into Semgrep Binary)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| semgrep/mcp (archived) | 667 | Python | — | 6+ |
Semgrep’s MCP server is now built directly into the main semgrep binary — the standalone repo (667 stars) was archived October 2025:
- Plugin bundles MCP + Hooks + Skills — single install gives AI agents Semgrep Code, Supply Chain, and Secrets scanning
- Scans every file an agent generates — integrated with Claude Code, Cursor, Windsurf, and Codex
- OAuth required for Streamable HTTP — added January 2026
- SSE transport dropped — deprecated April 2026, Streamable HTTP only
- DNS rebinding protection — added February 2026
- Custom rules from Semgrep Registry — Hooks for Claude Code and Cursor pull rules automatically
- Hosted endpoint — available at mcp.semgrep.ai
The move from standalone repo to built-in integration signals maturity — Semgrep treats MCP as a core distribution channel, not an add-on.
advanced-security/codeql-development-mcp-server
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| codeql-development-mcp-server | 20 | TypeScript | GitHub CodeQL Terms | Multiple |
CodeQL query development for AI agents — grew 150% (8→20 stars), now at v2.25.2 with 81 commits:
- 9 languages — Python, JavaScript, Java, C/C++, C#, Go, Ruby, Swift, GitHub Actions
- AI-optimized prompts guiding assistants through CodeQL development workflows
- Test-driven validation for query accuracy
- Stdio and HTTP transports
- Active development — maintained by GitHub’s CodeQL Expert Services team, used in production environments
This is for security researchers writing custom CodeQL queries, not general-purpose code scanning. Requires CodeQL CLI installation and GitHub CodeQL license agreement.
codacy/codacy-mcp-server (Official)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| codacy-mcp-server | 56 | TypeScript | MIT | 25+ |
Official Codacy MCP server — first enterprise code quality platform with comprehensive MCP coverage:
- SAST, SCA, DAST, secrets, IaC, CI/CD — full security analysis spectrum
- Code quality analysis — filter by severity, category, language, and author
- File-level metrics — issues, coverage, and duplication detection
- Pull request evaluation — diff coverage and issue detection
- Quality gates — automated pass/fail criteria
- Local CLI analysis — run analysis without cloud upload
- Codacy Guardrails — real-time enforcement scanning AI-generated code as it’s written
143 commits, 20 forks. Integrates with VS Code (Copilot), Cursor, and Windsurf. The Guardrails feature is a differentiator — it catches quality issues in AI-generated code before commit.
duriantaco/skylos (Dead Code + SAST)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| skylos | 426 | Python | Apache 2.0 | Multiple |
The biggest new entrant in code quality MCP — combines dead code detection, SAST, secrets scanning, and AI code guardrails:
- Dead code detection — unused functions, classes, imports with framework awareness (Django, FastAPI, Flask)
- Security analysis — SQL injection, XSS, SSRF, path traversal across Python, TypeScript/JavaScript, Java, Go, PHP, Rust
- Secrets detection — hardcoded credentials and high-entropy strings
- AI code guardrails — catches phantom security calls, missing decorators, unfinished stubs, and disabled controls from AI-generated code
- Framework-aware — 98% recall with reduced false positives vs traditional tools
- MCP server — exposes all scans to AI agents via dedicated
/skylos_mcpmodule
703 commits, 19 forks. Unlike Vulture (dead code only) or Bandit (security only), Skylos combines both with a hybrid AST + optional LLM engine. Privacy-first — core analysis runs locally without cloud uploads.
kuberstar/qartez-mcp (Semantic Code Intelligence)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| qartez-mcp | 43 | Rust | Dual | 39 |
Semantic code intelligence server designed for AI agents — builds knowledge graphs for code analysis:
- 39 tools across 4 tiers — Core (8), Analysis (18), Refactor (7), Meta (6)
- 37 languages supported
- Knowledge graph indexing — symbols, imports, and call edges
- Impact analysis — blast radius of file changes
- Code complexity — cyclomatic complexity and PageRank scoring
- Modification guard — prevents AI from editing critical files blindly
- ~92% token savings vs grep/read workflows
28 commits, 7 forks. The token savings claim is significant — pre-computed analysis replaces expensive runtime file scanning. Supports 19 editors including Claude Code, Cursor, and Zed.
JavaScript / TypeScript
ESLint MCP (Official, Built-in)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| @eslint/mcp | Part of ESLint (27,200) | JavaScript | MIT | Linting + fixing |
ESLint includes native MCP server support via @eslint/mcp, now at v0.3.4 — no separate installation needed:
npx @eslint/mcp@latest
- Uses your existing ESLint configuration — zero additional setup
- Lint files and get detailed error/warning reports
- Auto-fix violations where possible
- Works with VS Code (GitHub Copilot agent mode), Cursor, and Windsurf
- Stdio transport
The simplest code quality MCP integration available — if you already use ESLint, you already have an MCP server.
RyuzakiShinji/biome-mcp-server (Unofficial)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| biome-mcp-server | 4 | TypeScript | MIT | 2 |
Unofficial Biome MCP server with two tools:
biome-lint— analyze JS/TS files and return diagnostics (errors, warnings, suggestions)biome-format— auto-format code per Biome rules
An official Biome MCP server RFC exists but hasn’t shipped yet. This fills the gap for teams using Biome today.
ncalteen/prettier-mcp
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| prettier-mcp | 1 | TypeScript | MIT | Formatting |
Prettier formatting via MCP — check and format code files using Prettier. Stdio-based server with configurable settings via environment variables. Prettier itself has no official MCP server.
Python
Anselmoo/mcp-server-analyzer (Ruff + Vulture)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| mcp-server-analyzer | 8 | Python | MIT | 5 |
Combined Python analysis with Ruff linting and Vulture dead code detection:
ruff-check— lint Python code for style and error violationsruff-format— format code consistentlyruff-check-ci— CI/CD-optimized output formatvulture-scan— identify unused imports, functions, and variablesanalyze-code— combined assessment with 0-100 quality score
Docker support with multi-architecture containers and Sigstore supply chain signing. Now at v0.1.2 (April 2026).
MarcusJellinghaus/mcp-code-checker (Pylint + Pytest + Mypy)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| mcp-code-checker | 16 | Python | — | 3 |
Three Python quality tools in one server:
run_pylint_check— code quality analysis with customizable parametersrun_pytest_check— test execution with parallel processing supportrun_mypy_check— static type checking with strict mode
Includes LLM-friendly prompt generation for structured analysis output. Works with Claude Desktop, VS Code with Copilot, and other MCP clients.
drewsonne/ruff-mcp-server
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| ruff-mcp-server | 1 | Python | MIT | 3 |
Focused Ruff integration with three tools:
ruff_check— lint with detailed violation reportsruff_format— format or check formatting complianceruff_fix— auto-fix violations where possible
Supports multiple output formats: JSON, text, GitHub, GitLab, JUnit, and SARIF.
Rust
lh/rust-mcp-server
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| rust-mcp-server | 1 | Rust | MIT | 5 |
Full Rust toolchain via MCP:
cargo_check— syntax and type validationcargo_clippy— lint with improvement suggestionsrustfmt— format according to Rust style guidelinescargo_test— run tests with detailed outputcargo_build— build in debug or release mode
Designed for Claude Code and VS Code environments.
.NET
ndepend/NDepend.MCP.Server
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| NDepend.MCP.Server | 36 | C# | NDepend | 14 |
Privacy-first .NET static analysis — fills the .NET code quality gap:
- 14 tools covering initialization, analysis, metrics, dependencies, issues, rules, quality gates, source code inspection, and code querying
- On-premises analysis — code never leaves your machine
- Structured intelligence — provides AI with reliable data instead of raw file dumps
- Custom code queries and rules — natural language interaction with code data
- Dependency tracking — SVG diagrams of code dependencies
- Issues from multiple sources — NDepend rules, Roslyn Analyzers, and ReSharper Code Inspections
Requires .NET 10.0+ and NDepend 2026.1.3+. Works with GitHub Copilot and VS Code. The first dedicated .NET code quality MCP server with production backing.
Enterprise / Multi-Tool
wadew/sonar-mcp (Community SonarQube)
| Server | Stars | Language | License | Tools |
|---|---|---|---|---|
| sonar-mcp | 0 | Python | MIT | 21 |
Feature-rich community SonarQube MCP server with more capabilities than the official one:
- 21 tools across 7 categories — instance management, project operations, issue tracking, quality gates, metrics, rules, tasks
- 6 MCP prompts — code_review, fix_issues, quality_report, quality_goals, security_audit, vulnerability_fix
- 7 MCP resources — browseable URI-based access to SonarQube data
- Multi-instance support — connect to multiple SonarQube servers
- Three transport modes — stdio, SSE, streamable HTTP
More feature-rich than the official server, but lacks SonarSource’s long-term maintenance commitment.
What’s missing
The gaps are closing but some remain:
- No official Prettier MCP server — the most popular code formatter still has no official MCP integration
- No official Biome MCP server — RFC active (discussion #6017) but hasn’t shipped yet
- No Stylelint MCP server with traction
- No golangci-lint MCP — Go’s standard multi-linter has no dedicated MCP integration (fpt/go-dev-mcp covers Go documentation but not golangci-lint)
- No Checkstyle or SpotBugs MCP — Java linting gaps persist
- No PHPStan or PHP_CodeSniffer MCP — PHP quality tools absent
- No unified multi-linter server — nothing runs ESLint + Prettier + Stylelint in one pass
Bottom line
Rating: 4/5 (up from 3.5/5) — The category has matured significantly. Enterprise code quality platforms now have strong MCP support: SonarQube surged 28% with Context Augmentation and workspace mounting, Codacy launched a comprehensive 25+ tool server with real-time Guardrails, and Semgrep integrated MCP directly into its main binary. Skylos (426 stars) filled the dead code + SAST gap, NDepend brought .NET coverage, and the LSP bridge approach was validated by a second implementation (jonrad/lsp-mcp, 181 stars).
The category is no longer fragmented across tiny projects — several servers now have hundreds of stars and active development. The main remaining gaps are official MCP servers from Prettier, Biome, and golangci-lint.
Recommendations: For enterprise code quality, SonarQube’s official server (544 stars) is the clear leader. For security scanning, Semgrep’s built-in MCP integration is the most seamless. For dead code and SAST, Skylos (426 stars) is the most comprehensive. For cross-language diagnostics, the LSP bridge approach (mcp-language-server or lsp-mcp) gives you coverage across all LSP-supported languages. For JavaScript/TypeScript, ESLint’s built-in MCP (v0.3.4) requires zero setup. For .NET, NDepend is the first dedicated option.
This review was last refreshed on 2026-04-30 using Claude Opus 4.6 (Anthropic).