SonarQube
Interact with SonarQube to fetch code quality issues, coverage, and quality gate status.
Configuration
Run ./setup.sh from the repo root (recommended), or create config files manually:
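mkdir -p ~/.boring/sonarqube
# Restrict the directory first so the token file is never reachable by other users, even before its own chmod
chmod 700 ~/.boring/sonarqube
echo 'https://your-sonarqube.example.com' > ~/.boring/sonarqube/url
echo 'your-token' > ~/.boring/sonarqube/token
chmod 600 ~/.boring/sonarqube/token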
For bearer auth (instead of the default token-as-login), also create:
echo 'bearer' > ~/.boring/sonarqube/auth_method
Generate token: User → My Account → Security → Generate Tokens.
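How a request could be built from these config files, as an added example that is not one of the repo's scripts: the hypothetical helper sonar_curl_config emits a curl config for `curl --config -`, so the token travels on stdin instead of appearing in the process argument list. It assumes tokens contain only letters, digits and underscores, and it refuses a token file readable by group or others and a non-HTTPS URL.

```shell
# Added example (hypothetical helper, not part of the repo's scripts).
# Usage: sonar_curl_config ~/.boring/sonarqube 'api/issues/search?componentKeys=KEY' | curl -sS --config -
sonar_curl_config() {
    dir=$1
    endpoint=$2
    tok_file=$dir/token
    [ -r "$dir/url" ] && [ -r "$tok_file" ] || {
        echo "missing url or token file in $dir" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group/other bits;
    # anything other than "------" means the token is exposed (chmod 600 expected).
    perms=$(ls -ld "$tok_file" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$tok_file is accessible to group/other; run chmod 600" >&2; return 3; }

    url=$(tr -d '\r\n' < "$dir/url")
    token=$(tr -d '\r\n' < "$tok_file")

    # Assumption: the token must not be sent over plain HTTP.
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 4 ;;
    esac
    # Assumption: tokens are [A-Za-z0-9_] only; rejecting anything else keeps a
    # quote or newline in the file from injecting extra curl options.
    case $token in
        ''|*[!A-Za-z0-9_]*) echo "token is empty or has unexpected characters" >&2; return 5 ;;
    esac

    method=token
    [ -r "$dir/auth_method" ] && method=$(tr -d '\r\n' < "$dir/auth_method")

    printf 'url = "%s/%s"\n' "${url%/}" "${endpoint#/}"
    case $method in
        bearer) printf 'header = "Authorization: Bearer %s"\n' "$token" ;;
        *)      printf 'user = "%s:"\n' "$token" ;;   # token as login, empty password
    esac
}
```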
Scripts
Fetch issues
scripts/sonarqube-issues.sh <project-key> [pr-number] \
[--status OPEN,CONFIRMED] [--severity CRITICAL,BLOCKER] \
[--type BUG] [--branch main] [--limit 100]
Coverage metrics
scripts/sonarqube-coverage.sh <project-key> [pr-number] [--branch main]
For PRs, returns new code coverage. For branches/projects, returns overall coverage.
Security hotspots
scripts/sonarqube-hotspots.sh <project-key> [--pr N] [--branch main] [--status TO_REVIEW]
Quality gate status
scripts/sonarqube-quality-gate.sh <project-key> [--pr N] [--branch main]
Exits 0 if gate passes, 1 if it fails.
List/search projects
scripts/sonarqube-projects.sh [search-query] [--limit 50]
Transition an issue
scripts/sonarqube-transition.sh <issue-key> <transition> [--comment "text"]
Transitions: confirm, unconfirm, reopen, resolve, falsepositive, wontfix, accept
Mark issues as false positive, resolved, or won't fix. Optionally attach a comment explaining why.
Raw API
scripts/sonarqube-api.sh <endpoint> [curl-options...]
Workflow for fixing issues
S=scripts
# 1. Fetch issues for a PR
$S/sonarqube-issues.sh my-service 327
# 2. Check quality gate
$S/sonarqube-quality-gate.sh my-service --pr 327
# 3. Check coverage
$S/sonarqube-coverage.sh my-service 327
# 4. Check security hotspots
$S/sonarqube-hotspots.sh my-service --pr 327
# 5. Fix issues, verify compilation, commit
Common Java rules and fixes
Read references/common-rules.md for fix patterns for frequently triggered rules (S3457 logging concatenation, S2629 conditional invocation, S1128 unused imports, S5786 JUnit modifiers, etc.).
API reference
Issue search: GET /api/issues/search?componentKeys=KEY&pullRequest=N&issueStatuses=OPEN&severities=CRITICAL&types=BUG&ps=100
Measures: GET /api/measures/component?component=KEY&pullRequest=N&metricKeys=new_coverage,new_line_coverage
Quality gate: GET /api/qualitygates/project_status?projectKey=KEY&pullRequest=N
Hotspots: GET /api/hotspots/search?projectKey=KEY&status=TO_REVIEW
Dashboard URL: <SONARQUBE_URL>/dashboard?id=PROJECT_KEY&pullRequest=PR_NUMBER