sonarqube

SonarQube / SonarCloud

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "sonarqube" with this command: npx skills add claude-dev-suite/claude-dev-suite/claude-dev-suite-claude-dev-suite-sonarqube

SonarQube / SonarCloud

When NOT to Use This Skill

  • JavaScript/TypeScript linting - Use eslint-biome skill for faster feedback

  • Security scanning - Use owasp-top-10 or security-scanner MCP

  • Test execution - Use Vitest/Playwright skills for running tests

  • Code coverage generation - Use JaCoCo/Vitest skills for coverage

Deep Knowledge: Use mcp__documentation__fetch_docs with technology: sonarqube for comprehensive documentation.

Official Documentation

Resource Link

SonarQube Docs https://docs.sonarsource.com/sonarqube/latest/

SonarCloud Docs https://docs.sonarsource.com/sonarcloud/

Rules Repository https://rules.sonarsource.com/

API Reference https://sonarcloud.io/web_api/

Quick Setup

SonarCloud (Recommended for Open Source)

1. Connect repo at sonarcloud.io

2. Create sonar-project.properties

sonar-project.properties

sonar.projectKey=org_project sonar.organization=your-org sonar.sources=src sonar.tests=tests sonar.javascript.lcov.reportPaths=coverage/lcov.info sonar.coverage.exclusions=/*.test.ts,/*.spec.ts

SonarQube (Self-hosted)

docker-compose.yml

services: sonarqube: image: sonarqube:lts-community ports: - "9000:9000" environment: - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar volumes: - sonarqube_data:/opt/sonarqube/data

Quality Gates

Default Quality Gate Conditions

Metric Condition Target

Coverage on new code ≥ 80%

Duplicated Lines on new code ≤ 3%

Maintainability Rating on new code A

Reliability Rating on new code A

Security Rating on new code A

Security Hotspots Reviewed on new code 100%

Custom Quality Gate

Create via API

curl -X POST "https://sonarcloud.io/api/qualitygates/create"
-H "Authorization: Bearer $SONAR_TOKEN"
-d "name=Strict"

CI/CD Integration

GitHub Actions

.github/workflows/sonar.yml

name: SonarCloud on: [push, pull_request]

jobs: sonarcloud: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0

  - name: SonarCloud Scan
    uses: SonarSource/sonarcloud-github-action@master
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Maven (Java)

<!-- pom.xml --> <plugin> <groupId>org.sonarsource.scanner.maven</groupId> <artifactId>sonar-maven-plugin</artifactId> <version>3.10.0.2594</version> </plugin>

mvn sonar:sonar
-Dsonar.projectKey=project
-Dsonar.host.url=https://sonarcloud.io
-Dsonar.token=$SONAR_TOKEN

Key Metrics

Metric Description Good Value

Bugs Reliability issues 0

Vulnerabilities Security issues 0

Code Smells Maintainability issues Minimize

Coverage Test coverage %

80%

Duplications Duplicated code % < 3%

Cognitive Complexity Code understandability < 15/function

Language-Specific Rules

Language Rules Link

JavaScript/TS 422 https://rules.sonarsource.com/javascript/

Java 733 https://rules.sonarsource.com/java/

Python 300+ https://rules.sonarsource.com/python/

C# 400+ https://rules.sonarsource.com/csharp/

Go 100+ https://rules.sonarsource.com/go/

Excluding Files

sonar-project.properties

sonar.exclusions=/node_modules/,/dist/,/*.test.ts sonar.coverage.exclusions=/tests/,/mocks/** sonar.cpd.exclusions=/generated/

API Examples

Get project status

curl "https://sonarcloud.io/api/qualitygates/project_status?projectKey=KEY"
-H "Authorization: Bearer $SONAR_TOKEN"

Get issues

curl "https://sonarcloud.io/api/issues/search?componentKeys=KEY&#x26;types=BUG"
-H "Authorization: Bearer $SONAR_TOKEN"

Get metrics

curl "https://sonarcloud.io/api/measures/component?component=KEY&#x26;metricKeys=coverage,bugs,vulnerabilities"
-H "Authorization: Bearer $SONAR_TOKEN"

Anti-Patterns

Anti-Pattern Why It's Bad Correct Approach

No quality gate on PRs Merging bad code Enable PR decoration, block on failure

Excluding all tests from coverage Inflated coverage numbers Only exclude test utilities

Ignoring code smells Technical debt accumulates Fix or justify with comments

No coverage reporting Can't track quality trends Configure coverage reports in CI

Using default quality gate Too lenient for most projects Create custom stricter gate

Not reviewing Security Hotspots Potential vulnerabilities missed Review all hotspots before release

Quick Troubleshooting

Issue Likely Cause Solution

Quality gate failed unexpectedly New code coverage < 80% Add tests or adjust coverage target

Analysis not running Missing SONAR_TOKEN Add token to CI secrets

Coverage always 0% Wrong report path Check sonar.javascript.lcov.reportPaths

Duplicated code false positives Boilerplate code Add to sonar.cpd.exclusions

Too many issues reported First scan on legacy code Use "New Code" focus, fix incrementally

PR decoration not working Missing GitHub App integration Configure SonarCloud GitHub App

Related Skills

  • Quality Principles

  • GitHub Actions

  • JaCoCo

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

cron-scheduling

No summary provided by upstream source.

Repository SourceNeeds Review
-35
claude-dev-suite
Coding

token-optimization

No summary provided by upstream source.

Repository SourceNeeds Review
-27
claude-dev-suite
Coding

react-19

No summary provided by upstream source.

Repository SourceNeeds Review
-18
claude-dev-suite