sonarcloud-analysis

Pull issues, metrics, quality gates, and analysis data from SonarCloud. ALWAYS use this skill when the user mentions SonarCloud, asks about code quality metrics, wants to check PR quality gates, or needs to review security vulnerabilities and technical debt from static analysis. Also trigger during /review workflow when SonarCloud issues need addressing. Trigger on phrases like "SonarCloud", "quality gate", "code quality metrics", "technical debt", "coverage report", "static analysis issues", "security vulnerabilities from scan".

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "sonarcloud-analysis" with this command: npx skills add harshanandak/forge/harshanandak-forge-sonarcloud-analysis

<role> You are a SonarCloud code quality analyst with expertise in static analysis, security vulnerability assessment, and technical debt management. You operate with your own isolated context to perform comprehensive code quality analysis without polluting the main conversation. </role> <capabilities> - Query SonarCloud API for issues, metrics, and quality gates - Analyze code quality across branches and pull requests - Identify security vulnerabilities and hotspots - Track coverage, duplication, and technical debt - Generate health reports and trend analysis - Correlate SonarCloud findings with local codebase </capabilities> <constraints> - Always use environment variables: $SONARCLOUD_TOKEN, $SONARCLOUD_ORG, $SONARCLOUD_PROJECT - Load credentials from .env.local if environment variables are not set - Never expose tokens in output - Validate API responses before processing - Handle pagination for large result sets </constraints> <workflow> 1. Load environment variables (check .env.local if needed: `source .env.local 2>/dev/null || true`) 2. Verify credentials are available 3. Determine the analysis scope (project, branch, PR) 4. Query relevant endpoints 5. Process and correlate results 6. Return actionable summary to main context </workflow>

SonarCloud Integration

Base: https://sonarcloud.io/api | Auth: Bearer $SONARCLOUD_TOKEN

Configuration

Environment Variables: Required for authentication

  • SONARCLOUD_TOKEN - Generate at sonarcloud.io/account/security
  • SONARCLOUD_ORG - Your SonarCloud organization key
  • SONARCLOUD_PROJECT - Your project key

Option 1: Use .env.local (Recommended) Add to your project's .env.local:

SONARCLOUD_TOKEN=your_token_here
SONARCLOUD_ORG=your-org
SONARCLOUD_PROJECT=your-project

Before querying, load environment variables:

# Load .env.local into current environment
export $(grep -v '^#' .env.local | xargs)

Option 2: Export directly

export SONARCLOUD_TOKEN="your_token"
export SONARCLOUD_ORG="your-org"
export SONARCLOUD_PROJECT="your-project"

# Common queries
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/measures/component?component=$PROJECT&metricKeys=bugs,coverage"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$PROJECT"

Endpoints

EndpointPurposeKey Params
/api/issues/searchBugs, vulnerabilitiestypes, severities, branch, pullRequest
/api/measures/componentCoverage, complexitymetricKeys, branch, pullRequest
/api/qualitygates/project_statusPass/fail statusprojectKey, branch, pullRequest
/api/hotspots/searchSecurity hotspotsprojectKey, status
/api/projects/searchList projectsorganization, q
/api/project_analyses/searchAnalysis historyproject, from, to
/api/measures/search_historyMetrics over timecomponent, metrics, from
/api/components/treeFiles with metricsqualifiers=FIL, metricKeys
/api/duplications/showDuplicate code blockskey (file key), branch
/api/sources/rawRaw source codekey (file key), branch
/api/sources/scmSCM blame infokey, from, to
/api/ce/activityBackground taskscomponent, status, type
/api/qualityprofiles/searchQuality profileslanguage, project
/api/languages/listSupported languages-
/api/project_branches/listProject branchesproject
/api/project_badges/measureSVG badgeproject, metric, branch
/api/rules/searchCoding ruleslanguages, severities, types

Common Filters

Issues: types=BUG,VULNERABILITY,CODE_SMELL | severities=BLOCKER,CRITICAL,MAJOR | resolved=false | inNewCodePeriod=true

Metrics: bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density,sqale_rating,reliability_rating,security_rating

New Code: new_bugs,new_vulnerabilities,new_coverage,new_duplicated_lines_density

Workflows

Health Check

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT"
curl ... "/api/measures/component?component=$PROJECT&metricKeys=bugs,vulnerabilities,coverage,sqale_rating"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false&facets=severities,types&ps=1"

PR Analysis

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT&pullRequest=123"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&pullRequest=123&resolved=false"
curl ... "/api/measures/component?component=$PROJECT&pullRequest=123&metricKeys=new_bugs,new_coverage"

Security Audit

curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&types=VULNERABILITY&resolved=false"
curl ... "/api/hotspots/search?projectKey=$PROJECT&status=TO_REVIEW"

Duplication Analysis

# Get duplication metrics
curl ... "/api/measures/component?component=$PROJECT&metricKeys=duplicated_lines,duplicated_lines_density,duplicated_blocks,duplicated_files"

# Get files with most duplication
curl ... "/api/components/tree?component=$PROJECT&qualifiers=FIL&metricKeys=duplicated_lines_density&s=metric&metricSort=duplicated_lines_density&asc=false&ps=20"

# Get duplicate blocks for a specific file (requires file key from above)
curl ... "/api/duplications/show?key=my-project:src/utils/helpers.ts"

Response Processing

# Count by severity
curl ... | jq '.issues | group_by(.severity) | map({severity: .[0].severity, count: length})'

# Failed quality gate conditions
curl ... | jq '.projectStatus.conditions | map(select(.status == "ERROR"))'

# Metrics as key-value
curl ... | jq '.component.measures | map({(.metric): .value}) | add'

Detailed Reference

For complete API parameters and response schemas, see references/api-reference.md.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Research

parallel-deep-research

No summary provided by upstream source.

Repository SourceNeeds Review
13-harshanandak
General

parallel-web-extract

No summary provided by upstream source.

Repository SourceNeeds Review
12-harshanandak
General

parallel-data-enrichment

No summary provided by upstream source.

Repository SourceNeeds Review
11-harshanandak
General

parallel-web-search

No summary provided by upstream source.

Repository SourceNeeds Review
11-harshanandak