AgentSkillsCN

sonarcloud

Pull issues, metrics, quality gates, and analysis data from SonarCloud. Suitable for checking code quality, security vulnerabilities, test coverage, technical debt, or CI/CD quality gates.

SKILL.md
---
name: sonarcloud
description: Pull issues, metrics, quality gates, and analysis data from SonarCloud. Use when checking code quality, security vulnerabilities, test coverage, technical debt, or CI/CD quality gates.
category: Code Quality
tags: [sonarcloud, code-quality, issues, metrics, security]
context: fork
tools: [Bash, WebFetch, Read, Grep, Glob]
model: sonnet
---

<role>
You are a SonarCloud code quality analyst with expertise in static analysis, security vulnerability assessment, and technical debt management. You operate with your own isolated context to perform comprehensive code quality analysis without polluting the main conversation.
</role>

<capabilities>
- Query SonarCloud API for issues, metrics, and quality gates
- Analyze code quality across branches and pull requests
- Identify security vulnerabilities and hotspots
- Track coverage, duplication, and technical debt
- Generate health reports and trend analysis
- Correlate SonarCloud findings with local codebase
</capabilities>

<constraints>
- Always use environment variables: $SONARCLOUD_TOKEN, $SONARCLOUD_ORG, $SONARCLOUD_PROJECT
- Never expose tokens in output
- Validate API responses before processing
- Handle pagination for large result sets
</constraints>

<workflow>
1. Verify credentials are available
2. Determine the analysis scope (project, branch, PR)
3. Query relevant endpoints
4. Process and correlate results
5. Return actionable summary to main context
</workflow>

SonarCloud Integration

Base: https://sonarcloud.io/api | Auth: Bearer $SONARCLOUD_TOKEN

Quick Start

```bash
# Set credentials (generate token at sonarcloud.io/account/security)
export SONARCLOUD_TOKEN="your_token"
export SONARCLOUD_ORG="your-org"
export SONARCLOUD_PROJECT="your-project"

# Common queries (variable names must match the exports above)
curl -H "Authorization: Bearer $SONARCLOUD_TOKEN" \
  "https://sonarcloud.io/api/issues/search?organization=$SONARCLOUD_ORG&componentKeys=$SONARCLOUD_PROJECT&resolved=false"
curl -H "Authorization: Bearer $SONARCLOUD_TOKEN" \
  "https://sonarcloud.io/api/measures/component?component=$SONARCLOUD_PROJECT&metricKeys=bugs,coverage"
curl -H "Authorization: Bearer $SONARCLOUD_TOKEN" \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$SONARCLOUD_PROJECT"
```

Endpoints

| Endpoint | Purpose | Key Params |
|---|---|---|
| /api/issues/search | Bugs, vulnerabilities | types, severities, branch, pullRequest |
| /api/measures/component | Coverage, complexity | metricKeys, branch, pullRequest |
| /api/qualitygates/project_status | Pass/fail status | projectKey, branch, pullRequest |
| /api/hotspots/search | Security hotspots | projectKey, status |
| /api/projects/search | List projects | organization, q |
| /api/project_analyses/search | Analysis history | project, from, to |
| /api/measures/search_history | Metrics over time | component, metrics, from |
| /api/components/tree | Files with metrics | qualifiers=FIL, metricKeys |
| /api/duplications/show | Duplicate code blocks | key (file key), branch |
| /api/sources/raw | Raw source code | key (file key), branch |
| /api/sources/scm | SCM blame info | key, from, to |
| /api/ce/activity | Background tasks | component, status, type |
| /api/qualityprofiles/search | Quality profiles | language, project |
| /api/languages/list | Supported languages | - |
| /api/project_branches/list | Project branches | project |
| /api/project_badges/measure | SVG badge | project, metric, branch |
| /api/rules/search | Coding rules | languages, severities, types |

Common Filters

Issues: types=BUG,VULNERABILITY,CODE_SMELL | severities=BLOCKER,CRITICAL,MAJOR | resolved=false | inNewCodePeriod=true

Metrics: bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density,sqale_rating,reliability_rating,security_rating

New Code: new_bugs,new_vulnerabilities,new_coverage,new_duplicated_lines_density

Workflows

Health Check

```bash
curl ... "/api/qualitygates/project_status?projectKey=$PROJECT"
curl ... "/api/measures/component?component=$PROJECT&metricKeys=bugs,vulnerabilities,coverage,sqale_rating"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false&facets=severities,types&ps=1"
```

PR Analysis

```bash
curl ... "/api/qualitygates/project_status?projectKey=$PROJECT&pullRequest=123"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&pullRequest=123&resolved=false"
curl ... "/api/measures/component?component=$PROJECT&pullRequest=123&metricKeys=new_bugs,new_coverage"
```

Security Audit

```bash
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&types=VULNERABILITY&resolved=false"
curl ... "/api/hotspots/search?projectKey=$PROJECT&status=TO_REVIEW"
```

Duplication Analysis

```bash
# Get duplication metrics
curl ... "/api/measures/component?component=$PROJECT&metricKeys=duplicated_lines,duplicated_lines_density,duplicated_blocks,duplicated_files"

# Get files with most duplication
curl ... "/api/components/tree?component=$PROJECT&qualifiers=FIL&metricKeys=duplicated_lines_density&s=metric&metricSort=duplicated_lines_density&asc=false&ps=20"

# Get duplicate blocks for a specific file (requires file key from above)
curl ... "/api/duplications/show?key=my-project:src/utils/helpers.ts"
```

Response Processing

```bash
# Count by severity
curl ... | jq '.issues | group_by(.severity) | map({severity: .[0].severity, count: length})'

# Failed quality gate conditions
curl ... | jq '.projectStatus.conditions | map(select(.status == "ERROR"))'

# Metrics as key-value
curl ... | jq '.component.measures | map({(.metric): .value}) | add'
```
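The Health Check workflow and the Response Processing one-liners above as one script, an added example that is not the skill's own code: a paginating issues/search fetch that validates each response before use (the constraints block asks for both), the jq severity grouping, and the failed-condition filter. `http_get` is the live transport; `fake_fetch` and the `SAMPLE_*` data are constructed stand-ins so the block runs offline.

```python
# Added example (not the skill's own code): Health Check + Response Processing offline.
import json, os, urllib.parse, urllib.request
from collections import Counter

BASE = "https://sonarcloud.io/api"

def http_get(path, params):
    # Live transport: the token travels only in the header and is never logged.
    req = urllib.request.Request(f"{BASE}/{path}?{urllib.parse.urlencode(params)}",
        headers={"Authorization": f"Bearer {os.environ['SONARCLOUD_TOKEN']}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_all_issues(fetch, org, project, **filters):
    # ps is capped at 500 by the API, so follow paging.total across pages.
    params = {"organization": org, "componentKeys": project,
              "resolved": "false", "ps": 500, "p": 1, **filters}
    issues = []
    while True:
        page = fetch("issues/search", params)
        if not isinstance(page, dict) or "issues" not in page or "paging" not in page:
            raise ValueError("unexpected issues/search response")  # validate first
        issues.extend(page["issues"])
        pg = page["paging"]
        if pg["pageIndex"] * pg["pageSize"] >= pg["total"]:
            return issues
        params["p"] = pg["pageIndex"] + 1

def count_by_severity(issues):
    # Same grouping as the jq one-liner under Response Processing.
    return dict(Counter(i["severity"] for i in issues))

def failed_conditions(gate):
    # Conditions with status ERROR from qualitygates/project_status.
    return [(c["metricKey"], c["actualValue"], c["errorThreshold"])
            for c in gate["projectStatus"]["conditions"] if c["status"] == "ERROR"]

# Constructed sample responses standing in for the live API (two result pages).
SAMPLE_PAGES = {
    1: {"paging": {"pageIndex": 1, "pageSize": 2, "total": 3}, "issues": [
        {"key": "i1", "severity": "BLOCKER", "type": "VULNERABILITY"},
        {"key": "i2", "severity": "MAJOR", "type": "BUG"}]},
    2: {"paging": {"pageIndex": 2, "pageSize": 2, "total": 3}, "issues": [
        {"key": "i3", "severity": "MAJOR", "type": "CODE_SMELL"}]}}
SAMPLE_GATE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "errorThreshold": "80", "actualValue": "85.0"},
    {"status": "ERROR", "metricKey": "new_vulnerabilities", "errorThreshold": "0", "actualValue": "1"}]}}

def fake_fetch(path, params):
    return SAMPLE_PAGES[params["p"]]
```

Against the live API, pass `http_get` instead of `fake_fetch` and read the gate from `http_get("qualitygates/project_status", {"projectKey": project})`.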

TypeScript Client

See sonarcloud.ts:

```typescript
import { createSonarCloudClient } from '@/lib/integrations/sonarcloud';
const client = createSonarCloudClient('my-org');
await client.getProjectHealth('my-project');
await client.getQualityGateStatus('my-project', { pullRequest: '123' });
```

Detailed Reference

For complete API parameters and response schemas, see reference.md.