// Search for software composition analysis (SCA) dependency risks in a SonarQube project (project key optional when MCP integration already defines the default project)
| name | sonar-dependency-risks |
| description | Search for software composition analysis (SCA) dependency risks in a SonarQube project (project key optional when MCP integration already defines the default project) |
| argument-hint | [project-key?] [--branch name] [--pr id] |
| allowed-tools | Read, Grep |
Search for dependency risks (software composition analysis issues) in a SonarQube project, paired with the releases that appear in the analysed project, application, or portfolio.
sonar-dependency-risks # risks in the current project
sonar-dependency-risks my-project # risks in a specific project
sonar-dependency-risks my-project --branch feature/auth
sonar-dependency-risks my-project --pr 42
This skill requires SonarQube Advanced Security (available on SonarQube Cloud Enterprise plan, or SonarQube Server 2025.4 Enterprise edition or higher), the SonarQube MCP Server to be configured, and the tool mcp__sonarqube__search_dependency_risks to be available in your session.
Before proceeding, verify the tool is accessible. If it is not, do not attempt to call any CLI commands or invent alternatives, and show the user:
Unable to fetch dependency risks.
Possible causes:
- This feature requires SonarQube Advanced Security — available on SonarQube Cloud Enterprise edition, or SonarQube Server 2025.4 Enterprise or higher
- MCP server not registered — invoke the sonar-integrate skill to configure the SonarQube MCP Server, then restart the agent session
- Credentials not configured — invoke the sonar-integrate skill
- Project key is wrong or no default project in MCP config — pass an explicit key, or verify
sonar-project.properties/ re-run the sonar-integrate skill for this project
Then ask the user (yes/no) whether to run the sonar-integrate skill now. If they confirm, invoke the sonar-integrate skill yourself and follow it end-to-end in this session, then ask the user to restart the agent session so the new MCP tools become available; if they decline, stop.
MCP tools sometimes do not require projectKey after the sonar-integrate skill has stored the default project for this workspace. Resolve a key only when you must pass it (tool schema requires it, or the user targets another project):
sonar.projectKey in sonar-project.properties at the repo root.projectKey in MCP calls and rely on the integration default.| Flag | Maps to parameter |
|---|---|
--branch <name> | branchKey |
--pr <id> | pullRequestKey |
mcp__sonarqube__search_dependency_risksInclude projectKey only if you resolved one in Step 1 and the tool requires it; otherwise omit it.
{
"projectKey": "<only-if-required>",
"branchKey": "<name>", // if --branch was given
"pullRequestKey": "<id>" // if --pr was given
}
Omit projectKey from the payload when the integration default applies. Omit unused optional fields.
If risks are found, group by severity and present as a table:
## Dependency Risks — `my-project` (branch: `main`)
Found **5 dependency risk(s)**:
### Critical
| Dependency | Version | Risk | CVE |
| ---------- | ------- | --------------------- | -------------- |
| log4j-core | 2.14.1 | Remote code execution | CVE-2021-44228 |
### High
| Dependency | Version | Risk | CVE |
| ---------------- | ------- | ----------------------------- | -------------- |
| jackson-databind | 2.12.3 | Deserialization vulnerability | CVE-2021-46877 |
| commons-text | 1.9 | Remote code execution | CVE-2022-42889 |
### Medium
| Dependency | Version | Risk | CVE |
| ------------- | ------- | ----------------- | -------------- |
| spring-web | 5.3.18 | DoS vulnerability | CVE-2022-22965 |
| netty-handler | 4.1.68 | SSL/TLS issue | CVE-2021-43797 |
Omit columns that are not present in the response. Omit severity sections that have no risks.
If no risks are found:
## Dependency Risks — `my-project`
✅ No dependency risks found.
<dependency> to a safe version."sonar.projectKey in the repo) with filters as needed — sonar list issues always requires -p."Installs sonarqube-cli if not already installed, authenticates, and integrates SonarQube with the current agent (installs analysis hooks & SonarQube MCP Server). Use when the user wants to set up SonarQube integration or asks to configure SonarQube.
Analyze a file or code snippet for quality and security issues using SonarQube
Find files with low test coverage and inspect uncovered lines in a SonarQube project (project key optional when MCP integration already defines the default project)
Find files with code duplications in a SonarQube project and inspect duplication blocks for a file (project key optional when MCP integration already defines the default project)
Fix a specific SonarQube issue in code by rule key and location
Search and filter SonarQube issues for a project, branch, or pull request via sonarqube-cli (`-p` is always required on the CLI; resolve the key from user arguments or sonar-project.properties)