원클릭으로
sonar-fix
Parse sonarcloud[bot] PR comments, classify findings, codify whitelisted auto-fixes, escalate the rest.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Parse sonarcloud[bot] PR comments, classify findings, codify whitelisted auto-fixes, escalate the rest.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Clean up merged and stale branches from local and remote repositories. Use when branch list is cluttered or after merging PRs.
Generate document index files (manifest, bundles, graph, router) for project documentation. Creates docs/.index/ with searchable registry, feature-grouped bundles, cross-reference dependency graph, and query routing. Supports flat mode (generic projects, script-driven) and grouped mode (projects with doc_id frontmatter, Claude-curated).
Comprehensive markdown document review - anchors, accuracy, SSOT, cross-references, and redundancy analysis.
Enforce complete implementation of all tiers/difficulty levels for tiered features. Prevents partial implementations.
Create well-structured GitHub issues using the 5W1H framework with proper labels and acceptance criteria.
Automate GitHub issue workflow - select issue, create branch, implement, build, test, and create PR.
| name | sonar-fix |
| description | Parse sonarcloud[bot] PR comments, classify findings, codify whitelisted auto-fixes, escalate the rest. |
| argument-hint | [pr-number] [--dry-run] |
| user-invocable | true |
| disable-model-invocation | true |
| allowed-tools | Bash(gh *) |
| max_iterations | 3 |
| halt_conditions | [{"type":"success","expr":"sonarcloud[bot] reports Quality Gate PASS"},{"type":"fallback","expr":"no rule matches whitelist after 3 attempts"},{"type":"limit","expr":"3 identical re-scan failures"}] |
| loop_safe | false |
| severity | S2 |
| finding_levels | ["S1","S2","S3"] |
| iso_class | none |
| Argument | Purpose |
|---|---|
[pr-number] | PR to process. If omitted, auto-detect the current branch's open PR (mirrors ci-fix). |
--dry-run | Classify and print the proposed actions only; do not post comments or write files. |
When pr-number is omitted, resolve it from the current branch's open PR
before classifying:
PR_NUMBER=$(gh pr list --head "$(git branch --show-current)" --json number -q '.[0].number')
If no open PR is found for the current branch, halt and ask the user to
pass an explicit pr-number.
The sonar-fix skill processes PR decoration emitted by SonarQube Cloud
via the sonarcloud[bot] GitHub account. It parses the bot's summary
and inline review comments, classifies each finding by rule and
severity, and follows a classify -> fix -> escalate flow. Whitelisted
rules (see reference/auto-fixable-rules.md) are eligible for codified
auto-fixes in later phases; everything else is escalated back to the
PR author as a single consolidated comment. No SonarQube REST API
tokens are required; the bot's PR comments are the only data source.
The skill reads two channels from the PR conversation:
sonarcloud[bot] summary comment, which carries the
Quality Gate verdict (PASS or FAIL).sonarcloud[bot] inline review comments, one per finding,
anchored to a diff line.For every inline comment, the parser extracts rule_id, severity,
file:line, and message, producing a (rule_id, severity) mapping
keyed by location. The parsing contract is captured in
reference/comment-format.md and must be treated as the single source
of truth for regex and field layout.
After classification the skill posts a single comment to the PR with a breakdown table: total findings, count per rule, count per severity, and which findings are eligible for auto-fix versus escalation. The comment is idempotent across runs so re-scans replace rather than append.
Findings that do not match an entry in the auto-fix whitelist are
reported using the body in reference/escalation-template.md. The
escalation comment is also idempotent: a single HTML marker comment
identifies prior escalations from this skill so subsequent runs update
the existing comment instead of stacking new ones.
The skill stops in three cases, paraphrased from the frontmatter:
sonarcloud[bot] summary reports Quality
Gate PASS, meaning no further action is needed.After classification, each finding is routed by whitelist match:
reference/auto-fixable-rules.md and apply the codified fix
exactly as specified in its Before/After section.reference/escalation-template.md and accumulate it for the single
consolidated escalation comment.All fixes must be idempotent — running the skill twice on the same
PR must produce the same tree on the second run as on the first. Rules
that declare a Safety section (S1481 RHS side-effect, S1128
side-effect import, S1854 RHS side-effect, S1192 semantic divergence /
naming ambiguity, S125 intentional-marker comments, S1116 intentional
empty body) MUST escalate rather than auto-fix when the safety predicate
cannot be evaluated with certainty. When in doubt, escalate.
When the skill is invoked with --dry-run:
git diff style) of the fixes it
would apply to stdout so the operator can review the change set
before re-running without --dry-run.<!-- sonar-fix:dry-run --> so subsequent dry-run invocations
replace the prior preview comment rather than stacking.After review, re-invoke the skill on the same PR without --dry-run
to apply the previewed diff.
Auto-fix commits authored by this skill follow:
fix(sonar): <rule-id> -- <short reason>
Examples:
fix(sonar): S1481 -- remove unused local in cli/main.pyfix(sonar): S1128 -- remove unused import in api/handlers.pyRefer to parent epic #635 for the full rationale.
Skill Aliases table in
global/CLAUDE.md: deferred to P5.security_hotspot or vulnerability findings: out of
scope by policy — these require human review and never qualify for
codified auto-fixes.This skill is loop_safe: false. It pushes fix commits to live PRs and replies to SonarCloud bot comments. Re-running would push duplicate commits or re-process already-handled findings. Run it once per PR review cycle; resume rather than re-invoke.