sonarqube
// Fetch and analyze SonarQube quality metrics for pull requests, reporting on code quality, bugs, vulnerabilities, coverage, and code smells
| name | sonarqube |
| description | Fetch and analyze SonarQube quality metrics for pull requests, reporting on code quality, bugs, vulnerabilities, coverage, and code smells |
Automatically fetches and analyzes SonarQube quality metrics for pull requests, providing insights on code quality, test coverage, bugs, vulnerabilities, and technical debt.
This skill requires several conditions to be met before execution:
Objective: Verify a pull request exists for the current branch
Commands:
# Get current branch
git branch --show-current
# Check if PR exists
gh pr view --json number,title,state,url
Failure handling:
Example output:
✅ PR #1386 found: "feat: Frontend Ownership Tracking for Data Combiners"
Status: OPEN
URL: https://github.com/hivemq/hivemq-edge/pull/1386
Objective: Ensure SonarQube analysis GitHub Action has completed
Commands:
# Get PR number from Hook 1
PR_NUMBER=$(gh pr view --json number -q .number)
# Check GH Actions status for this PR
gh pr checks "$PR_NUMBER" --json name,conclusion,status,detailsUrl
# Filter for SonarQube-related workflow
gh pr checks "$PR_NUMBER" --json name,conclusion,status,detailsUrl | \
  jq '.[] | select(.name | contains("SonarQube") or contains("sonarcloud") or contains("Code Quality"))'
Expected workflow names:
Statuses:
- conclusion: "success" → Proceed to Hook 3
- status: "in_progress" → Wait or report estimated time
- conclusion: "failure" → Report failure, show logs URL, ask if should continue anyway
- conclusion: "cancelled" → Report cancellation, suggest re-run

Failure handling:
Example output:
✅ SonarQube Analysis: PASSED
Duration: 2m 34s
Completed: 5 minutes ago
Details: https://github.com/hivemq/hivemq-edge/actions/runs/12345
Objective: Verify SonarQube has analysis data for this PR
API Endpoint:
GET https://sonarcloud.io/api/measures/component
?component={project_key}
&pullRequest={pr_number}
&metricKeys=alert_status,bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density
Fallback if PR data not found:
Configuration (from config.yaml):
sonarcloud:
base_url: https://sonarcloud.io
organization: hivemq
project_key: hivemq_hivemq-edge
api_version: v1
Failure handling:
Example output:
✅ SonarQube data available for PR #1386
Analysis date: 2026-02-10 14:32 UTC
New code period: 2026-02-09 to 2026-02-10
# Analyze current PR (auto-detect)
/sonarqube
# Analyze specific PR by number
/sonarqube 1386
# Analyze specific branch
/sonarqube feature/new-feature
# Detailed report (includes file-level metrics)
/sonarqube --detailed
# Quality gate only (quick check)
/sonarqube --quality-gate-only
# Force analysis (bypass hooks)
/sonarqube 1386 --force
- [PR number]: PR number (e.g., 1386) - auto-detected if omitted
- [branch]: Branch name (e.g., feature/new-feature) - auto-detected if omitted
- --detailed: Include file-level hotspots, detailed metrics
- --quality-gate-only: Show only pass/fail status
- --force: Skip Hook 1 and Hook 2 (go directly to Hook 3)

Execute Hook 1, Hook 2, Hook 3 in sequence. If any fail:
--force)
Skip with:
/sonarqube --force # Skip PR and GH action checks
API Call:
curl -s "https://sonarcloud.io/api/qualitygates/project_status?projectKey=hivemq_hivemq-edge&pullRequest=${PR_NUMBER}"
Extract:
- PASSED / FAILED / ERROR

Parse JSON:
{
"projectStatus": {
"status": "OK",
"conditions": [
{
"status": "OK",
"metricKey": "new_coverage",
"comparator": "LT",
"errorThreshold": "80",
"actualValue": "85.3"
}
]
}
}
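The quality gate step above interpolates the PR number into a URL and then trusts the JSON that comes back. The following Python is an added example, not part of the skill: it validates the PR number before building the request and fails closed on any body it cannot parse (for instance a rate-limit page). The function names and the mapping of any gate status other than `OK` or `ERROR` to `ERROR` are assumptions.

```python
import json
import re
from urllib.parse import urlencode

BASE_URL = "https://sonarcloud.io"      # base_url from the page's config
PROJECT_KEY = "hivemq_hivemq-edge"      # project_key from the page's config

def gate_url(pr_number):
    """Build the project_status URL, rejecting anything but a plain PR number."""
    pr = str(pr_number)
    if not re.fullmatch(r"[1-9][0-9]{0,9}", pr):
        raise ValueError(f"not a PR number: {pr!r}")
    query = urlencode({"projectKey": PROJECT_KEY, "pullRequest": pr})
    return f"{BASE_URL}/api/qualitygates/project_status?{query}"

def summarize_gate(body):
    """Return (verdict, failing_conditions) for a project_status response body."""
    try:
        status = json.loads(body)["projectStatus"]
        gate = status["status"]
        conditions = [c for c in status.get("conditions", []) if isinstance(c, dict)]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "ERROR", []  # unparseable body (error page, rate limit): never PASSED
    failing = [
        f'{c.get("metricKey")}: actual {c.get("actualValue")} '
        f'({c.get("comparator")} {c.get("errorThreshold")})'
        for c in conditions
        if c.get("status") == "ERROR"
    ]
    if gate == "OK" and not failing:
        return "PASSED", []
    if gate == "ERROR":
        return "FAILED", failing
    return "ERROR", failing  # assumed mapping: any other or inconsistent state

# Constructed failing response, same shape as the sample on the page.
FAILING_SAMPLE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "61.2"},
]}})
```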
API Call:
curl -s "https://sonarcloud.io/api/measures/component?component=hivemq_hivemq-edge&pullRequest=${PR_NUMBER}&metricKeys=alert_status,bugs,new_bugs,vulnerabilities,new_vulnerabilities,code_smells,new_code_smells,coverage,new_coverage,duplicated_lines_density,new_duplicated_lines_density,security_hotspots,new_security_hotspots,sqale_rating,new_maintainability_rating,reliability_rating,new_reliability_rating,security_rating,new_security_rating,ncloc,new_lines"
Metrics to fetch:
Quality Gate:
- alert_status - Overall gate status

Bugs:
- bugs - Total bugs (overall code)
- new_bugs - Bugs in new code (PR changes)

Vulnerabilities:
- vulnerabilities - Total vulnerabilities
- new_vulnerabilities - Vulnerabilities in new code

Code Smells:
- code_smells - Total code smells
- new_code_smells - Code smells in new code

Coverage:
- coverage - Overall test coverage %
- new_coverage - Test coverage % for new code

Duplications:
- duplicated_lines_density - % of duplicated lines (overall)
- new_duplicated_lines_density - % duplications in new code

Security Hotspots:
- security_hotspots - Total security hotspots
- new_security_hotspots - Security hotspots in new code

Ratings (A-E scale):
- sqale_rating / new_maintainability_rating - Maintainability
- reliability_rating / new_reliability_rating - Reliability
- security_rating / new_security_rating - Security

Lines of Code:
- ncloc - Total lines of code
- new_lines - New lines added in PR

API Call:
curl -s "https://sonarcloud.io/api/issues/search?componentKeys=hivemq_hivemq-edge&pullRequest=${PR_NUMBER}&statuses=OPEN,CONFIRMED,REOPENED&ps=100"
Group by:
- BLOCKER, CRITICAL, MAJOR, MINOR, INFO
- BUG, VULNERABILITY, CODE_SMELL, SECURITY_HOTSPOT

Generate a formatted markdown report with the following structure:
# SonarQube Analysis: PR #{pr_number}
**Project:** hivemq_hivemq-edge
**PR:** #{pr_number} - {pr_title}
**Analysis Date:** {timestamp}
**URL:** https://sonarcloud.io/summary/new_code?id=hivemq_hivemq-edge&pullRequest={pr_number}
---
## Quality Gate: {PASSED / FAILED}
{emoji} **{status_message}**
{If failed, list failing conditions}
---
## New Code Metrics (PR Changes)
| Metric | Value | Status | Threshold |
| -------------------- | ------------------------------- | ---------- | --------- |
| 🐛 Bugs | {new_bugs} | {✅/❌} | 0 |
| 🔒 Vulnerabilities | {new_vulnerabilities} | {✅/❌} | 0 |
| 💡 Code Smells | {new_code_smells} | {✅/⚠️/❌} | < 10 |
| 📊 Coverage | {new_coverage}% | {✅/⚠️/❌} | > 80% |
| 📋 Duplications | {new_duplicated_lines_density}% | {✅/⚠️/❌} | < 3% |
| 🔐 Security Hotspots | {new_security_hotspots} | {✅/⚠️/❌} | 0 |
---
## Overall Project Metrics
| Metric | Value | Rating | Trend |
| ------------------------ | ----------------- | -------- | -------------- |
| 🐛 Total Bugs | {bugs} | {rating} | {↑/↓/→} |
| 🔒 Total Vulnerabilities | {vulnerabilities} | {rating} | {↑/↓/→} |
| 💡 Total Code Smells | {code_smells} | {rating} | {↑/↓/→} |
| 📊 Overall Coverage | {coverage}% | {rating} | {↑/↓/→} |
| 📏 Lines of Code | {ncloc} | - | (+{new_lines}) |
---
## Ratings
- **Maintainability:** {maintainability_rating} ({A-E})
- **Reliability:** {reliability_rating} ({A-E})
- **Security:** {security_rating} ({A-E})
---
## {If --detailed} Issues Breakdown
### 🔴 Blocker Issues ({count})
{List of blocker issues with file:line}
### 🟠 Critical Issues ({count})
{List of critical issues}
### 🟡 Major Issues ({count})
{List of major issues}
---
## Recommendations
{If bugs > 0}
- ⚠️ **Fix {new_bugs} new bugs** before merging
{If coverage < 80%}
- ⚠️ **Improve test coverage** from {new_coverage}% to at least 80%
{If code_smells > 10}
- 💡 **Address {new_code_smells} code smells** to improve maintainability
{If quality_gate == "FAILED"}
- 🔴 **Quality gate failed** - Address issues above before merging
{If quality_gate == "PASSED"}
- ✅ **Quality gate passed** - Code meets quality standards
---
## Quick Actions
**View full analysis:**
https://sonarcloud.io/summary/new_code?id=hivemq_hivemq-edge&pullRequest={pr_number}
**View issues:**
https://sonarcloud.io/project/issues?id=hivemq_hivemq-edge&pullRequest={pr_number}
**Re-run analysis:**
\```bash
gh pr checks {pr_number} --rerun
\```
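The issues search call requests a single page (`ps=100`), so the Issues Breakdown section of the report can silently omit findings on a large PR. The following Python is an added example, not part of the skill: it groups a response by severity and type, lists up to `max_issues_per_severity` entries as `file:line`, and flags truncation. The response fields used (`paging.total`, and `severity`, `type`, `component`, `line`, `message` on each issue) are assumed from the SonarQube Web API and do not appear on this page; the sample data is constructed.

```python
import json
from collections import Counter

SEVERITIES = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]  # as listed on the page

def group_issues(body, max_per_severity=10):
    """Summarize an api/issues/search response body for the issues breakdown."""
    data = json.loads(body)
    issues = data.get("issues", [])
    # Assumed response field: paging.total is the number of matching issues.
    total = data.get("paging", {}).get("total", len(issues))
    listed = {}
    for sev in SEVERITIES:
        rows = [i for i in issues if i.get("severity") == sev]
        listed[sev] = [
            "{}:{} {}".format(
                i.get("component", "?").split(":", 1)[-1],  # drop "project_key:" prefix
                i.get("line", "?"),
                i.get("message", ""),
            )
            for i in rows[:max_per_severity]
        ]
    return {
        "by_severity": dict(Counter(i.get("severity", "UNKNOWN") for i in issues)),
        "by_type": dict(Counter(i.get("type", "UNKNOWN") for i in issues)),
        "listed": listed,
        "total": total,
        "truncated": total > len(issues),  # ps=100 returned only part of the result
    }

# Constructed sample: three issues match, but only two came back in this page.
SAMPLE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 2, "total": 3},
    "issues": [
        {"severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "hivemq_hivemq-edge:src/api/client.ts", "line": 42,
         "message": "Constructed finding A"},
        {"severity": "MAJOR", "type": "CODE_SMELL",
         "component": "hivemq_hivemq-edge:src/utils/format.ts", "line": 7,
         "message": "Constructed finding B"},
    ],
})
```

When `truncated` is true, the report should say so instead of presenting the counts as complete.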
Configuration is stored in .claude/skills/sonarqube/config.yaml:
sonarcloud:
# Base URL for SonarCloud API
base_url: https://sonarcloud.io
# Organization key
organization: hivemq
# Project key
project_key: hivemq_hivemq-edge
# API version
api_version: v1
github:
# GitHub repository (owner/repo)
repository: hivemq/hivemq-edge
# Workflow names to check for SonarQube analysis
workflow_names:
- 'SonarQube Analysis'
- 'SonarCloud Scan'
- 'Code Quality'
- 'CI' # Fallback if SonarQube runs in main CI
quality_gate:
# Thresholds for metric interpretation
thresholds:
bugs: 0
vulnerabilities: 0
code_smells_warning: 5
code_smells_error: 10
coverage_warning: 70
coverage_error: 80
duplications_warning: 3
duplications_error: 5
# Rating interpretation (A=1, B=2, C=3, D=4, E=5)
rating_pass: 2 # A or B acceptable
reporting:
# Include detailed issues in report
detailed_by_default: false
# Max issues to show in report (per severity)
max_issues_per_severity: 10
# Show historical trends (requires multiple analyses)
show_trends: true
# Emoji mapping for statuses
emoji:
passed: '✅'
failed: '❌'
warning: '⚠️'
info: 'ℹ️'
bug: '🐛'
vulnerability: '🔒'
code_smell: '💡'
coverage: '📊'
duplications: '📋'
security_hotspot: '🔐'
# Metadata
version: '1.0.0'
last_updated: '2026-02-10'
project: 'hivemq-edge-frontend'
Message:
❌ No pull request found for current branch: {branch_name}
**Next steps:**
1. Create a PR first:
gh pr create --title "Your PR title" --body "Description"
2. Or specify a PR number:
/sonarqube 1386
3. Or force skip PR check:
/sonarqube --force
Message:
⏳ SonarQube analysis is still running...
**Status:** IN_PROGRESS
**Started:** 2 minutes ago
**Estimated completion:** ~3 minutes
**Options:**
1. Wait for completion (will auto-check every 30s)
2. Continue anyway with potentially stale data: /sonarqube --force
3. View action logs: https://github.com/hivemq/hivemq-edge/actions/runs/12345
Message:
❌ SonarQube has no analysis data for PR #1386
**Possible causes:**
1. Analysis hasn't run yet (GH action failed?)
2. PR is too new (analysis in progress)
3. SonarQube configuration issue
**Next steps:**
1. Check GH action status: gh pr checks 1386
2. Re-run GH workflow: gh pr checks 1386 --rerun
3. Wait a few minutes and try again
4. Check SonarQube project settings
Message:
⚠️ SonarCloud API rate limit reached
**Options:**
1. Wait 60 seconds and retry
2. Use web interface: https://sonarcloud.io/summary/new_code?id=hivemq_hivemq-edge&pullRequest={pr_number}
Workflow:
# 1. Run pre-review first (local checks)
/pre-review
# 2. Fix critical issues
# 3. Create PR
gh pr create
# 4. Wait for CI to complete
# 5. Run SonarQube analysis
/sonarqube
# 6. Address SonarQube findings
# 7. Ready to merge!
Combined report:
# Analyze multiple PRs
/sonarqube 1386
/sonarqube 1387
# Compare metrics manually
# Analyze a branch directly
/sonarqube feature/new-feature
# Show how metrics changed over time
/sonarqube 1386 --trends
Test cases:
Happy path:
/sonarqube # Should auto-detect PR and fetch metrics
No PR:
# On a branch without PR
/sonarqube # Should prompt to create PR or use --force
GH action in progress:
/sonarqube # Should wait or show progress
Failed quality gate:
/sonarqube <pr_with_issues> # Should show failing conditions
Detailed report:
/sonarqube --detailed # Should show issue breakdown
Planned features:
Hooks are prerequisite checks that must pass before the main skill logic runs.
Structure:
hooks:
- id: hook-1
name: 'Descriptive Name'
objective: 'What this hook validates'
commands: ['bash command to check']
success_criteria: 'What indicates success'
failure_handling: 'What to do on failure'
can_skip: true/false
skip_flag: '--force'
Hook execution:
- can_skip: false, abort skill
- can_skip: true, prompt user with options
- skip_flag provided, skip all skippable hooks

Example in skill:
### Hook 1: PR Existence Check
**Commands:**
```bash
gh pr view --json number,title,state
```
Success criteria:
- "state": "OPEN"

Failure handling:
---
**Generated:** 2026-02-10
**Version:** 1.0.0
**Status:** Ready for use