edercnj/x-security-sonar
java/src/main/resources/targets/claude/skills/conditional/security/x-security-sonar/SKILL.md
Integrates with SonarQube/SonarCloud for security hotspot tracking, quality gate enforcement, and SARIF output from findings.
testing
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add edercnj/ia-dev-environment x-security-sonarInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 21, 2026, 8:49 AM51.7s2 files scanned
SKILL.md
- name:
- x-security-sonar
- description:
- Integrates with SonarQube/SonarCloud for security hotspot tracking, quality gate enforcement, and SARIF output from findings.
- user-invocable:
- true
- allowed-tools:
- Read, Write, Edit, Bash, Grep, Glob
- argument-hint:
- --server <url> --token <token> [--quality-gate default|strict] [--project-key <key>] [--branch <branch>] [--timeout <seconds>]
Global Output Policy
- Language: English ONLY.
- Tone: Technical, Direct, and Concise.
- Efficiency: Remove all conversational fillers and greetings to save tokens.
Skill: SonarQube Quality Gate
Purpose
Integrate with SonarQube or SonarCloud to generate sonar-project.properties, execute SonarScanner, poll quality gate status, and produce SARIF output with a Markdown report. Support default and strict quality gate modes for security hotspot tracking and vulnerability enforcement.
Activation Condition
Include this skill when security.qualityGate.provider is not "none" in the project configuration.
Triggers
/x-security-sonar --server https://sonar.example.com --token squ_abc123...-- default quality gate/x-security-sonar --server https://sonar.example.com --token squ_abc123... --quality-gate strict-- strict mode for release pipeline/x-security-sonar --server https://sonar.example.com --token squ_abc123... --project-key my-service --branch release/1.0-- custom project key and branch
Parameters
| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| --server | String | Yes | -- | SonarQube/SonarCloud server URL |
| --token | String | Yes | -- | Authentication token (min 40 chars) |
| --quality-gate | String | No | default | Quality gate mode: default, strict |
| --project-key | String | No | auto-detect | Project key in SonarQube |
| --branch | String | No | current branch | Branch for analysis |
| --timeout | Integer | No | 300 | Polling timeout in seconds (30-3600) |
Knowledge Pack References
| Pack | Files | Purpose |
|------|-------|---------|
| security | skills/security/references/security-principles.md | Data classification, input validation, fail-secure patterns |
| security | skills/security/references/application-security.md | OWASP Top 10, security headers, secrets management |
Prerequisites
- SonarScanner CLI installed and available on PATH
- SonarQube/SonarCloud server accessible from CI environment
- Authentication token with
Execute Analysispermission - {{FRAMEWORK}} project with {{BUILD_TOOL}} build system
Workflow
Step 1 — Validate Parameters
- Verify
--serveris a reachable HTTP/HTTPS URL - Verify
--tokenis non-empty and at least 40 characters - If server unreachable, abort with:
SonarQube server unreachable: <url> - If token invalid (401), abort with:
SonarQube authentication failed
Step 2 — Auto-Detect Project Configuration
Detect language, source directories, test directories, and project key from build files.
Step 3 — Generate sonar-project.properties
Generate the properties file with auto-detected values including language-specific properties.
Step 4 — Execute SonarScanner
sonar-scanner \
-Dsonar.host.url=<server-url> \
-Dsonar.token=<token> \
-Dsonar.branch.name=<branch> \
-Dsonar.projectKey=<project-key>
Capture the task ID from scanner output for polling.
Step 5 — Poll Quality Gate Status
- Endpoint:
GET /api/qualitygates/project_status?analysisId=<id> - Polling interval: 10 seconds
- Timeout: configurable via
--timeout(default: 300s) - Terminal states:
OK,ERROR
Step 6 — Evaluate Quality Gate Result
Default Mode: Use the quality gate configured on the SonarQube server.
Strict Mode: Enforce stricter thresholds:
| Metric | Threshold | Operator |
|--------|-----------|----------|
| new_vulnerabilities | 0 | GT |
| security_hotspots_reviewed | 100% | LT |
| security_rating | A (1) | GT |
| duplicated_lines_density | 3% | GT |
| coverage | 95% | LT |
Step 7 — Generate Reports
- Convert SonarQube findings to SARIF 2.1.0 format
- Generate Markdown report with quality gate status, metrics, and recommendations
Error Handling
| Scenario | Action |
|----------|--------|
| Server unreachable | Abort with SonarQube server unreachable: <url>, verify URL and network |
| Authentication failed | Abort with SonarQube authentication failed: 401, verify token |
| Polling timeout | Report last known status with analysis ID, suggest increasing timeout |
| Scanner not found | Abort with SonarScanner not found on PATH, provide install instructions |
| Invalid project key | Abort with Invalid project key format, suggest pattern [a-zA-Z0-9_:.-]+ |
CI Integration
GitHub Actions
- name: SonarQube Quality Gate
run: |
sonar-scanner \
-Dsonar.host.url=${{ '{{' }} secrets.SONAR_HOST_URL {{ '}}' }} \
-Dsonar.token=${{ '{{' }} secrets.SONAR_TOKEN {{ '}}' }} \
-Dsonar.branch.name=${{ '{{' }} github.ref_name {{ '}}' }} \
-Dsonar.qualitygate.wait=true
GitLab CI
sonarqube-check:
stage: quality
image: sonarsource/sonar-scanner-cli:latest
script:
- sonar-scanner
-Dsonar.host.url=${SONAR_HOST_URL}
-Dsonar.token=${SONAR_TOKEN}
-Dsonar.qualitygate.wait=true
Review Checklist
- [ ]
sonar-project.propertiesgenerated with correct source/test directories - [ ] SonarScanner executed with proper authentication
- [ ] Quality gate status polled until terminal state or timeout
- [ ] All conditions evaluated against configured thresholds
- [ ] SARIF output includes security hotspots and vulnerabilities
- [ ] Markdown report includes all metrics with pass/fail status
- [ ] Error messages include actionable recovery guidance
- [ ] Strict mode enforces zero-vulnerability and 100% hotspot review
- [ ] Token and credentials are NEVER logged or exposed in output
Related Skills
edercnj/helidon-scaffold
testing
VerifiedTrustedCommunity
Scaffolds a Helidon SE/MP service with routing, health, config, Dockerfile, and tests.
SKILL.mdUpdated May 17, 2026
edercnj/picocli-command
tools
VerifiedTrustedCommunity
Generates a Picocli @Command with subcommands, options, converters, and unit tests.
SKILL.mdUpdated May 15, 2026
edercnj/micronaut-scaffold
testing
VerifiedTrustedCommunity
Scaffolds a Micronaut service with @Controller, DI, health, Dockerfile, and tests.
SKILL.mdUpdated May 12, 2026
edercnj/helidon-scaffold
testing
VerifiedTrustedCommunity
Scaffolds a Helidon SE/MP service with routing, health, config, Dockerfile, and tests.
SKILL.mdUpdated May 9, 2026