Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

harshanandak/sonarcloud-analysis

Name: sonarcloud-analysis
Author: harshanandak

skills/sonarcloud-analysis/SKILL.md

npx skillsauth add harshanandak/forge sonarcloud-analysis

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

<role> You are a SonarCloud code quality analyst with expertise in static analysis, security vulnerability assessment, and technical debt management. You operate with your own isolated context to perform comprehensive code quality analysis without polluting the main conversation. </role> <capabilities> - Query SonarCloud API for issues, metrics, and quality gates - Analyze code quality across branches and pull requests - Identify security vulnerabilities and hotspots - Track coverage, duplication, and technical debt - Generate health reports and trend analysis - Correlate SonarCloud findings with local codebase </capabilities> <constraints> - Always use environment variables: $SONARCLOUD_TOKEN, $SONARCLOUD_ORG, $SONARCLOUD_PROJECT - Load credentials from .env.local if environment variables are not set - Never expose tokens in output - Validate API responses before processing - Handle pagination for large result sets </constraints> <workflow> 1. Load environment variables (check .env.local if needed: `source .env.local 2>/dev/null || true`) 2. Verify credentials are available 3. Determine the analysis scope (project, branch, PR) 4. Query relevant endpoints 5. Process and correlate results 6. Return actionable summary to main context </workflow>

SonarCloud Integration

Base: https://sonarcloud.io/api | Auth: Bearer $SONARCLOUD_TOKEN

Configuration

Environment Variables: Required for authentication

SONARCLOUD_TOKEN - Generate at sonarcloud.io/account/security
SONARCLOUD_ORG - Your SonarCloud organization key
SONARCLOUD_PROJECT - Your project key

Option 1: Use .env.local (Recommended) Add to your project's .env.local:

SONARCLOUD_TOKEN=your_token_here
SONARCLOUD_ORG=your-org
SONARCLOUD_PROJECT=your-project

Before querying, load environment variables:

# Load .env.local into current environment
export $(grep -v '^#' .env.local | xargs)

Option 2: Export directly

export SONARCLOUD_TOKEN="your_token"
export SONARCLOUD_ORG="your-org"
export SONARCLOUD_PROJECT="your-project"

# Common queries
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/measures/component?component=$PROJECT&metricKeys=bugs,coverage"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$PROJECT"

Endpoints

| Endpoint | Purpose | Key Params | | ------------------------------- | ------------------------ | ---------------------------------------- | | /api/issues/search | Bugs, vulnerabilities | types, severities, branch, pullRequest | | /api/measures/component | Coverage, complexity | metricKeys, branch, pullRequest | | /api/qualitygates/project_status | Pass/fail status | projectKey, branch, pullRequest | | /api/hotspots/search | Security hotspots | projectKey, status | | /api/projects/search | List projects | organization, q | | /api/project_analyses/search | Analysis history | project, from, to | | /api/measures/search_history | Metrics over time | component, metrics, from | | /api/components/tree | Files with metrics | qualifiers=FIL, metricKeys | | /api/duplications/show | Duplicate code blocks | key (file key), branch | | /api/sources/raw | Raw source code | key (file key), branch | | /api/sources/scm | SCM blame info | key, from, to | | /api/ce/activity | Background tasks | component, status, type | | /api/qualityprofiles/search | Quality profiles | language, project | | /api/languages/list | Supported languages | - | | /api/project_branches/list | Project branches | project | | /api/project_badges/measure | SVG badge | project, metric, branch | | /api/rules/search | Coding rules | languages, severities, types |

Common Filters

Issues: types=BUG,VULNERABILITY,CODE_SMELL | severities=BLOCKER,CRITICAL,MAJOR | resolved=false | inNewCodePeriod=true

Metrics: bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density,sqale_rating,reliability_rating,security_rating

New Code: new_bugs,new_vulnerabilities,new_coverage,new_duplicated_lines_density

Workflows

Health Check

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT"
curl ... "/api/measures/component?component=$PROJECT&metricKeys=bugs,vulnerabilities,coverage,sqale_rating"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false&facets=severities,types&ps=1"

PR Analysis

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT&pullRequest=123"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&pullRequest=123&resolved=false"
curl ... "/api/measures/component?component=$PROJECT&pullRequest=123&metricKeys=new_bugs,new_coverage"

Security Audit

curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&types=VULNERABILITY&resolved=false"
curl ... "/api/hotspots/search?projectKey=$PROJECT&status=TO_REVIEW"

Duplication Analysis

# Get duplication metrics
curl ... "/api/measures/component?component=$PROJECT&metricKeys=duplicated_lines,duplicated_lines_density,duplicated_blocks,duplicated_files"

# Get files with most duplication
curl ... "/api/components/tree?component=$PROJECT&qualifiers=FIL&metricKeys=duplicated_lines_density&s=metric&metricSort=duplicated_lines_density&asc=false&ps=20"

# Get duplicate blocks for a specific file (requires file key from above)
curl ... "/api/duplications/show?key=my-project:src/utils/helpers.ts"

Response Processing

# Count by severity
curl ... | jq '.issues | group_by(.severity) | map({severity: .[0].severity, count: length})'

# Failed quality gate conditions
curl ... | jq '.projectStatus.conditions | map(select(.status == "ERROR"))'

# Metrics as key-value
curl ... | jq '.component.measures | map({(.metric): .value}) | add'

Detailed Reference

For complete API parameters and response schemas, see references/api-reference.md.

harshanandak/sonarcloud-analysis

skills/sonarcloud-analysis/SKILL.md

Pull issues, metrics, quality gates, and analysis data from SonarCloud. ALWAYS use this skill when the user mentions SonarCloud, asks about code quality metrics, wants to check PR quality gates, or needs to review security vulnerabilities and technical debt from static analysis. Also trigger during /review workflow when SonarCloud issues need addressing. Trigger on phrases like "SonarCloud", "quality gate", "code quality metrics", "technical debt", "coverage report", "static analysis issues", "security vulnerabilities from scan".

3 stars

development

Updated Apr 17, 2026

$ install --global

skillsauth

npx skillsauth add harshanandak/forge sonarcloud-analysis

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 17, 2026, 11:26 AM19.0s4 files scanned

SKILL.md

name:: sonarcloud-analysis
description:: >
category:: Code Quality
tags:: [sonarcloud, code-quality, issues, metrics, security]
context:: fork
tools:: [Bash, WebFetch, Read, Grep, Glob]
model:: sonnet

SonarCloud Integration

Base: https://sonarcloud.io/api | Auth: Bearer $SONARCLOUD_TOKEN

Configuration

Environment Variables: Required for authentication

SONARCLOUD_TOKEN - Generate at sonarcloud.io/account/security
SONARCLOUD_ORG - Your SonarCloud organization key
SONARCLOUD_PROJECT - Your project key

Option 1: Use .env.local (Recommended) Add to your project's .env.local:

SONARCLOUD_TOKEN=your_token_here
SONARCLOUD_ORG=your-org
SONARCLOUD_PROJECT=your-project

Before querying, load environment variables:

# Load .env.local into current environment
export $(grep -v '^#' .env.local | xargs)

Option 2: Export directly

export SONARCLOUD_TOKEN="your_token"
export SONARCLOUD_ORG="your-org"
export SONARCLOUD_PROJECT="your-project"

# Common queries
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/measures/component?component=$PROJECT&metricKeys=bugs,coverage"
curl -H "Authorization: Bearer $TOKEN" \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$PROJECT"

Endpoints

Common Filters

Issues: types=BUG,VULNERABILITY,CODE_SMELL | severities=BLOCKER,CRITICAL,MAJOR | resolved=false | inNewCodePeriod=true

Metrics: bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density,sqale_rating,reliability_rating,security_rating

New Code: new_bugs,new_vulnerabilities,new_coverage,new_duplicated_lines_density

Workflows

Health Check

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT"
curl ... "/api/measures/component?component=$PROJECT&metricKeys=bugs,vulnerabilities,coverage,sqale_rating"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&resolved=false&facets=severities,types&ps=1"

PR Analysis

curl ... "/api/qualitygates/project_status?projectKey=$PROJECT&pullRequest=123"
curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&pullRequest=123&resolved=false"
curl ... "/api/measures/component?component=$PROJECT&pullRequest=123&metricKeys=new_bugs,new_coverage"

Security Audit

curl ... "/api/issues/search?organization=$ORG&componentKeys=$PROJECT&types=VULNERABILITY&resolved=false"
curl ... "/api/hotspots/search?projectKey=$PROJECT&status=TO_REVIEW"

Duplication Analysis

# Get duplication metrics
curl ... "/api/measures/component?component=$PROJECT&metricKeys=duplicated_lines,duplicated_lines_density,duplicated_blocks,duplicated_files"

# Get files with most duplication
curl ... "/api/components/tree?component=$PROJECT&qualifiers=FIL&metricKeys=duplicated_lines_density&s=metric&metricSort=duplicated_lines_density&asc=false&ps=20"

# Get duplicate blocks for a specific file (requires file key from above)
curl ... "/api/duplications/show?key=my-project:src/utils/helpers.ts"

Response Processing

# Count by severity
curl ... | jq '.issues | group_by(.severity) | map({severity: .[0].severity, count: length})'

# Failed quality gate conditions
curl ... | jq '.projectStatus.conditions | map(select(.status == "ERROR"))'

# Metrics as key-value
curl ... | jq '.component.measures | map({(.metric): .value}) | add'

Detailed Reference

For complete API parameters and response schemas, see references/api-reference.md.

Related Skills

harshanandak/parallel-deep-research

tools

VerifiedTrustedCommunity

Produces comprehensive research reports that go far beyond what built-in web search can achieve. Sends research tasks to Parallel AI's pro/ultra processors which spend 3-25 minutes autonomously crawling, reading, and synthesizing dozens of sources — returning structured reports with citations. Built-in WebSearch can only run a few queries; this skill runs an entire research pipeline externally. No binary install — requires PARALLEL_API_KEY in .env.local. ALWAYS use this skill instead of doing multiple WebSearch calls when the user needs a comprehensive report, market analysis, competitive landscape, industry deep-dive, strategic recommendations, or multi-source synthesis. This is the RIGHT tool for any research task that would require more than 3-4 web searches to answer properly. Also trigger during /plan Phase 2 research and /research workflows.

3SKILL.mdUpdated Apr 17, 2026

harshanandak/parallel-deep-research

harshanandak/packages/skills/.github/skills/test-skill

testing

VerifiedTrustedCommunity

Test content

3SKILL.mdUpdated Apr 17, 2026

harshanandak/packages/skills/.github/skills/test-skill

harshanandak/packages/skills/.cursor/skills/test-skill

testing

VerifiedTrustedCommunity

Test content

3SKILL.mdUpdated Apr 17, 2026

harshanandak/packages/skills/.cursor/skills/test-skill

harshanandak/.codex/skills/verify

development

VerifiedTrustedCommunity

Post-merge health check — confirm merge landed, CI is clean, deployments are up

3SKILL.mdUpdated Apr 17, 2026

harshanandak/.codex/skills/verify

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/harshanandak/forge.git

# Copy into Claude Code skills folder (global)
cp -r forge/skills/sonarcloud-analysis ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

harshanandak/forge

3 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT