Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

lyxjack/springboot-verification

Name: springboot-verification
Author: lyxjack

Tool/everything-claude-code/docs/zh-CN/skills/springboot-verification/SKILL.md

npx skillsauth add lyxjack/toolbox springboot-verification

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Spring Boot 验证循环

在提交 PR 前、重大变更后以及部署前运行。

何时激活

为 Spring Boot 服务开启拉取请求之前
在重大重构或依赖项升级之后
用于暂存或生产环境的部署前验证
运行完整的构建 → 代码检查 → 测试 → 安全扫描流水线
验证测试覆盖率是否满足阈值

阶段 1：构建

mvn -T 4 clean verify -DskipTests
# or
./gradlew clean assemble -x test

如果构建失败，停止并修复。

阶段 2：静态分析

Maven（常用插件）：

mvn -T 4 spotbugs:check pmd:check checkstyle:check

Gradle（如果已配置）：

./gradlew checkstyleMain pmdMain spotbugsMain

阶段 3：测试 + 覆盖率

mvn -T 4 test
mvn jacoco:report   # verify 80%+ coverage
# or
./gradlew test jacocoTestReport

报告：

总测试数，通过/失败
覆盖率百分比（行/分支）

单元测试

使用模拟的依赖项来隔离测试服务逻辑：

@ExtendWith(MockitoExtension.class)
class UserServiceTest {

  @Mock private UserRepository userRepository;
  @InjectMocks private UserService userService;

  @Test
  void createUser_validInput_returnsUser() {
    var dto = new CreateUserDto("Alice", "[email protected]");
    var expected = new User(1L, "Alice", "[email protected]");
    when(userRepository.save(any(User.class))).thenReturn(expected);

    var result = userService.create(dto);

    assertThat(result.name()).isEqualTo("Alice");
    verify(userRepository).save(any(User.class));
  }

  @Test
  void createUser_duplicateEmail_throwsException() {
    var dto = new CreateUserDto("Alice", "[email protected]");
    when(userRepository.existsByEmail(dto.email())).thenReturn(true);

    assertThatThrownBy(() -> userService.create(dto))
        .isInstanceOf(DuplicateEmailException.class);
  }
}

使用 Testcontainers 进行集成测试

针对真实数据库（而非 H2）进行测试：

@SpringBootTest
@Testcontainers
class UserRepositoryIntegrationTest {

  @Container
  static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")
      .withDatabaseName("testdb");

  @DynamicPropertySource
  static void configureProperties(DynamicPropertyRegistry registry) {
    registry.add("spring.datasource.url", postgres::getJdbcUrl);
    registry.add("spring.datasource.username", postgres::getUsername);
    registry.add("spring.datasource.password", postgres::getPassword);
  }

  @Autowired private UserRepository userRepository;

  @Test
  void findByEmail_existingUser_returnsUser() {
    userRepository.save(new User("Alice", "[email protected]"));

    var found = userRepository.findByEmail("[email protected]");

    assertThat(found).isPresent();
    assertThat(found.get().getName()).isEqualTo("Alice");
  }
}

使用 MockMvc 进行 API 测试

在完整的 Spring 上下文中测试控制器层：

@WebMvcTest(UserController.class)
class UserControllerTest {

  @Autowired private MockMvc mockMvc;
  @MockBean private UserService userService;

  @Test
  void createUser_validInput_returns201() throws Exception {
    var user = new UserDto(1L, "Alice", "[email protected]");
    when(userService.create(any())).thenReturn(user);

    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "[email protected]"}
                """))
        .andExpect(status().isCreated())
        .andExpect(jsonPath("$.name").value("Alice"));
  }

  @Test
  void createUser_invalidEmail_returns400() throws Exception {
    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "not-an-email"}
                """))
        .andExpect(status().isBadRequest());
  }
}

阶段 4：安全扫描

# Dependency CVEs
mvn org.owasp:dependency-check-maven:check
# or
./gradlew dependencyCheckAnalyze

# Secrets in source
grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"
grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"

# Secrets (git history)
git secrets --scan  # if configured

常见安全发现

# Check for System.out.println (use logger instead)
grep -rn "System\.out\.print" src/main/ --include="*.java"

# Check for raw exception messages in responses
grep -rn "e\.getMessage()" src/main/ --include="*.java"

# Check for wildcard CORS
grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"

阶段 5：代码检查/格式化（可选关卡）

mvn spotless:apply   # if using Spotless plugin
./gradlew spotlessApply

阶段 6：差异审查

git diff --stat
git diff

检查清单：

没有遗留调试日志（System.out、log.debug 没有防护）
有意义的错误信息和 HTTP 状态码
在需要的地方有事务和验证
配置变更已记录

输出模板

VERIFICATION REPORT
===================
Build:     [PASS/FAIL]
Static:    [PASS/FAIL] (spotbugs/pmd/checkstyle)
Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
Security:  [PASS/FAIL] (CVE findings: N)
Diff:      [X files changed]

Overall:   [READY / NOT READY]

Issues to Fix:
1. ...
2. ...

持续模式

在重大变更时或长时间会话中每 30–60 分钟重新运行各阶段
保持短循环：mvn -T 4 test + spotbugs 以获取快速反馈

记住：快速反馈胜过意外惊喜。保持关卡严格——将警告视为生产系统中的缺陷。

lyxjack/springboot-verification

Tool/everything-claude-code/docs/zh-CN/skills/springboot-verification/SKILL.md

Spring Boot项目验证循环：构建、静态分析、测试覆盖、安全扫描，以及发布或PR前的差异审查。

1 stars

tools

Updated Apr 23, 2026

$ install --global

skillsauth

npx skillsauth add lyxjack/toolbox springboot-verification

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 30, 2026, 11:29 PM120.4s1 file scanned

SKILL.md

name:: springboot-verification
description:: Spring Boot项目验证循环：构建、静态分析、测试覆盖、安全扫描，以及发布或PR前的差异审查。
origin:: ECC

Spring Boot 验证循环

在提交 PR 前、重大变更后以及部署前运行。

何时激活

为 Spring Boot 服务开启拉取请求之前
在重大重构或依赖项升级之后
用于暂存或生产环境的部署前验证
运行完整的构建 → 代码检查 → 测试 → 安全扫描流水线
验证测试覆盖率是否满足阈值

阶段 1：构建

mvn -T 4 clean verify -DskipTests
# or
./gradlew clean assemble -x test

如果构建失败，停止并修复。

阶段 2：静态分析

Maven（常用插件）：

mvn -T 4 spotbugs:check pmd:check checkstyle:check

Gradle（如果已配置）：

./gradlew checkstyleMain pmdMain spotbugsMain

阶段 3：测试 + 覆盖率

mvn -T 4 test
mvn jacoco:report   # verify 80%+ coverage
# or
./gradlew test jacocoTestReport

报告：

总测试数，通过/失败
覆盖率百分比（行/分支）

单元测试

使用模拟的依赖项来隔离测试服务逻辑：

@ExtendWith(MockitoExtension.class)
class UserServiceTest {

  @Mock private UserRepository userRepository;
  @InjectMocks private UserService userService;

  @Test
  void createUser_validInput_returnsUser() {
    var dto = new CreateUserDto("Alice", "[email protected]");
    var expected = new User(1L, "Alice", "[email protected]");
    when(userRepository.save(any(User.class))).thenReturn(expected);

    var result = userService.create(dto);

    assertThat(result.name()).isEqualTo("Alice");
    verify(userRepository).save(any(User.class));
  }

  @Test
  void createUser_duplicateEmail_throwsException() {
    var dto = new CreateUserDto("Alice", "[email protected]");
    when(userRepository.existsByEmail(dto.email())).thenReturn(true);

    assertThatThrownBy(() -> userService.create(dto))
        .isInstanceOf(DuplicateEmailException.class);
  }
}

使用 Testcontainers 进行集成测试

针对真实数据库（而非 H2）进行测试：

@SpringBootTest
@Testcontainers
class UserRepositoryIntegrationTest {

  @Container
  static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")
      .withDatabaseName("testdb");

  @DynamicPropertySource
  static void configureProperties(DynamicPropertyRegistry registry) {
    registry.add("spring.datasource.url", postgres::getJdbcUrl);
    registry.add("spring.datasource.username", postgres::getUsername);
    registry.add("spring.datasource.password", postgres::getPassword);
  }

  @Autowired private UserRepository userRepository;

  @Test
  void findByEmail_existingUser_returnsUser() {
    userRepository.save(new User("Alice", "[email protected]"));

    var found = userRepository.findByEmail("[email protected]");

    assertThat(found).isPresent();
    assertThat(found.get().getName()).isEqualTo("Alice");
  }
}

使用 MockMvc 进行 API 测试

在完整的 Spring 上下文中测试控制器层：

@WebMvcTest(UserController.class)
class UserControllerTest {

  @Autowired private MockMvc mockMvc;
  @MockBean private UserService userService;

  @Test
  void createUser_validInput_returns201() throws Exception {
    var user = new UserDto(1L, "Alice", "[email protected]");
    when(userService.create(any())).thenReturn(user);

    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "[email protected]"}
                """))
        .andExpect(status().isCreated())
        .andExpect(jsonPath("$.name").value("Alice"));
  }

  @Test
  void createUser_invalidEmail_returns400() throws Exception {
    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "not-an-email"}
                """))
        .andExpect(status().isBadRequest());
  }
}

阶段 4：安全扫描

# Dependency CVEs
mvn org.owasp:dependency-check-maven:check
# or
./gradlew dependencyCheckAnalyze

# Secrets in source
grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"
grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"

# Secrets (git history)
git secrets --scan  # if configured

常见安全发现

# Check for System.out.println (use logger instead)
grep -rn "System\.out\.print" src/main/ --include="*.java"

# Check for raw exception messages in responses
grep -rn "e\.getMessage()" src/main/ --include="*.java"

# Check for wildcard CORS
grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"

阶段 5：代码检查/格式化（可选关卡）

mvn spotless:apply   # if using Spotless plugin
./gradlew spotlessApply

阶段 6：差异审查

git diff --stat
git diff

检查清单：

没有遗留调试日志（System.out、log.debug 没有防护）
有意义的错误信息和 HTTP 状态码
在需要的地方有事务和验证
配置变更已记录

输出模板

VERIFICATION REPORT
===================
Build:     [PASS/FAIL]
Static:    [PASS/FAIL] (spotbugs/pmd/checkstyle)
Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
Security:  [PASS/FAIL] (CVE findings: N)
Diff:      [X files changed]

Overall:   [READY / NOT READY]

Issues to Fix:
1. ...
2. ...

持续模式

在重大变更时或长时间会话中每 30–60 分钟重新运行各阶段
保持短循环：mvn -T 4 test + spotbugs 以获取快速反馈

记住：快速反馈胜过意外惊喜。保持关卡严格——将警告视为生产系统中的缺陷。

Related Skills

lyxjack/vercel-react-native-skills

development

VerifiedTrustedCommunity

React Native and Expo best practices for building performant mobile apps. Use when building React Native components, optimizing list performance, implementing animations, or working with native modules. Triggers on tasks involving React Native, Expo, mobile performance, or native platform APIs.

1SKILL.mdUpdated Apr 24, 2026

lyxjack/vercel-react-native-skills

lyxjack/frontend-design

development

VerifiedTrustedCommunity

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, artifacts, posters, or applications (examples include websites, landing pages, dashboards, React components, HTML/CSS layouts, or when styling/beautifying any web UI). Generates creative, polished code and UI design that avoids generic AI aesthetics.

1SKILL.mdUpdated Apr 24, 2026

lyxjack/frontend-design

lyxjack/find-skills

data-ai

VerifiedTrustedCommunity

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.

1SKILL.mdUpdated Apr 24, 2026

lyxjack/x-api

development

VerifiedTrustedCommunity

X/Twitter API integration for posting tweets, threads, reading timelines, search, and analytics. Covers OAuth auth patterns, rate limits, and platform-native content posting. Use when the user wants to interact with X programmatically.

1SKILL.mdUpdated Apr 24, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/lyxjack/toolbox.git

# Copy into Claude Code skills folder (global)
cp -r toolbox/Tool/everything-claude-code/docs/zh-CN/skills/springboot-verification ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

lyxjack/toolbox

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT