nubiv/springboot-verification
nix-darwin/config/claude/skills/springboot-verification/SKILL.md
Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.
development
Updated Apr 10, 2026
$ install --global
skillsauthnpx skillsauth add nubiv/my-nome springboot-verificationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 8:15 AM36.6s1 file scanned
SKILL.md
- name:
- springboot-verification
- description:
- Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.
- origin:
- ECC
Spring Boot Verification Loop
Run before PRs, after major changes, and pre-deploy.
When to Activate
- Before opening a pull request for a Spring Boot service
- After major refactoring or dependency upgrades
- Pre-deployment verification for staging or production
- Running full build → lint → test → security scan pipeline
- Validating test coverage meets thresholds
Phase 1: Build
mvn -T 4 clean verify -DskipTests
# or
./gradlew clean assemble -x test
If build fails, stop and fix.
Phase 2: Static Analysis
Maven (common plugins):
mvn -T 4 spotbugs:check pmd:check checkstyle:check
Gradle (if configured):
./gradlew checkstyleMain pmdMain spotbugsMain
Phase 3: Tests + Coverage
mvn -T 4 test
mvn jacoco:report # verify 80%+ coverage
# or
./gradlew test jacocoTestReport
Report:
- Total tests, passed/failed
- Coverage % (lines/branches)
Unit Tests
Test service logic in isolation with mocked dependencies:
@ExtendWith(MockitoExtension.class)
class UserServiceTest {
@Mock private UserRepository userRepository;
@InjectMocks private UserService userService;
@Test
void createUser_validInput_returnsUser() {
var dto = new CreateUserDto("Alice", "[email protected]");
var expected = new User(1L, "Alice", "[email protected]");
when(userRepository.save(any(User.class))).thenReturn(expected);
var result = userService.create(dto);
assertThat(result.name()).isEqualTo("Alice");
verify(userRepository).save(any(User.class));
}
@Test
void createUser_duplicateEmail_throwsException() {
var dto = new CreateUserDto("Alice", "[email protected]");
when(userRepository.existsByEmail(dto.email())).thenReturn(true);
assertThatThrownBy(() -> userService.create(dto))
.isInstanceOf(DuplicateEmailException.class);
}
}
Integration Tests with Testcontainers
Test against a real database instead of H2:
@SpringBootTest
@Testcontainers
class UserRepositoryIntegrationTest {
@Container
static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")
.withDatabaseName("testdb");
@DynamicPropertySource
static void configureProperties(DynamicPropertyRegistry registry) {
registry.add("spring.datasource.url", postgres::getJdbcUrl);
registry.add("spring.datasource.username", postgres::getUsername);
registry.add("spring.datasource.password", postgres::getPassword);
}
@Autowired private UserRepository userRepository;
@Test
void findByEmail_existingUser_returnsUser() {
userRepository.save(new User("Alice", "[email protected]"));
var found = userRepository.findByEmail("[email protected]");
assertThat(found).isPresent();
assertThat(found.get().getName()).isEqualTo("Alice");
}
}
API Tests with MockMvc
Test controller layer with full Spring context:
@WebMvcTest(UserController.class)
class UserControllerTest {
@Autowired private MockMvc mockMvc;
@MockBean private UserService userService;
@Test
void createUser_validInput_returns201() throws Exception {
var user = new UserDto(1L, "Alice", "[email protected]");
when(userService.create(any())).thenReturn(user);
mockMvc.perform(post("/api/users")
.contentType(MediaType.APPLICATION_JSON)
.content("""
{"name": "Alice", "email": "[email protected]"}
"""))
.andExpect(status().isCreated())
.andExpect(jsonPath("$.name").value("Alice"));
}
@Test
void createUser_invalidEmail_returns400() throws Exception {
mockMvc.perform(post("/api/users")
.contentType(MediaType.APPLICATION_JSON)
.content("""
{"name": "Alice", "email": "not-an-email"}
"""))
.andExpect(status().isBadRequest());
}
}
Phase 4: Security Scan
# Dependency CVEs
mvn org.owasp:dependency-check-maven:check
# or
./gradlew dependencyCheckAnalyze
# Secrets in source
grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"
grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"
# Secrets (git history)
git secrets --scan # if configured
Common Security Findings
# Check for System.out.println (use logger instead)
grep -rn "System\.out\.print" src/main/ --include="*.java"
# Check for raw exception messages in responses
grep -rn "e\.getMessage()" src/main/ --include="*.java"
# Check for wildcard CORS
grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"
Phase 5: Lint/Format (optional gate)
mvn spotless:apply # if using Spotless plugin
./gradlew spotlessApply
Phase 6: Diff Review
git diff --stat
git diff
Checklist:
- No debugging logs left (
System.out,log.debugwithout guards) - Meaningful errors and HTTP statuses
- Transactions and validation present where needed
- Config changes documented
Output Template
VERIFICATION REPORT
===================
Build: [PASS/FAIL]
Static: [PASS/FAIL] (spotbugs/pmd/checkstyle)
Tests: [PASS/FAIL] (X/Y passed, Z% coverage)
Security: [PASS/FAIL] (CVE findings: N)
Diff: [X files changed]
Overall: [READY / NOT READY]
Issues to Fix:
1. ...
2. ...
Continuous Mode
- Re-run phases on significant changes or every 30–60 minutes in long sessions
- Keep a short loop:
mvn -T 4 test+ spotbugs for quick feedback
Remember: Fast feedback beats late surprises. Keep the gate strict—treat warnings as defects in production systems.
Related Skills
nubiv/devlog
development
VerifiedTrustedCommunity
Manage devlogs (session journal entries) under the active repo's `.claude/devlogs/`. Subcommands - `write` creates a new date-stamped entry, `read` loads existing entries into context. Use when the user invokes `/devlog <subcommand>` or asks to write, save, recall, or load today's/recent devlogs.
SKILL.mdUpdated May 23, 2026
nubiv/wiki
development
VerifiedTrustedCommunity
Run MY_WIKI operations (ingest, query, research, lint). Use when the user wants to add sources to the wiki, ask questions against it, research new topics from the web, or audit its quality.
SKILL.mdUpdated Apr 27, 2026
nubiv/obsidian-markdown
testing
VerifiedTrustedCommunity
Create and edit Obsidian Flavored Markdown with wikilinks, embeds, callouts, properties, and other Obsidian-specific syntax. Use when working with .md files in Obsidian, or when the user mentions wikilinks, callouts, frontmatter, tags, embeds, or Obsidian notes.
SKILL.mdUpdated Apr 27, 2026
nubiv/obsidian-cli
tools
VerifiedTrustedCommunity
Interact with Obsidian vaults using the Obsidian CLI to read, create, search, and manage notes, tasks, properties, and more. Also supports plugin and theme development with commands to reload plugins, run JavaScript, capture errors, take screenshots, and inspect the DOM. Use when the user asks to interact with their Obsidian vault, manage notes, search vault content, perform vault operations from the command line, or develop and debug Obsidian plugins and themes.
SKILL.mdUpdated Apr 27, 2026