Sonarqube Analyzer

v0.1.2

Analyzes self-hosted SonarQube projects, retrieves filtered issues, checks the Quality Gate and suggests automated fixes, with an optional auto-fix mode.

by Felipe Oliveira (@felipeoff)
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The package implements a SonarQube API client, rule database, analyzer, and reporters that align with a SonarQube Analyzer skill. Required network access (SONAR_HOST_URL) and authentication (SONAR_TOKEN) are appropriate for the stated purpose. There is consistency between openclaw.plugin.json, package.json, and the source code regarding the tool names and capabilities.
Instruction Scope
SKILL.md instructs the agent to use SONAR_HOST_URL and SONAR_TOKEN and to run the included CLI. Most instructions are scoped to SonarQube. Notable issues: SKILL.md references scripts/report.js and scripts/quality-gate.js which are not present in the file manifest (the implementation exposes reporting and quality-gate behavior via src/reporter.js and scripts/analyze.js). The README suggests reloading OpenClaw with a pkill command (pkill -USR1 -f "openclaw gateway") — this is a system-level command that affects processes and should be run with care. A GitHub Actions example uses a --suggest-fixes flag not present in the CLI implementation. These are documentation mismatches rather than malicious behavior, but they could cause surprising outcomes if followed blindly.
Install Mechanism
There is no remote download/install specification in the registry; sources are bundled in the skill. The README suggests installing via npm (npm install -g @felipeoff/sonarqube-analyzer) or cloning the repo — both are standard. package.json declares no runtime dependencies and devDependencies are test/lint tools. No suspicious external URLs, shorteners, or archive extraction steps were observed in the package contents.
Credentials
The skill uses SONAR_HOST_URL and SONAR_TOKEN (documented in SKILL.md and present in the openclaw.plugin.json config). Those credentials are proportionate to SonarQube access. One inconsistency: the registry's top-level 'requirements' lists no required env vars, but the skill actually expects a Sonar host and token. The code defaults SONAR_TOKEN to 'admin' and omits the Authorization header entirely when the token equals that default 'admin' value; this is an odd default, and using a real token is recommended. Do not supply unrelated credentials; the skill does not request any other secrets.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated platform privileges. It does not modify other skills' configuration. The only potentially impactful instruction is the suggested pkill to reload OpenClaw, which affects a running process but is a user-level operation and not inherent to the skill's code.
Assessment
This skill appears to implement what it claims: a SonarQube analyzer that fetches issues and suggests fixes. Before installing or providing credentials, do the following:

  1) Verify the skill's source (the README points to a GitHub repo; confirm you trust that repository and author).
  2) Do not hand a high-privilege token to the skill without review; use a Sonar token with the least privilege needed and avoid using 'admin'.
  3) Be aware SKILL.md/README contain small inconsistencies (missing scripts referenced, a GitHub Actions flag not implemented, and a pkill command to reload OpenClaw). Prefer running it in an isolated/CI environment first to validate behavior.
  4) Inspect or run the included code locally (it uses only the SonarQube API) and confirm it points to the intended SONAR_HOST_URL.
  5) If you plan to let the agent invoke the skill autonomously, restrict the Sonar token's scope and monitor access logs.

If you want, I can highlight the exact lines where environment defaults and the pkill instruction appear, or check the remote GitHub repo referenced in the manifest for provenance.


1.4k downloads · 1 star · 3 versions · Updated 1 month ago · v0.1.2 · License: MIT-0

SonarQube Analyzer Skill

Analyzes projects on a self-hosted SonarQube instance, retrieves issues and suggests automated fixes.

Registered Tools

sonar_get_issues

Retrieves the list of issues for a project/PR in SonarQube.

Parameters:

  • projectKey (string, required): Project key
  • pullRequest (string, optional): PR number, to analyze a specific pull request
  • severities (string[], optional): Severities to filter by (BLOCKER, CRITICAL, MAJOR, MINOR, INFO)
  • status (string, optional): Issue status (OPEN, CONFIRMED, FALSE_POSITIVE, etc.)
  • limit (number, optional): Maximum number of issues (default: 100)

Example:

{
  "projectKey": "openclaw-panel",
  "pullRequest": "5",
  "severities": ["CRITICAL", "MAJOR"],
  "limit": 50
}

sonar_analyze_and_suggest

Analyzes issues and suggests fixes based on SonarQube rules.

Parameters:

  • projectKey (string, required): Project key
  • pullRequest (string, optional): PR number
  • autoFix (boolean, optional): Attempt to apply automatic fixes (default: false)

Example:

{
  "projectKey": "openclaw-panel",
  "pullRequest": "5",
  "autoFix": false
}

sonar_quality_gate

Checks the Quality Gate status of a project.

Parameters:

  • projectKey (string, required): Project key
  • pullRequest (string, optional): PR number

Example:

{
  "projectKey": "openclaw-panel",
  "pullRequest": "5"
}

Configuration

The skill reads the following settings from the environment:

SONAR_HOST_URL=http://127.0.0.1:9000  # SonarQube URL
SONAR_TOKEN=admin                      # Authentication token
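The security scan above notes that the skill falls back to the placeholder token 'admin' and then sends no Authorization header at all. As an added example (not the skill's own code), the loader below builds the same two settings from the environment but refuses the placeholder, refuses an empty token, and refuses to send the token over plaintext HTTP to anything but the loopback host the documentation uses. It assumes SonarQube's documented convention of sending a user token as the Basic-auth username with an empty password; the function names and the error class are ours.

```javascript
// Added example, not part of the sonarqube-analyzer skill.
// Builds { hostUrl, headers } from SONAR_HOST_URL / SONAR_TOKEN with the
// weak defaults rejected instead of silently dropping authentication.

const DEFAULT_HOST = "http://127.0.0.1:9000"; // default from the skill's docs
const PLACEHOLDER_TOKEN = "admin";            // the default the scan flagged

class ConfigError extends Error {
  constructor(message) {
    super(message);
    this.name = "ConfigError";
  }
}

// Returns the request configuration or throws ConfigError.
function buildSonarConfig(env) {
  const token = env.SONAR_TOKEN;
  if (typeof token !== "string" || token.trim() === "") {
    throw new ConfigError("SONAR_TOKEN is not set; refusing to make unauthenticated requests");
  }
  if (token === PLACEHOLDER_TOKEN) {
    throw new ConfigError("SONAR_TOKEN is the placeholder 'admin'; generate a least-privilege user token instead");
  }

  const hostUrl = (env.SONAR_HOST_URL || DEFAULT_HOST).replace(/\/+$/, "");
  let url;
  try {
    url = new URL(hostUrl);
  } catch {
    throw new ConfigError(`SONAR_HOST_URL is not a valid URL: ${hostUrl}`);
  }

  // The token travels in a request header, so plaintext HTTP is only tolerated
  // for the loopback instance the docs assume (design choice of this example).
  const loopback = url.hostname === "127.0.0.1" || url.hostname === "localhost";
  if (url.protocol === "http:" && !loopback) {
    throw new ConfigError(`refusing to send SONAR_TOKEN over plaintext http to ${url.hostname}; use https`);
  }

  // Assumed SonarQube convention: token as Basic-auth username, empty password.
  const basic = Buffer.from(`${token}:`).toString("base64");
  return {
    hostUrl,
    headers: { Authorization: `Basic ${basic}`, Accept: "application/json" },
  };
}

// Non-throwing wrapper for CLI/preflight output: { ok, reason? }.
function checkSonarEnv(env) {
  try {
    buildSonarConfig(env);
    return { ok: true };
  } catch (e) {
    if (e instanceof ConfigError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Stand-alone demo over constructed environments (no real tokens).
const DEMO_ENVS = [
  {},
  { SONAR_TOKEN: "admin" },
  { SONAR_HOST_URL: "http://127.0.0.1:9000/", SONAR_TOKEN: "squ_constructed_example" },
];
for (const env of DEMO_ENVS) {
  console.log(JSON.stringify(checkSonarEnv(env)));
}
```

Run it with `node` and the first two constructed environments are rejected with a reason while the third passes; a CLI can call checkSonarEnv before any network access and exit early with the reason rather than reaching SonarQube unauthenticated.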

Usage

Analyze a specific PR:

node scripts/analyze.js --project=my-project --pr=5

Generate an issues report:

node scripts/report.js --project=my-project --format=markdown

Check the Quality Gate:

node scripts/quality-gate.js --project=my-project --pr=5

Response Structure

sonar_get_issues

{
  "total": 12,
  "issues": [
    {
      "key": "...",
      "severity": "MAJOR",
      "component": "apps/web/src/ui/App.tsx",
      "line": 346,
      "message": "Extract this nested ternary...",
      "rule": "typescript:S3358",
      "status": "OPEN",
      "solution": "Extract nested ternary into a separate function..."
    }
  ],
  "summary": {
    "BLOCKER": 0,
    "CRITICAL": 0,
    "MAJOR": 2,
    "MINOR": 10,
    "INFO": 0
  }
}

sonar_analyze_and_suggest

{
  "projectKey": "openclaw-panel",
  "analysis": {
    "totalIssues": 12,
    "fixableAutomatically": 8,
    "requiresManualFix": 4
  },
  "suggestions": [
    {
      "file": "apps/web/src/ui/App.tsx",
      "line": 346,
      "issue": "Nested ternary operation",
      "suggestion": "Extract into independent component",
      "codeExample": "...",
      "autoFixable": false
    }
  ],
  "nextSteps": [
    "Run lint:fix for auto-fixable issues",
    "Refactor nested ternaries in App.tsx",
    "Replace || with ?? operators"
  ]
}

Available Automatic Fixes

| Rule  | Problem                  | Automatic Fix                      |
|-------|--------------------------|------------------------------------|
| S6606 | Use || instead of ??     | ✅ Replace with ??                 |
| S3358 | Nested ternary           | ❌ Requires manual refactoring     |
| S6749 | Redundant fragment       | ✅ Remove fragment                 |
| S6759 | Non-readonly props       | ✅ Add readonly                    |
| S3776 | Cognitive complexity     | ❌ Requires component extraction   |
| S6571 | any in union type        | ✅ Remove redundancy               |
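An added example (not the skill's own code) showing how the rule table above and the summary / analysis counters in the response structures fit together: it classifies issues by severity and by whether the table marks their rule as auto-fixable, and keeps anything not in the table on the manual side. The issue objects are constructed in the shape of the sonar_get_issues response; the function names, the "unknown rule is manual" fallback and the rejection of unknown severities are our assumptions.

```javascript
// Added example, not part of the sonarqube-analyzer skill.
// Classifies SonarQube issues using the skill's auto-fix rule table and
// produces the "summary" and "analysis" counters shown in the docs.

const SEVERITIES = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"];

// Rule id (without the "typescript:" prefix) -> entry from the table above.
const AUTO_FIX_RULES = {
  S6606: { autoFixable: true,  action: "Replace || with ??" },
  S3358: { autoFixable: false, action: "Requires manual refactoring" },
  S6749: { autoFixable: true,  action: "Remove redundant fragment" },
  S6759: { autoFixable: true,  action: "Add readonly to props" },
  S3776: { autoFixable: false, action: "Requires component extraction" },
  S6571: { autoFixable: true,  action: "Remove redundant any from union" },
};

// "typescript:S3358" -> "S3358". Rules without a prefix pass through unchanged.
function ruleId(rule) {
  return String(rule).split(":").pop();
}

// One suggestion record per issue; unknown rules are never auto-fixed.
function classifyIssue(issue) {
  const entry = AUTO_FIX_RULES[ruleId(issue.rule)];
  return {
    file: issue.component,
    line: issue.line,
    rule: issue.rule,
    suggestion: entry ? entry.action : "No automatic suggestion; review manually",
    autoFixable: entry ? entry.autoFixable : false,
  };
}

// Builds the per-severity summary and the fixable/manual split.
function summarizeIssues(issues) {
  const summary = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const issue of issues) {
    if (!SEVERITIES.includes(issue.severity)) {
      throw new Error(`unknown severity: ${issue.severity}`);
    }
    summary[issue.severity] += 1;
  }
  const suggestions = issues.map(classifyIssue);
  const fixable = suggestions.filter((s) => s.autoFixable).length;
  return {
    summary,
    analysis: {
      totalIssues: issues.length,
      fixableAutomatically: fixable,
      requiresManualFix: issues.length - fixable,
    },
    suggestions,
  };
}

// Constructed sample issues in the shape of the sonar_get_issues response.
// The last one uses a made-up rule id to exercise the "not in table" path.
const SAMPLE_ISSUES = [
  { key: "c1", severity: "MAJOR",    component: "apps/web/src/ui/App.tsx",  line: 346, rule: "typescript:S3358", status: "OPEN" },
  { key: "c2", severity: "MINOR",    component: "apps/web/src/ui/App.tsx",  line: 12,  rule: "typescript:S6606", status: "OPEN" },
  { key: "c3", severity: "MINOR",    component: "apps/web/src/ui/List.tsx", line: 40,  rule: "typescript:S6749", status: "OPEN" },
  { key: "c4", severity: "CRITICAL", component: "apps/web/src/ui/Form.tsx", line: 88,  rule: "typescript:S3776", status: "OPEN" },
  { key: "c5", severity: "INFO",     component: "apps/web/src/util.ts",     line: 3,   rule: "custom:unknown-rule", status: "OPEN" },
];

console.log(JSON.stringify(summarizeIssues(SAMPLE_ISSUES), null, 2));
```

For the constructed sample this yields two automatically fixable issues (S6606, S6749) and three requiring manual work, with the severity summary MAJOR 1, MINOR 2, CRITICAL 1, INFO 1, BLOCKER 0. Keeping the auto-fixable set as an explicit allow-list means a new or unrecognized rule can never be rewritten by an autoFix run by accident.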

Requirements

  • Node.js 18+
  • Access to SonarQube (localhost:9000)
  • Authentication token configured

Workflow Integration

Example usage in GitHub Actions:

- name: Analyze with SonarQube Skill
  run: |
    npm install -g @felipeoff/sonarqube-analyzer
    sonarqube-analyzer \
      --project=my-project \
      --pr=${{ github.event.pull_request.number }} \
      --suggest-fixes
