Systematically analyze and fix SonarQube code quality issues. Categorizes issues by type (Python constructors, duplicated strings, shell script best practices), performs pre-flight safety checks, asks clarifying questions about TODOs and commit strategy, fixes issues methodically with edit safety validation, shows change verification before committing, and provides error recovery options. Use when working with SonarQube reports, code quality issues, static analysis results, or when you have SonarQube JSON output to process.
Automate fixing SonarQube code quality issues with comprehensive safety checks and error recovery.
Accept SonarQube issue data in one of two formats:
Option 1: JSON File Path
Option 2: Pasted JSON
JSON Structure Validation:
{
  "total": number,
  "issues": [
    {
      "key": "issue-id",
      "rule": "rule-id",
      "severity": "MINOR|MAJOR|CRITICAL|INFO",
      "component": "file-path",
      "line": number,
      "message": "description"
    }
  ],
  "components": [...]
}
Validation Requirements:
- issues array exists
- components array exists
Handle Empty Issues:
If the issues array is empty or total is 0:
Group issues by severity, language, and rule:
Display summary:
SonarQube Issues Summary
========================
Total Issues: 18
By Severity:
CRITICAL: 1
MAJOR: 7
MINOR: 6
INFO: 2
By Language:
Python: 8 issues (3 files)
Shell: 8 issues (2 files)
YAML: 2 issues (2 files)
By Rule:
S7498 (Python constructor calls): 6 issues
S1192 (Duplicated literals): 2 issues
S7677 (Shell stderr): 4 issues
S7688 (Shell [[ vs [): 4 issues
S1135 (TODO comments): 2 issues
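As an added example (not part of this skill's own code), the following Python reads the report in either input form, validates the structure above, handles the empty case, and produces the three groupings shown in the summary. The extension-to-language mapping and the shape of the returned summary are assumptions made here.

```python
import json
import os
from collections import Counter

LANG_BY_EXT = {".py": "Python", ".sh": "Shell", ".yml": "YAML", ".yaml": "YAML"}  # assumed mapping
REQUIRED = ("key", "rule", "severity", "component", "line", "message")

def load_report(source):
    """Option 1: a path to a JSON file; option 2: the pasted JSON text itself."""
    if os.path.isfile(source):
        with open(source, encoding="utf-8") as fh:
            return json.load(fh)
    return json.loads(source)

def validate_report(report):
    """Raise ValueError unless the report matches the structure shown above."""
    for field in ("issues", "components"):
        if not isinstance(report.get(field), list):
            raise ValueError(f"'{field}' array missing or not a list")
    for n, issue in enumerate(report["issues"]):
        if missing := [k for k in REQUIRED if k not in issue]:
            raise ValueError(f"issue #{n} is missing fields: {missing}")

def language_of(component):
    """Derive the language from the component's file extension."""
    return LANG_BY_EXT.get(os.path.splitext(component)[1], "Other")

def summarize(report):
    """Group issues by severity, language and rule; None means nothing to fix."""
    validate_report(report)
    issues = report["issues"]
    if not issues or report.get("total", len(issues)) == 0:
        return None
    langs = [language_of(i["component"]) for i in issues]
    files = {lang: {i["component"] for i in issues if language_of(i["component"]) == lang} for lang in set(langs)}
    return {
        "total": len(issues),
        "by_severity": dict(Counter(i["severity"] for i in issues)),
        "by_rule": dict(Counter(i["rule"].split(":")[-1] for i in issues)),  # "python:S7498" -> "S7498"
        "by_language": {lang: (n, len(files[lang])) for lang, n in Counter(langs).items()},
    }

def render(summary):
    """Lay the summary out the way the text above shows it."""
    out = ["SonarQube Issues Summary", "=" * 24, f"Total Issues: {summary['total']}", "By Severity:"]
    out += [f"  {sev}: {n}" for sev, n in summary["by_severity"].items()]
    out += ["By Language:"] + [f"  {l}: {n} issues ({f} files)" for l, (n, f) in summary["by_language"].items()]
    out += ["By Rule:"] + [f"  {rule}: {n} issues" for rule, n in summary["by_rule"].items()]
    return "\n".join(out)
```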
CRITICAL: Perform ALL safety checks before proceeding with any fixes.
git rev-parse --is-inside-work-tree
git status --porcelain
Parse output:
⚠️ WARNING: You have uncommitted changes:
[show git status output]
This skill will make additional changes. Consider:
1. Commit or stash your current changes first
2. Continue anyway (changes will be mixed)
Continue? (yes/no)
For EACH file referenced in SonarQube issues:
Read File (REQUIRED):
Read tool with file_path
After checking all files:
ERROR: Cannot proceed - some files are missing or unreadable:
Missing files:
- path/to/file1.py
- path/to/file2.sh
Permission denied:
- path/to/file3.yml
These files were referenced in the SonarQube report but cannot be accessed.
Possible reasons:
- Files were deleted after scan
- Files were moved/renamed
- Insufficient permissions
Please update your codebase or re-run SonarQube scan.
For each file path:
- .. (parent directory escape)
If ANY file fails boundary check:
Pre-Flight Success: If all checks pass, display:
✓ Pre-flight checks passed
- Git repository: ✓
- All files accessible: ✓ (N files)
- File permissions: ✓
- Security boundaries: ✓
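An added Python sketch of the pre-flight checks above (example code, not the skill's own): the two git probes, the path boundary check that rejects absolute paths and `..` escapes, and the per-file accessibility classification. The demo_tree helper builds a constructed sample repository so the checks can be tried offline; the function names are this example's own.

```python
import os
import subprocess
import tempfile

def is_git_repo(repo_root):
    """`git rev-parse --is-inside-work-tree`; False if git is absent or this is not a repo."""
    try:
        res = subprocess.run(["git", "rev-parse", "--is-inside-work-tree"],
                             cwd=repo_root, capture_output=True, text=True)
    except OSError:
        return False
    return res.returncode == 0 and res.stdout.strip() == "true"

def uncommitted_changes(repo_root):
    """`git status --porcelain` lines; an empty list means the working tree is clean."""
    res = subprocess.run(["git", "status", "--porcelain"], cwd=repo_root,
                         capture_output=True, text=True)
    return [line for line in res.stdout.splitlines() if line.strip()]

def within_boundary(repo_root, component):
    """Reject absolute paths, any '..' segment, and paths resolving outside repo_root."""
    if os.path.isabs(component) or ".." in component.replace("\\", "/").split("/"):
        return False
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, component))  # realpath also follows symlinks
    return os.path.commonpath([root, target]) == root

def preflight_files(repo_root, components):
    """Classify each referenced file as ok / missing / denied / escaped, like the report above."""
    result = {"ok": [], "missing": [], "denied": [], "escaped": []}
    for comp in sorted(set(components)):
        path = os.path.join(repo_root, comp)
        if not within_boundary(repo_root, comp):
            result["escaped"].append(comp)
        elif not os.path.isfile(path):
            result["missing"].append(comp)
        elif not os.access(path, os.R_OK | os.W_OK):  # edits need write access too
            result["denied"].append(comp)
        else:
            result["ok"].append(comp)
    return result

def demo_tree():
    """Constructed sample repository with one readable file, for trying the checks offline."""
    root = tempfile.mkdtemp(prefix="sonar_demo_")
    os.makedirs(os.path.join(root, "ansible", "library"))
    with open(os.path.join(root, "ansible", "library", "prompt.py"), "w", encoding="utf-8") as fh:
        fh.write("CONFIG = {}\n")
    return root
```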
Display comprehensive summary BEFORE making any changes:
╔════════════════════════════════════════════════════════════╗
║ Fix Summary ║
╚════════════════════════════════════════════════════════════╝
Files to modify: 5
Total issues to fix: 16
Breakdown by file:
┌─────────────────────────────────────────────┬────────┐
│ File                                        │ Issues │
├─────────────────────────────────────────────┼────────┤
│ ansible/action_plugins/prompt.py            │      3 │
│ ansible/library/prompt.py                   │      3 │
│ ansible/callback_plugins/wizard_minimal.py  │      2 │
│ ansible/scripts/bootstrap_controller.sh     │      2 │
│ ansible/scripts/run_preflight.sh            │      6 │
└─────────────────────────────────────────────┴────────┘
Issue types:
• Python S7498 (dict() → literal): 6 fixes
• Python S1192 (extract constant): 1 fix
• Shell S7677 (stderr redirect): 4 fixes
• Shell S7688 ([ → [[): 4 fixes
• Shell S1192 (extract constant): 1 fix
Estimated changes: ~35 lines across 5 files
Proceed with fixes? (yes/no)
If user says no: EXIT
If user says yes: Continue to step 5
High File Count Warning: If modifying 10+ files, add additional warning:
⚠️ WARNING: This will modify 15 files. This is a large change set.
Consider reviewing issues in smaller batches.
Continue anyway? (yes/no)
CRITICAL: NEVER auto-remove or auto-fix TODO comments without explicit user approval.
For EACH file with TODO issues (S1135):
Display the TODO context:
TODO found in [file]:[line]
Context:
[show 3 lines before]
→ [show TODO line]
[show 3 lines after]
How should this TODO be handled?
1. Keep TODO (ignore this issue)
- Leaves code as-is
- Will not fix this issue
2. Remove TODO (implement or resolve it)
- I will help implement or clean up
- Fixes the SonarQube issue
3. Convert to GitHub issue
- Creates a GitHub issue with context
- Removes TODO from code with reference
- Fixes the SonarQube issue
Your choice (1/2/3):
Store decision for each TODO:
Skip List: If user chooses "Keep" for any TODO, maintain a skip list:
Skipped issues (user requested to keep):
- [file]:[line] - TODO about Azure SSO
- [file]:[line] - TODO about feature flag
Ask once for all fixes:
How should these fixes be committed?
1. Single commit (recommended)
- All fixes in one commit: "fix: address SonarQube issues"
- Faster, simpler
- Better for atomic changes
2. Multiple commits by language
- Separate commits: Python fixes, Shell fixes, etc.
- Better git history granularity
- More commits to track
Your choice (1/2):
Store decision for commit step.
CRITICAL: This step includes Guardrails #4 (Edit Safety) and #8 (Error Recovery)
Initialize tracking:
- Fixed files: [] (empty list)
- Failed files: [] (empty list)
- Syntax errors: [] (empty list)
Order of fixes:
For EACH file being edited:
Before Edit:
Verify File Read (REQUIRED):
Line Number Verification:
⚠️ WARNING: File may have changed since SonarQube scan
File: [path]
Line: [line number]
Expected (from SonarQube):
[expected content]
Actual (current file):
[actual content]
The file may have been modified after the scan.
Continue with this fix? (yes/no/show-diff)
During Edit:
3. Use Edit tool with exact old_string and new_string
4. Verify edit succeeded (no error from Edit tool)
After Edit:
5. Syntax Validation (CRITICAL):
For Python files:
python3 -m py_compile [file]
For Shell scripts:
bash -n [file]
If syntax validation fails:
If validation passes, add the file to the fixed list: {file: path, issues_fixed: count}
Error Recovery (Guardrail #8) - trigger on ANY of:
Immediate Actions:
STOP IMMEDIATELY - do not attempt to fix more files
Record the error details
Show current state:
╔════════════════════════════════════════════════════════════╗
║ ERROR OCCURRED ║
╚════════════════════════════════════════════════════════════╝
Error: [error message]
Progress before error:
✓ Successfully fixed: [count] files
- file1.py (3 issues)
- file2.sh (2 issues)
✗ Failed at: [current file]
Error: [specific error]
⧗ Not attempted: [count] files remaining
Repository Status:
- Modified files: [count]
- All changes are uncommitted
Offer Recovery Options:
How would you like to proceed?
1. Revert ALL changes (git reset --hard)
- Returns to clean state
- Loses all fixes made so far
- Safest option
2. Keep changes and fix manually
- Keeps successful fixes
- You manually fix the error
- Can commit partial progress
3. Show me the specific error details
- Display full error output
- Show file diff for failed file
- Then return to this menu
Your choice (1/2/3):
Execute User Choice:
Choice 1 - Revert:
git reset --hard HEAD
git clean -fd
Choice 2 - Keep:
Changes kept. To review:
git status
git diff
To commit partial progress:
git add [files]
git commit -m "fix: partial SonarQube fixes"
To revert later:
git reset --hard HEAD
Choice 3 - Show Details:
git diff [failed-file]
Never Continue After Error:
After ALL files processed successfully (no errors):
✓ All fixes completed successfully
Summary:
Files modified: [count]
Issues fixed: [count]
Syntax validation: ✓ All passed
Proceed to step 7 (Change Verification).
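Added example, not the skill's own code, covering the syntax validation in step 5 and the stop-at-first-failure rule of the error recovery protocol: Python files are compiled in memory (unlike `python3 -m py_compile`, this leaves no __pycache__ output behind to show up as untracked changes), shell scripts go through `bash -n`, and the loop fills the fixed/failed/syntax-error tracking lists and stops as soon as one file fails. `apply_fix` is a caller-supplied callable standing in for the Edit step, and demo_files writes constructed sample files.

```python
import os
import subprocess
import tempfile

def validate_syntax(path):
    """Python: compile in memory (no __pycache__ left behind, unlike `python3 -m py_compile`);
    shell: `bash -n`. Returns (ok, message)."""
    if path.endswith(".py"):
        try:
            with open(path, encoding="utf-8") as fh:
                compile(fh.read(), path, "exec")
            return True, "ok"
        except SyntaxError as exc:
            return False, f"{path}:{exc.lineno}: {exc.msg}"
    if path.endswith(".sh"):
        try:
            res = subprocess.run(["bash", "-n", path], capture_output=True, text=True)
        except OSError:
            return False, "bash not found; cannot validate shell syntax"
        return res.returncode == 0, res.stderr.strip() or "ok"
    return True, "no validator for this file type"

def process_files(paths, apply_fix):
    """Edit files in order; stop at the FIRST failure and leave the remaining files untouched."""
    state = {"fixed": [], "failed": [], "syntax_errors": [], "not_attempted": []}
    for idx, path in enumerate(paths):
        try:
            issues_fixed = apply_fix(path)  # the Edit step; returns the number of issues fixed
        except Exception as exc:  # edit tool error, file changed since scan, and so on
            state["failed"].append({"file": path, "error": str(exc)})
            state["not_attempted"] = list(paths[idx + 1:])
            return state
        ok, msg = validate_syntax(path)
        if not ok:
            state["failed"].append({"file": path, "error": msg})
            state["syntax_errors"].append(msg)
            state["not_attempted"] = list(paths[idx + 1:])
            return state
        state["fixed"].append({"file": path, "issues_fixed": issues_fixed})
    return state

def demo_files():
    """Constructed sample: one valid and one broken Python file, then a shell script."""
    root = tempfile.mkdtemp(prefix="sonar_fix_")
    files = {"good.py": "CONFIG = {}\n", "bad.py": "def broken(:\n    pass\n", "later.sh": "echo ok\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return [os.path.join(root, n) for n in ("good.py", "bad.py", "later.sh")]
```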
Display comprehensive diff summary before commit:
git diff --stat
Display:
╔════════════════════════════════════════════════════════════╗
║ Change Verification ║
╚════════════════════════════════════════════════════════════╝
Modified Files:
ansible/action_plugins/prompt.py | 6 +--
ansible/callback_plugins/wizard_minimal.py | 4 +-
ansible/library/prompt.py | 6 +--
ansible/scripts/bootstrap_controller.sh | 4 +-
ansible/scripts/run_preflight.sh | 12 ++--
5 files changed, 18 insertions(+), 14 deletions(-)
For each file:
git diff [file] --numstat
Display:
File: ansible/action_plugins/prompt.py
Lines changed: +3, -3
Issues fixed:
• S7498: Replaced dict() with {} (lines 20, 35, 42)
Scan diffs for risky patterns:
- except blocks
- if/elif conditions
- return statements
- auth, password, token, secret
If risky changes detected:
⚠️ ATTENTION: Some changes may need careful review:
ansible/callback_plugins/wizard_minimal.py:54
Changed error message handling
- Old: inline string 'ERROR: %s'
+ New: class constant ERROR_FORMAT
ansible/scripts/run_preflight.sh:68
Changed error output redirection
+ Added: >&2 (redirect to stderr)
These changes look safe but verify they don't affect:
- Error handling behavior
- Logging/monitoring integrations
- Downstream error consumers
Review changes above. Do you want to:
1. View full diff (git diff)
2. View specific file diff
3. Proceed to commit
4. Cancel (revert all changes)
Your choice (1/2/3/4):
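An added example of the risky-pattern scan, not code from the skill: a small unified-diff walker that flags only added or removed lines matching the four pattern groups listed above, with a constructed SAMPLE_DIFF that mirrors the prompt.py and run_preflight.sh changes described. The pattern regexes are this example's own and intentionally loose.

```python
import re

RISKY = {  # heuristic and deliberately broad: a false positive only costs a second look
    "exception handling": re.compile(r"^\s*except\b"), "control flow": re.compile(r"^\s*(if|elif)\b"),
    "return value": re.compile(r"^\s*return\b"), "credential-related name": re.compile(r"auth|password|token|secret", re.I),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SAMPLE_DIFF = """\
diff --git a/ansible/library/prompt.py b/ansible/library/prompt.py
--- a/ansible/library/prompt.py
+++ b/ansible/library/prompt.py
@@ -41,2 +41,2 @@
         msg = self._ask()
-        return dict(changed=False, msg=msg)
+        return {"changed": False, "msg": msg}
diff --git a/ansible/scripts/run_preflight.sh b/ansible/scripts/run_preflight.sh
--- a/ansible/scripts/run_preflight.sh
+++ b/ansible/scripts/run_preflight.sh
@@ -67,3 +67,3 @@
 check_token() {
-  if [ -z "$AUTH_TOKEN" ]; then
+  if [[ -z "$AUTH_TOKEN" ]]; then
     echo "AUTH_TOKEN is not set" >&2
"""  # constructed sample diff, matching the changes discussed in the text

def scan_diff(diff_text):
    """Flag added/removed lines that match a RISKY pattern; context lines are ignored."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif (m := HUNK.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
        elif in_hunk and raw[:1] in ("+", "-", " "):
            kinds = [k for k, pat in RISKY.items() if raw[0] != " " and pat.search(raw[1:])]
            if kinds:
                findings.append({"file": path, "line": new_line, "kinds": kinds, "change": raw})
            if raw[0] != "-":
                new_line += 1  # removed lines do not advance the new-file line counter
    return findings

def render_findings(findings):
    """The ATTENTION block shown above: file:line, why it was flagged, and the changed line."""
    if not findings:
        return "No risky patterns detected."
    out = ["⚠️ ATTENTION: Some changes may need careful review:"]
    out += [f"{f['file']}:{f['line']} ({', '.join(f['kinds'])})\n  {f['change']}" for f in findings]
    return "\n".join(out)
```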
Execute Choice:
Choice 1 - View full diff: git diff, display output, return to menu
Choice 2 - View specific file diff: git diff [file], return to menu
Choice 4 - Cancel: git reset --hard, display "Changes reverted", EXIT
Build conventional commit message: