Fetch and triage SonarQube issues and measures for conservative remediation work by delegating Sonar data gathering to subagents. Use when you need SonarQube Server data such as bugs, code smells, duplicated lines, or quality gate status.
Use this skill when SonarQube should be the source of findings for conservative code cleanup.
This skill is orchestration-first: keep the main agent focused on the user's repo context, implementation history, and final decision-making. Offload Sonar fetches, broad issue listing, and heavy triage passes to subagents so the main context stays intact.
Capture the Sonar scope up front.
Gather the project key, the optional branch or pull request, any explicit issue keys, and the local verification commands you expect to run later.
Spawn subagents for Sonar data collection instead of doing that work in the main thread.
Prefer narrow execution-oriented subagents such as a task agent when available. Launch independent subagents in parallel when possible:
- `sonar_fetch_summary.py`
- `sonar_fetch_issues.py`

Give each subagent a narrow contract.
Every Sonar subagent prompt should include:
Reconcile the results in the main agent.
Treat SonarQube as the source of findings. Deduplicate, rank, and narrow the candidate fixes in the main context before any code changes begin.
Only then choose the remediation path.
See subagent-workflow.md for concrete prompt templates.
.env files, and machine-local MCP config out of commits.

| Need | Recommended subagent role | Return to main agent with |
|---|---|---|
| Quality gate and summary metrics | Execution/task subagent | Compact JSON plus notable risk flags |
| Narrow issue list for a project, branch, or issue key set | Execution/task subagent | Filtered findings with rule, severity, location, and issue key |
| Duplication overview and per-file block details | Execution/task subagent | Overview JSON with removal target, per-file duplication blocks, and peer components |
| Map Sonar paths or rules to local code patterns | Explore subagent | Relevant files, abstractions, and risk notes |
| Architectural recommendation for duplication consolidation | Oracle subagent | Primary recommendation, effort estimate, trade-off analysis, risk flags |
| Implement a nontrivial conservative fix | Code-changing subagent | Patch summary, verification steps, and residual risks |
Launch these in parallel when their inputs do not depend on each other.
Python launcher: `python3` (Linux and macOS) or `py -3` (Windows); use `python` only if `py` is unavailable.

Required environment variables: `SONARQUBE_URL` and `SONARQUBE_TOKEN`.

Use these as the exact helper commands passed to the Sonar data-collection subagents.
Project summary:

```bash
python3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_summary.py --project-key <project-key>
```

```powershell
py -3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_summary.py --project-key <project-key>
```

Open issues:

```bash
python3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_issues.py --project-key <project-key> --types BUG,CODE_SMELL --statuses OPEN,CONFIRMED --max-pages 2
```

```powershell
py -3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_issues.py --project-key <project-key> --types BUG,CODE_SMELL --statuses OPEN,CONFIRMED --max-pages 2
```

Duplication details:

```bash
python3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_duplications.py --project-key <project-key> --max-files 10 --buffer-percent 20
```

```powershell
py -3 .config/shared/skills/sonarqube-remediation/scripts/sonar_fetch_duplications.py --project-key <project-key> --max-files 10 --buffer-percent 20
```

If the helper output disagrees with the UI or a manual request, compare against this raw API form (the token is sent as the basic-auth username with an empty password, which is how SonarQube tokens authenticate):

```bash
curl -s -u "$SONARQUBE_TOKEN:" "$SONARQUBE_URL/api/issues/search?componentKeys=<project-key>&types=BUG,CODE_SMELL&statuses=OPEN,CONFIRMED&ps=100"
```

This returns only the first page of 100; add `&p=2` to compare against the helper's second page (`--max-pages 2`). The shell expands `$SONARQUBE_TOKEN` before curl starts, so the token value is visible in the process list to other users of a shared host; keep the variable reference rather than pasting the token literally, and do not copy the expanded command into logs, issues, or commits.
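The "reconcile the results in the main agent" step above (deduplicate, rank, narrow) and the paged `api/issues/search` form are easiest to reason about with a worked example. The block below is an added example written for this page, not one of the skill's helper scripts and not project code. The HTTP call is injected as a function so the block runs offline against constructed sample pages; the response shape (`paging`, `issues`, `<project-key>:<path>` component keys) follows the public SonarQube Web API, while the issue keys, paths, messages and the project key `demo-project` are made up.

```python
"""Walk api/issues/search pages, then deduplicate and rank the findings.

Added example for the skill's "reconcile in the main agent" step; it is not one
of the skill's helper scripts. The HTTP call is injected as a function so this
runs offline against the constructed sample pages below. The response shape
follows the public SonarQube Web API; issue keys, paths and messages are made up.
"""
from collections import Counter

SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}
RESULT_CAP = 10_000          # api/issues/search rejects requests where p * ps > 10000
ACTIONABLE = {"OPEN", "CONFIRMED"}


def fetch_all_issues(fetch_page, page_size=100, max_pages=2):
    """Return raw issues from pages 1..max_pages (the helper's --max-pages).

    fetch_page(p, ps) must return the decoded JSON body of one response. Stops
    early when the server's reported total is exhausted or when the next page
    would exceed the documented 10k result cap.
    """
    issues = []
    for page in range(1, max_pages + 1):
        if page * page_size > RESULT_CAP:
            break
        body = fetch_page(page, page_size)
        issues.extend(body.get("issues", []))
        total = body.get("paging", {}).get("total", 0)
        if page * page_size >= total:
            break
    return issues


def triage(raw_issues):
    """Deduplicate by issue key (an issue can repeat across pages when the
    result set shifts between requests), drop non-actionable statuses, and
    rank by severity, then file, then line."""
    by_key = {}
    for issue in raw_issues:
        if issue.get("status") not in ACTIONABLE:
            continue
        by_key.setdefault(issue["key"], issue)      # first occurrence wins
    ranked = sorted(
        by_key.values(),
        key=lambda i: (SEVERITY_RANK.get(i.get("severity"), 99),
                       i["component"], i.get("line") or 0),
    )
    return [
        {
            "key": i["key"], "rule": i["rule"], "severity": i["severity"],
            "type": i["type"],
            # component keys are "<project-key>:<path>"; keep only the path
            "file": i["component"].split(":", 1)[-1],
            "line": i.get("line"), "message": i["message"],
        }
        for i in ranked
    ]


def rules_by_count(findings):
    """Rule histogram, most frequent first, to spot bulk-fixable patterns."""
    return Counter(f["rule"] for f in findings).most_common()


def _issue(key, rule, severity, itype, status, path, line, message):
    return {"key": key, "rule": rule, "severity": severity, "type": itype,
            "status": status, "component": f"demo-project:{path}", "line": line,
            "message": message}


# Constructed sample data shaped like two ps=3 pages of api/issues/search.
# Issue ...0003 appears on both pages to simulate a shifted result set.
_SAMPLE_PAGES = {
    1: {"paging": {"pageIndex": 1, "pageSize": 3, "total": 5},
        "issues": [
            _issue("AX-sample-0001", "python:S1481", "MAJOR", "CODE_SMELL", "OPEN",
                   "src/app/views.py", 42, "Remove the unused local variable."),
            _issue("AX-sample-0002", "python:S2259", "BLOCKER", "BUG", "CONFIRMED",
                   "src/app/models.py", 17, "Value may be None here."),
            _issue("AX-sample-0003", "python:S1481", "MINOR", "CODE_SMELL", "RESOLVED",
                   "src/app/utils.py", 8, "Remove the unused local variable."),
        ]},
    2: {"paging": {"pageIndex": 2, "pageSize": 3, "total": 5},
        "issues": [
            _issue("AX-sample-0003", "python:S1481", "MINOR", "CODE_SMELL", "RESOLVED",
                   "src/app/utils.py", 8, "Remove the unused local variable."),
            _issue("AX-sample-0004", "python:S112", "CRITICAL", "BUG", "OPEN",
                   "src/app/views.py", 90, "Replace the generic exception."),
            _issue("AX-sample-0005", "python:S1481", "INFO", "CODE_SMELL", "OPEN",
                   "src/app/utils.py", 3, "Remove the unused local variable."),
        ]},
}


def sample_fetch_page(page, page_size):
    """Stand-in for the curl/HTTP call; page_size is fixed by the sample data."""
    return _SAMPLE_PAGES[page]


if __name__ == "__main__":
    findings = triage(fetch_all_issues(sample_fetch_page, page_size=3))
    for f in findings:
        print(f"{f['severity']:<8} {f['rule']:<14} {f['file']}:{f['line']}  {f['message']}")
    print(rules_by_count(findings))
```

Replace `sample_fetch_page` with a function that performs the authenticated request to `$SONARQUBE_URL/api/issues/search` with `p` and `ps` as query parameters, and keep the compact list that `triage()` returns as the subagent's return contract; the main agent then narrows it further before any code changes.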
Use this workflow when the goal is to reduce duplicated lines in a project.
Gather duplication data.
Spawn an execution-oriented subagent to run sonar_fetch_duplications.py. The script returns:
Check the removal target.
The script calculates an effective_lines_to_remove that includes a configurable buffer (default 20%).
The buffer accounts for refactoring that may introduce some new duplication while removing more (e.g., extracting a shared utility might itself appear as a small duplication block).
For each file, check the local codebase.
Spawn an explore subagent to:
Get an architectural recommendation from the oracle.
When no existing shared solution is found, spawn an oracle subagent with the duplication context (file pairs, line ranges, code snippets, module boundaries). The oracle will:
The oracle is read-only and zero-shot — give it complete context in a single prompt. Its recommendation is advisory; the user makes the final decision.
Present the plan to the user.
For each duplication group, present:
The agent must not choose a consolidation approach without user approval.
Implement file by file, starting with the file that has the most duplicated lines. After each file:
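The duplication workflow above ranks files by duplicated lines and works through them in that order. The block below is an added example written for this page, not the skill's `sonar_fetch_duplications.py` and not project code. The response shape it parses (`duplications` holding `blocks` with `from`, `size` and `_ref`, plus a `files` map keyed by `_ref`) follows the public SonarQube `api/duplications/show` endpoint, but the file keys, line ranges and project name are constructed. The page does not show how the helper applies `--buffer-percent`; `effective_removal_target()` is this example's assumption (scale the raw target up by the buffer percentage), not the script's documented formula.

```python
"""Order files for the duplication workflow from api/duplications/show data.

Added example, not the skill's sonar_fetch_duplications.py. The response shape
follows the public SonarQube Web API; the file keys and line ranges below are
constructed. effective_removal_target() is an assumption about how a buffer
could be applied; this page does not show the helper's own formula.
"""
import math


def duplicated_lines(show_response, own_key):
    """Return (set of duplicated line numbers in own_key, set of peer file keys).

    Lines go into a set so a line that sits in two overlapping duplication
    groups is counted once, which is how the duplicated_lines measure behaves.
    """
    files = show_response["files"]
    lines, peers = set(), set()
    for group in show_response["duplications"]:
        keys = [files[b["_ref"]]["key"] for b in group["blocks"]]
        if own_key not in keys:
            continue                # defensive: group does not involve this file
        for block, key in zip(group["blocks"], keys):
            if key == own_key:
                lines.update(range(block["from"], block["from"] + block["size"]))
            else:
                peers.add(key)
    return lines, peers


def plan_order(show_by_key):
    """Rank files by duplicated lines, most first (the order the workflow
    implements them in), with the peer files that share each block."""
    rows = []
    for key, resp in show_by_key.items():
        lines, peers = duplicated_lines(resp, key)
        rows.append({"key": key, "duplicated_lines": len(lines), "peers": sorted(peers)})
    return sorted(rows, key=lambda r: (-r["duplicated_lines"], r["key"]))


def effective_removal_target(lines_to_remove, buffer_percent=20):
    """Assumed buffer rule: plan to remove buffer_percent more than the raw
    target, so a small new duplication introduced by extracting a shared
    helper does not leave the project short of the goal. Integer arithmetic
    keeps the ceiling exact."""
    return math.ceil(lines_to_remove * (100 + buffer_percent) / 100)


INVOICE = "demo-project:src/billing/invoice.py"
REFUND = "demo-project:src/billing/refund.py"
EXPORT = "demo-project:src/reports/export.py"


def _show(groups):
    """Build one api/duplications/show-shaped response from a list of groups,
    each a list of (file_key, from, size); _ref ids are assigned per response."""
    refs, dups = {}, []
    for group in groups:
        blocks = []
        for key, start, size in group:
            ref = refs.setdefault(key, str(len(refs) + 1))
            blocks.append({"from": start, "size": size, "_ref": ref})
        dups.append({"blocks": blocks})
    files = {ref: {"key": key, "name": key.rsplit("/", 1)[-1], "projectName": "demo-project"}
             for key, ref in refs.items()}
    return {"duplications": dups, "files": files}


# Constructed per-file responses. invoice.py lines 25-29 sit in both of its
# groups, so a naive sum of block sizes (30) would overcount; the set gives 25.
SAMPLE_SHOW = {
    INVOICE: _show([[(INVOICE, 10, 20), (REFUND, 5, 20)], [(INVOICE, 25, 10), (EXPORT, 1, 10)]]),
    REFUND: _show([[(REFUND, 5, 20), (INVOICE, 10, 20)]]),
    EXPORT: _show([[(EXPORT, 1, 10), (INVOICE, 25, 10)]]),
}


if __name__ == "__main__":
    for row in plan_order(SAMPLE_SHOW):
        print(f"{row['duplicated_lines']:>4}  {row['key']}  peers={row['peers']}")
    print("buffered target for 25 lines:", effective_removal_target(25))
```

Feed `plan_order()` one `api/duplications/show` response per file (the helper's `--max-files` bounds how many) and hand the main agent the ranked rows plus peer lists; the per-file line sets also tell you whether a consolidation actually removed the block or merely moved it.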
- SonarQube MCP server: useful for richer agent workflows, but optional here because MCP is global, not per skill.
- sonar CLI: useful if installed locally, but not the required contract for this skill.
- sonar-scanner: optional for CI-managed analysis, not required for this skill's local workflow.

| Task | Files |
|---|---|
| Validate auth or shell setup | references/auth-and-setup.md |
| Choose API filters or inspect helper output | references/api-usage.md |
| Decide whether a fix is safe to automate | references/remediation-policy.md |
| Set up optional MCP integration | references/mcp-optional-setup.md |
| Write subagent prompts or split work | references/subagent-workflow.md |
| File | Purpose |
|---|---|
| auth-and-setup.md | Environment variables, auth model, and safe local setup |
| api-usage.md | Helper commands, filters, polling, duplication endpoints, and output contract |
| remediation-policy.md | Conservative fix boundaries, duplication consolidation, and do-not-auto-fix guidance |
| mcp-optional-setup.md | Optional Sonar MCP setup notes |
| subagent-workflow.md | Prompt templates and role split for preserving main-agent context |