askill
sonarqube

Access SonarQube or SonarCloud issues and quality gate data via API using tokens. Use when fetching PR/branch issue lists, leak-period problems, or quality gate status for a project.

0 stars
1.2k downloads
Updated 2/20/2026

SKILL.md

SonarQube Access

Token setup

  • Prefer SONAR_TOKEN in the environment.
  • Optional fallback: a local file like .env.sonarcloud containing SONAR_TOKEN=... (do not commit; add to .gitignore).
  • Optional host override: SONAR_HOST_URL (default https://sonarcloud.io).

Example env file:

SONAR_TOKEN=your_token_here

Load from file when needed:

SONAR_TOKEN=$(sed -n 's/^SONAR_TOKEN=//p' .env.sonarcloud)

Auth and base URL

  • SonarCloud recommends bearer auth; basic auth with an empty password also works.
  • Base URL defaults to SonarCloud: SONAR_HOST_URL=${SONAR_HOST_URL:-https://sonarcloud.io}.

Bearer auth:

curl -sSf -H "Authorization: Bearer $SONAR_TOKEN" \
  "$SONAR_HOST_URL/api/authentication/validate"

Basic auth:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/authentication/validate"
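One way to harden the token handling from the "Token setup" and "Auth and base URL" sections, as an added example that is not part of the original skill: it refuses a token file readable by group or others and hands the bearer header to curl on stdin via `--config -`, so the token does not appear in curl's argument list, which other local users can see through `ps`. The function names `load_sonar_token`, `sonar_curl_config` and `sonar_get` and the token character allowlist are assumptions.

```shell
# Added example; the helper names below are hypothetical, not part of the skill.

# Print the token: prefer $SONAR_TOKEN, else read FILE (default .env.sonarcloud).
load_sonar_token() {
  file=${1:-.env.sonarcloud}
  if [ -n "${SONAR_TOKEN:-}" ]; then
    tok=$SONAR_TOKEN
  else
    [ -f "$file" ] || { echo "SONAR_TOKEN unset and $file not found" >&2; return 1; }
    # Refuse a token file that group or others can read (POSIX find -perm).
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
      echo "$file is readable by group/others; chmod 600 it" >&2
      return 1
    fi
    # Last SONAR_TOKEN= line wins; drop CR (CRLF files) and quote characters.
    tok=$(sed -n 's/^SONAR_TOKEN=//p' "$file" | tail -n 1 | tr -d '\r"'"'")
  fi
  # Assumption: tokens use only [A-Za-z0-9_.-]. Rejecting anything else keeps
  # the curl config line well-formed.
  case $tok in
    '' | *[!A-Za-z0-9_.-]*) echo "SONAR_TOKEN empty or malformed" >&2; return 1 ;;
  esac
  printf '%s\n' "$tok"
}

# Emit a curl config line carrying the bearer header.
sonar_curl_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# sonar_get '/api/...?query': authenticated GET. printf is a builtin in
# bash and dash, so the token reaches curl on stdin and never sits in argv.
sonar_get() {
  host=${SONAR_HOST_URL:-https://sonarcloud.io}
  tok=$(load_sonar_token) || return 1
  sonar_curl_config "$tok" | curl -sSf --config - "$host$1"
}

# Usage: sonar_get /api/authentication/validate
```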

Common API calls

Issues for a PR (SonarCloud):

SONAR_HOST_URL=${SONAR_HOST_URL:-https://sonarcloud.io}
curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&pullRequest=<pr>&statuses=OPEN,CONFIRMED"

If the API returns 400, retry without statuses and ensure the organization parameter is set:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&pullRequest=<pr>"

Issues for a branch:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&branch=<branch>&statuses=OPEN,CONFIRMED"

Leak-period filter (may require a component key; remove if it 400s):

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&componentKeys=<componentKey>&sinceLeakPeriod=true"

Quality gate status:

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/qualitygates/project_status?organization=<org>&projectKey=<projectKey>&pullRequest=<pr>"

Issue details (SonarCloud may 404 on issues/show; use search by issue key):

curl -sSf -u "$SONAR_TOKEN:" \
  "$SONAR_HOST_URL/api/issues/search?organization=<org>&projectKeys=<projectKey>&issues=<issueKey>"

Mapping issues to files

  • component fields are typically org_projectKey:path/to/file.
  • Strip the project prefix to map to local paths, then jump to line.

Quick jq view:

jq -r '.issues[] | {key,rule,severity,type,component,line,message} | @json'

Troubleshooting

  • 401/403: token missing or insufficient permissions (needs Browse access to the project/org).
  • 400: remove optional query params or confirm organization and projectKeys values; sinceLeakPeriod can require componentKeys.
  • Empty results: ensure the PR/branch has a completed Sonar analysis run.

Install

Requires askill CLI v1.0+

AI Quality Score

84/100, analyzed 3/9/2026

Well-structured technical reference skill for accessing SonarQube/SonarCloud APIs. Covers token setup, authentication (bearer and basic), and provides concrete curl examples for common tasks (PR/branch issues, leak period, quality gates). Includes troubleshooting guidance and file mapping tips. The when-to-use description and tags improve discoverability. Could improve safety section with stronger token handling warnings. Overall highly actionable and reusable.

Metadata

License: unknown
Version: -
Updated: 2/20/2026
Publisher: hansjm10

Tags

api, security