Sonar Findings Management
Overview
Use this skill when a user asks to inspect or manage SonarCloud findings, including:
- open issues
- issue comments, assignment, tags, and activity
- false positives
- won't-fix dispositions
- resolved issues
- security hotspots
- hotspot details and review activity
- measures and metric history
- Compute Engine task metadata and recent analysis history
- quality gate status and project gate association
- quality profile inspection and project association
- project settings
- project tags
- generic project-level Sonar API calls
- noisy Sonar findings from repo tooling
- Sonar triage across different repositories
The bundled helper is repository-agnostic:
- point --repo at any local checkout
- let it auto-read sonar.projectKey and sonar.host.url from sonar-project.properties when available
- let it auto-read sonar.organization when available
- or pass --project-key and --base-url explicitly
- authenticate via environment variable instead of putting a token on the command line
- use --auth-scheme auto by default to try Bearer first and fall back to Basic for older endpoints
Compatibility
Requires Python 3 and a Sonar token supplied through an environment variable such as SONAR_TOKEN.
Supports project-level SonarCloud and SonarQube API workflows, with a raw API fallback for anything not wrapped yet.
Invocation hints
Use repo when the target is a local checkout; it defaults to "." (the current directory).
Use optional project_key, organization, and token_env values when auto-detection is not enough.
Common commands include summary, list-issues, issue-changelog, list-hotspots, measures, quality-gate-status, settings-values, search-project-tags, and api-call.
Security model
Do not paste Sonar tokens into command arguments.
Preferred pattern:
$env:SONAR_TOKEN = Get-Secret SONAR_TOKEN_TYPEFEST -AsPlainText
If a repository uses a different environment variable name, either export that variable first or pass the variable name with --token-env.
Examples:
python "<path-to-skill>/scripts/manage_sonar_findings.py" summary --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" summary --repo "." --token-env SONAR_TOKEN_TYPEFEST
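As an added illustration of the auto-detection and token-handling rules above (example code, not the bundled manage_sonar_findings.py script): it parses a constructed sonar-project.properties body, resolves the token from a list of environment variable names without echoing it, and builds the Bearer and Basic headers that the auto scheme would try in order. The function names and sample values are assumptions.

```python
import base64
import os

# Constructed sample of a sonar-project.properties file; the helper would read
# the real file from the --repo checkout instead.
SAMPLE_PROPERTIES = """\
sonar.projectKey=MyOrg_MyProject
sonar.organization=myorg
sonar.host.url=https://sonarcloud.io
"""

# Keys the helper auto-reads from sonar-project.properties when present.
PROPERTY_KEYS = ("sonar.projectKey", "sonar.organization", "sonar.host.url")


def parse_sonar_properties(text):
    """Return the auto-detectable keys found in a sonar-project.properties body."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep and key.strip() in PROPERTY_KEYS:
            found[key.strip()] = value.strip()
    return found


def resolve_token(token_envs=("SONAR_TOKEN",), environ=None):
    """Return (env_name, token) from the first populated variable; the value is never echoed."""
    environ = os.environ if environ is None else environ
    for name in token_envs:
        value = environ.get(name, "").strip()
        if value:
            return name, value
    raise RuntimeError("no Sonar token in any of: " + ", ".join(token_envs))


def auth_header(token, scheme="bearer"):
    """Authorization header for one scheme; Sonar Basic auth is token as login, empty password."""
    if scheme == "bearer":
        return {"Authorization": "Bearer " + token}
    if scheme == "basic":
        raw = (token + ":").encode("ascii")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    raise ValueError("unsupported auth scheme: " + scheme)


def auth_header_sequence(token, auth_scheme="auto"):
    """Headers to try in order: 'auto' means Bearer first, Basic as the fallback."""
    schemes = ("bearer", "basic") if auth_scheme == "auto" else (auth_scheme,)
    return [auth_header(token, s) for s in schemes]
```

A caller would send the first header, and on a 401 from an older endpoint retry once with the second; the token itself should never reach a log line or chat output.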
Inputs
- repo: path inside the target repository (default ".")
- project_key: optional explicit Sonar project key
- organization: optional explicit Sonar organization key
- base_url: optional explicit Sonar base URL
- token_env: optional environment variable name containing the token; repeatable for fallbacks
- auth_scheme: optional auto, bearer, or basic
- json: optional machine-readable output flag
Quick start
1. Inspect the current Sonar state
python "<path-to-skill>/scripts/manage_sonar_findings.py" summary --repo "."
2. List open issues
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-issues --repo "." --issue-statuses OPEN,CONFIRMED,REOPENED
3. View issue activity, comment, assign, or retag
python "<path-to-skill>/scripts/manage_sonar_findings.py" issue-changelog --repo "." --issue AZ123
python "<path-to-skill>/scripts/manage_sonar_findings.py" comment-issue --repo "." --issue AZ123 --text "Reviewed during release hardening."
python "<path-to-skill>/scripts/manage_sonar_findings.py" assign-issue --repo "." --issue AZ123 --assignee "Nick2bad4u@github"
python "<path-to-skill>/scripts/manage_sonar_findings.py" set-issue-tags --repo "." --issue AZ123 --tag security --tag workflow
4. List hotspots awaiting review
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-hotspots --repo "." --hotspot-status TO_REVIEW --include-details
5. Show one hotspot with its detail/activity fields
python "<path-to-skill>/scripts/manage_sonar_findings.py" show-hotspot --repo "." --hotspot AZ999
6. Resolve one or more issues
python "<path-to-skill>/scripts/manage_sonar_findings.py" transition-issue --repo "." --issue AZ123 --transition resolve --comment "Fixed in code."
7. Mark an issue as false positive or won't fix
python "<path-to-skill>/scripts/manage_sonar_findings.py" transition-issue --repo "." --issue AZ123 --transition falsepositive --comment "Repo-local tooling pattern; not a real defect here."
python "<path-to-skill>/scripts/manage_sonar_findings.py" transition-issue --repo "." --issue AZ123 --transition wontfix --comment "Accepted technical debt."
8. Review one or more security hotspots
python "<path-to-skill>/scripts/manage_sonar_findings.py" review-hotspot --repo "." --hotspot AZ999 --status REVIEWED --resolution SAFE --comment "Reviewed as safe in this context."
python "<path-to-skill>/scripts/manage_sonar_findings.py" review-hotspot --repo "." --hotspot AZ999 --status REVIEWED --resolution FIXED --comment "Fixed in code."
9. View measures and metric history
python "<path-to-skill>/scripts/manage_sonar_findings.py" measures --repo "." --metric alert_status --metric coverage
python "<path-to-skill>/scripts/manage_sonar_findings.py" measures-history --repo "." --metric coverage --from-date 2026-03-01
10. Inspect or adjust quality gates and quality profiles
python "<path-to-skill>/scripts/manage_sonar_findings.py" quality-gate-status --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-quality-gates --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" get-quality-gate --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" set-quality-gate --repo "." --gate-name "Sonar way" --dry-run
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-quality-profiles --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" quality-profile-changelog --repo "." --quality-profile <profile-key>
python "<path-to-skill>/scripts/manage_sonar_findings.py" set-quality-profile --repo "." --quality-profile <profile-key> --dry-run
10.5 Investigate the common TypeScript tsconfig warning
python "<path-to-skill>/scripts/manage_sonar_findings.py" ce-component --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" project-analyses --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" tsconfig-warning-check --repo "." --json
Use this when you need to answer questions like:
- what was the latest analysis task id?
- did Sonar report analysis warnings on the latest task?
- is Sonar still likely discovering a docs-workspace tsconfig?
- should sonar.typescript.tsconfigPaths be narrowed to root configs only?
11. Inspect or adjust project settings and tags
python "<path-to-skill>/scripts/manage_sonar_findings.py" settings-values --repo "." --key sonar.typescript.tsconfigPaths
python "<path-to-skill>/scripts/manage_sonar_findings.py" settings-definitions --repo "." --key sonar.typescript.tsconfigPaths
python "<path-to-skill>/scripts/manage_sonar_findings.py" settings-set --repo "." --key sonar.typescript.tsconfigPaths --value tsconfig.json --dry-run
python "<path-to-skill>/scripts/manage_sonar_findings.py" settings-reset --repo "." --key sonar.typescript.tsconfigPaths --dry-run
python "<path-to-skill>/scripts/manage_sonar_findings.py" search-project-tags --repo "."
python "<path-to-skill>/scripts/manage_sonar_findings.py" set-project-tags --repo "." --tag quality --tag typescript --dry-run
12. Dry-run a mutation before applying it
python "<path-to-skill>/scripts/manage_sonar_findings.py" transition-issue --repo "." --issue AZ123 --transition resolve --comment "Fixed in code." --dry-run
13. Use the raw API fallback for anything not wrapped yet
python "<path-to-skill>/scripts/manage_sonar_findings.py" api-call --repo "." --endpoint /api/issues/search --query-param componentKeys=MyOrg_MyProject --query-param ps=1
python "<path-to-skill>/scripts/manage_sonar_findings.py" api-call --base-url https://api.sonarcloud.io --endpoint /quality-gates --method GET
Workflow
- Resolve authentication securely.
  - Prefer an environment variable like SONAR_TOKEN.
  - If needed, load it from a secret manager into an environment variable first.
  - Never print the token in logs or chat output.
- Resolve the target project.
  - Prefer --repo and auto-detection from sonar-project.properties.
  - Fall back to explicit --project-key when the repo does not define one.
- Inspect current findings.
  - Run summary first.
  - Use list-issues, issue-changelog, list-hotspots, and show-hotspot when you need fuller detail.
  - Use ce-component, project-analyses, and tsconfig-warning-check when the problem smells like stale analysis metadata or TypeScript program discovery.
- Classify findings.
  - Fix real defects in code or workflow/config when appropriate.
  - Use falsepositive or wontfix only when you have clear justification.
  - Review hotspots as SAFE or FIXED only after checking the actual context.
  - Inspect measures, quality gate status, settings, tags, and profile/gate associations when the user is asking about project configuration or analysis behavior.
- Apply mutations carefully.
  - Prefer --dry-run first for bulk or risky changes.
  - Add a short, actionable comment describing why the transition is valid.
  - Remember that quality gate/profile changes, settings changes, and tag changes generally require stronger project permissions than read-only inspection.
  - If needed, make changes to sonar-project.properties or source code to fix root causes, exclude false positives, or adjust the analysis surface.
- Verify the post-change state.
  - Re-run summary or the relevant list/detail command.
  - If you changed sonar-project.properties or source code, wait for or trigger a fresh Sonar analysis so stale findings can disappear naturally.
Bundled resources
scripts/manage_sonar_findings.py
Repository-agnostic helper for Sonar issue and hotspot triage.
Supported commands:
summary, list-issues, issue-changelog, comment-issue, assign-issue, set-issue-tags, list-hotspots, show-hotspot, transition-issue, review-hotspot, measures, measures-history, project-info, ce-component, ce-task, project-analyses, tsconfig-warning-check, quality-gate-status, list-quality-gates, get-quality-gate, set-quality-gate, unset-quality-gate, list-quality-profiles, quality-profile-changelog, set-quality-profile, unset-quality-profile, settings-values, settings-definitions, settings-set, settings-reset, search-project-tags, set-project-tags, api-call
Examples:
python "<path-to-skill>/scripts/manage_sonar_findings.py" summary --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-issues --repo "." --page-size 100
python "<path-to-skill>/scripts/manage_sonar_findings.py" issue-changelog --repo "." --issue AZ123 --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-hotspots --repo "." --include-details --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" transition-issue --repo "." --issue AZ123 --issue AZ124 --transition resolve --comment "Fixed in code."
python "<path-to-skill>/scripts/manage_sonar_findings.py" review-hotspot --repo "." --hotspot AZ999 --status REVIEWED --resolution SAFE --comment "Reviewed as safe for repo-local tooling."
python "<path-to-skill>/scripts/manage_sonar_findings.py" measures --repo "." --metric alert_status --metric coverage --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" ce-component --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" project-analyses --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" tsconfig-warning-check --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" quality-gate-status --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" list-quality-profiles --repo "." --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" settings-values --repo "." --key sonar.typescript.tsconfigPaths --json
python "<path-to-skill>/scripts/manage_sonar_findings.py" api-call --repo "." --endpoint /api/issues/search --query-param componentKeys=MyOrg_MyProject --query-param ps=1 --json