giuseppe-trisciuoglio/developer-kit

Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.

Quality

90%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Risky

Do not use without reviewing

This version of the tile failed moderation

Moderation pipeline encountered an internal error

SonarQube MCP — LLM Tool Selection Guide

Name: giuseppe-trisciuoglio/developer-kit
Rating: 90.85333333333334 (1 reviews)
Author: giuseppe-trisciuoglio

Optimized context for LLM agents to select the right MCP tool, map parameters, and interpret responses efficiently.

Tool Selection Decision Tree

User wants to...
├── check if code is ready to merge/deploy
│   └── get_project_quality_gate_status (projectKey + pullRequest)
│
├── find issues in a project or PR
│   └── search_sonar_issues_in_projects (projects + severities + pullRequestId)
│
├── analyze code before committing
│   └── analyze_code_snippet (projectKey + fileContent + language)
│
├── understand why a rule flagged code
│   └── show_rule (key: "<language>:<rule-id>")
│
├── get project health metrics (coverage, bugs, etc.)
│   └── get_component_measures (projectKey + metricKeys)
│
└── accept or dismiss a specific issue
    └── change_sonar_issue_status (key + status + comment)

Tool Quick Reference

get_project_quality_gate_status

Purpose: Verify if a project passes its defined quality gate.

Required: one of projectKey, projectId, or analysisId

Optional: pullRequest (string, PR number as string)

Note: No branch parameter exists on this tool. Without pullRequest or analysisId, the default branch status is returned.

Key output fields:

projectStatus.status — "OK" or "ERROR" (or "WARN" in older versions)
projectStatus.conditions[] — array of conditions, each with metricKey, status, actualValue, errorThreshold, comparator

When to use: Before merge decisions, deployment gates, release checks.

search_sonar_issues_in_projects

Purpose: Find and filter issues across projects.

All parameters optional — omit projects to search all accessible projects.

Key parameters:

projects — ["project-key-1", "project-key-2"]
severities — ["BLOCKER", "HIGH", "MEDIUM", "LOW", "INFO"]
pullRequestId — string (PR number), not integer
p — page number (start at 1)
ps — page size (default: 100, max: 500)

Key output fields per issue:

key — unique issue ID (used in change_sonar_issue_status)
rule — rule key (used in show_rule); note: field is named ruleKey in analyze_code_snippet responses
severity — legacy severity value
status — current issue status (display only; use change_sonar_issue_status to change it)
message — human-readable description
attribute — clean code attribute
category — SECURITY, RELIABILITY, MAINTAINABILITY
component — file path within the project
startLine, endLine — location in the file

Pagination: Check paging.total and paging.pageSize in response; iterate p while paging.pageIndex * paging.pageSize < paging.total.

When to use: Issue triage, PR review, sprint cleanup, security audits.

analyze_code_snippet

Purpose: Run SonarQube analysis on a raw code string without CI.

Required: projectKey, fileContent (full file content as string)

Optional: language (always specify for best accuracy), codeSnippet (narrow results to a sub-range of the file)

Language values: javascript, typescript, python, java, go, php, cs (C#), cpp, kotlin, ruby, scala, swift

Key output fields per issue:

ruleKey — use with show_rule for explanation (note: rule in search_sonar_issues_in_projects, ruleKey here)
severity — issue severity
cleanCodeAttribute — clean code attribute
impacts — object mapping quality dimension to severity level
startLine — line number in the file
quickFixes — boolean, whether a quick fix is available

Limitations:

Analyzes file content in isolation, without full project context
Some rules require cross-file analysis and will not fire
Results may differ slightly from full CI analysis

When to use: Shift-left review, pre-commit checks, code review assistance.

show_rule

Purpose: Retrieve full documentation for a SonarQube rule.

Required: key in format <language>:<rule-id>

Language prefixes: java, javascript, typescript, python, go, php, cs, cpp, kotlin, ruby

Examples: java:S2068, typescript:S1082, python:S5659, go:S4036

Key output fields:

name — human-readable rule name
type — BUG, VULNERABILITY, CODE_SMELL, SECURITY_HOTSPOT
severity — legacy severity
description — full explanation of the risk and rationale
tags — standards: cwe, owasp-a1, sans-top25, cert
remediationEffort — time estimate for fix (e.g., "30min")
codeExamples — array with noncompliant and compliant code examples

When to use: After finding an unfamiliar rule key, before dismissing an issue, for developer education.

get_component_measures

Purpose: Retrieve specific metrics for a project, directory, or file.

Required: projectKey (project key), metricKeys (array)

Optional: pullRequest (string, for PR-scoped metrics)

Note: No branch parameter exists on this tool.

Common metric key groups:

Overall health: bugs, vulnerabilities, code_smells, coverage, duplicated_lines_density, ncloc

Ratings: reliability_rating, security_rating, sqale_rating

New code only: new_bugs, new_vulnerabilities, new_coverage, new_duplicated_lines_density

Complexity: complexity, cognitive_complexity

When to use: Project health dashboards, sprint reviews, release readiness checks.

change_sonar_issue_status

Purpose: Update the status of a specific issue.

Required: key (issue key from search_sonar_issues_in_projects response field key), status

Valid status values: falsepositive, accept, reopen

Optional: comment (strongly recommended — always document the reason)

Requires: SonarQube user permissions to change issue status.

When to use: Issue triage sign-off, false positive management, technical debt acknowledgment.

Never call this tool without explicit user confirmation and a documented reason.

Common Agent Patterns

Pattern 1: Gate + Issues (PR review)

1. get_project_quality_gate_status (projectKey, pullRequest)
2. If status == "ERROR":
   a. search_sonar_issues_in_projects (projects, pullRequestId)
   b. Group by category, present to user
   c. For unfamiliar rules: show_rule (key)

Pattern 2: Shift-Left (pre-commit)

1. analyze_code_snippet (projectKey, fileContent, language)
2. For each finding:
   a. show_rule (ruleKey) if severity >= HIGH or rule is unfamiliar
3. Present findings, propose fixes
4. Wait for user to apply fixes before commit

Pattern 3: Project Triage

1. search_sonar_issues_in_projects (projects, severities: ["BLOCKER"])
2. For each BLOCKER: show_rule (rule) to get remediation
3. Repeat for HIGH, MEDIUM
4. get_component_measures (projectKey, metricKeys: [...ratings]) for overall health

Pattern 4: Release Gate Check

1. get_project_quality_gate_status (projectKey)
2. get_component_measures (projectKey, metricKeys: ["bugs", "vulnerabilities", "coverage"])
3. Report combined gate + metrics summary

Parameter Mapping Cheatsheet

User Says	Tool	Key Parameter
"project my-app"	any	`projectKey: "my-app"`
"PR #234"	quality gate / search	`pullRequest: "234"` / `pullRequestId: "234"`
"on main branch"	quality gate	no branch param; omit `pullRequest` to get default branch
"critical issues"	search	`severities: ["BLOCKER", "HIGH"]`
"rule java:S2068"	show_rule	`key: "java:S2068"`
"issue AY1234"	change_status	`key: "AY1234"`
"TypeScript code"	analyze_snippet	`language: "typescript"`
"mark as false positive"	change_status	`status: "falsepositive"`
"accept as debt"	change_status	`status: "accept"`

SonarQube Server vs SonarCloud Differences

Feature	SonarQube Server	SonarCloud
Project key format	Usually short slug	`<org>_<repo>` (e.g., `my-org_my-repo`)
PR analysis	Supported	Supported
Organization parameter	Not applicable	Required for some APIs
`analysisId`	Available	Available
Branch analysis	Supported	Supported