Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.
Complete reference for Sonar severity levels, impact categories, and clean code attributes.
The traditional SonarQube severity model used five levels:
| Severity | Priority | Action Required |
|---|---|---|
| BLOCKER | Critical; must fix immediately | Block merge/deployment; fix before any release |
| CRITICAL | High; fix in current sprint | Address before merging to main |
| MAJOR | Medium; schedule for near term | Fix in next sprint or iteration |
| MINOR | Low; fix when convenient | Address in routine maintenance |
| INFO | Informational | Review and document if accepted |
Newer versions (SonarQube 10.x and later) use a Clean Code taxonomy. Instead of a single rule-level severity, each issue carries an impact on one or more software qualities (security, reliability, maintainability), and the severity expresses how strongly that quality is affected:
| Impact severity | Meaning |
|---|---|
| HIGH | Significant negative effect; must be addressed promptly |
| MEDIUM | Moderate effect; should be scheduled for resolution |
| LOW | Minor effect; can be deferred to routine maintenance |
| Software quality | Description | Affected by |
|---|---|---|
| SECURITY | Resistance to attack and data breaches | Vulnerabilities, hotspots |
| RELIABILITY | Code runs as expected without failures | Bugs, error handling |
| MAINTAINABILITY | Ease of change and understanding | Code smells, complexity |
Issues are also tagged with a clean code attribute explaining why the code is problematic:
| Attribute | Meaning |
|---|---|
| CONVENTIONAL | Does not follow established conventions |
| FORMATTED | Poor formatting affecting readability |
| IDENTIFIABLE | Poor naming or identification |
| CLEAR | Logic is hard to understand |
| LOGICAL | Contains logical errors |
| COMPLETE | Missing error handling or validation |
| EFFICIENT | Performance or resource inefficiency |
| FOCUSED | Does more than it should |
| MODULAR | Poor separation of concerns |
| TESTED | Lacks tests |
| LAWFUL | License or legal compliance issue |
| TRUSTWORTHY | Security or trust concern |
Use ONLY these values in the `severities` API parameter for `search_sonar_issues_in_projects`:
```json
{
  "severities": ["BLOCKER", "HIGH", "MEDIUM", "LOW", "INFO"]
}
```
Important: the legacy labels CRITICAL, MAJOR and MINOR may appear in display text and older Sonar documentation, but they are not valid filter values for the `severities` API parameter. Map CRITICAL to HIGH, MAJOR to MEDIUM and MINOR to LOW.
Use this matrix to decide how to handle each issue:
| Severity | Action |
|---|---|
| BLOCKER | Fix immediately — do not merge until resolved |
| CRITICAL / HIGH | Fix before merging to main branch |
| MAJOR / MEDIUM | Add to backlog with defined deadline |
| MINOR / LOW | Fix in routine cleanup or document as accepted debt |
| INFO | Review and close if informational only |
Use `change_sonar_issue_status` to change an issue's status. Its `key` parameter is the issue's `key` field from `search_sonar_issues_in_projects`. Valid `status` values:
| Status Value | When to Use |
|---|---|
| falsepositive | Issue flagged by Sonar is not actually a problem in this context |
| accept | Issue acknowledged but accepted as technical debt (replaces legacy WONT-FIX) |
| reopen | Reset issue to open state |
Always require explicit user confirmation before changing an issue's status, and record the reason in the `comment` field.
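As an added example (not code from the toolkit), the following Python builds the arguments for `change_sonar_issue_status` and enforces both rules above: no call without the user's explicit confirmation, and no call without a reason in `comment`. The parameter names and the three status values are the ones listed above; the alias table and the `ConfirmationRequired` exception are assumptions of this example. The confirmation check runs before the request is assembled, so an agent cannot quietly mark a security finding as a false positive and fill in the justification afterwards.

```python
"""Guard rail for change_sonar_issue_status calls.

Added example, not part of the toolkit: assembles the tool's arguments and
refuses unless the user has confirmed and the reason is recorded in `comment`.
Parameter names (key, status, comment) and the three status values follow the
reference above; the alias table and exception type are this example's own.
"""
from __future__ import annotations

VALID_STATUSES = ("falsepositive", "accept", "reopen")

# Spellings an operator (or a model) is likely to produce; "wontfix" is the
# legacy resolution that "accept" replaces, so it is translated, not rejected.
STATUS_ALIASES = {
    "false_positive": "falsepositive",
    "false-positive": "falsepositive",
    "wontfix": "accept",
    "wont_fix": "accept",
    "wont-fix": "accept",
    "accepted": "accept",
    "reopened": "reopen",
}


class ConfirmationRequired(Exception):
    """Raised when a status change is attempted without the user's explicit go-ahead."""


def normalize_status(status: str) -> str:
    """Map a free-form status label onto one of the three API values, or fail loudly."""
    key = status.strip().lower()
    key = STATUS_ALIASES.get(key, key)
    if key not in VALID_STATUSES:
        raise ValueError(f"unsupported status {status!r}; use one of {VALID_STATUSES}")
    return key


def build_status_change(issue_key: str, status: str, comment: str, *, user_confirmed: bool) -> dict:
    """Return the arguments for change_sonar_issue_status, or refuse.

    Order matters: validate the status first so a typo is reported before the
    user is asked to confirm anything, then require confirmation, then a reason.
    """
    api_status = normalize_status(status)
    if not user_confirmed:
        raise ConfirmationRequired(
            f"ask the user to confirm marking {issue_key} as {api_status} before calling the tool"
        )
    reason = " ".join(comment.split())  # collapse whitespace; empty means no reason was given
    if not reason:
        raise ValueError("comment must record why the status is being changed")
    return {"key": issue_key, "status": api_status, "comment": reason}


if __name__ == "__main__":
    # Constructed walk-through: a confirmed, justified false-positive on the issue key used above.
    print(build_status_change("AY1234", "False_Positive",
                              "Value is a test fixture, not a real credential",
                              user_confirmed=True))
    try:
        build_status_change("AY1234", "accept", "known debt", user_confirmed=False)
    except ConfirmationRequired as exc:
        print("refused:", exc)
```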
Security-related rules are tagged with industry standard references:
| Tag | Standard |
|---|---|
| owasp-a1 through owasp-a10 | OWASP Top 10 |
| cwe | Common Weakness Enumeration |
| sans-top25 | SANS Top 25 Most Dangerous Software Errors |
| cert | CERT Secure Coding Standards |
| pci-dss | Payment Card Industry Data Security Standard |
Use `show_rule` with the rule key to see all tags and their implications.
An example issue from the search response:
```json
{
  "key": "AY1234",
  "rule": "java:S2068",
  "project": "payment-service",
  "component": "src/main/java/PaymentService.java",
  "severity": "BLOCKER",
  "status": "OPEN",
  "message": "Remove this hard-coded password",
  "attribute": "TRUSTWORTHY",
  "category": "SECURITY",
  "startLine": 45,
  "endLine": 45,
  "created": "2025-01-15T10:30:00Z"
}
```
Reading this response:
- `severity: BLOCKER` together with `category: SECURITY`: must fix before any release
- `rule: java:S2068`: call `show_rule` with key `java:S2068` to get remediation guidance
- `attribute: TRUSTWORTHY`: clean code attribute violation related to security trustworthiness
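The following Python, added here as an illustration rather than code from the toolkit, ties together the `severities` filter rules, the triage matrix and the example response above: it normalises requested severities into valid filter values (mapping CRITICAL, MAJOR and MINOR), triages each returned issue into its matrix row, gates the merge on BLOCKER and HIGH findings, and lists the rules a reviewer should pass to `show_rule`. The first sample issue reproduces the response shown above; the other two issues, the action strings, and the treatment of RESOLVED and CLOSED as inactive statuses are constructed for this example.

```python
"""Severity normalisation and merge-gate triage for search_sonar_issues_in_projects results.

Added example, not part of the toolkit. Tool names and issue fields follow the
reference above; action strings, the second and third sample issues, and the
inactive-status handling are this example's own assumptions.
"""
from __future__ import annotations

# The only values the `severities` filter parameter accepts.
ALLOWED_SEVERITIES = ("BLOCKER", "HIGH", "MEDIUM", "LOW", "INFO")

# Legacy display labels: translate them, never send them to the API.
LEGACY_TO_API = {"CRITICAL": "HIGH", "MAJOR": "MEDIUM", "MINOR": "LOW"}

# Triage matrix, one row per API severity.
ACTIONS = {
    "BLOCKER": "fix immediately; do not merge until resolved",
    "HIGH": "fix before merging to main",
    "MEDIUM": "add to backlog with a defined deadline",
    "LOW": "fix in routine cleanup or document as accepted debt",
    "INFO": "review and close if informational only",
}

# Assumption: issues in these Sonar statuses need no action right now.
INACTIVE_STATUSES = ("RESOLVED", "CLOSED")


def to_api_severity(label: str) -> str:
    """Upper-case a label, map legacy names, and reject anything unknown."""
    value = label.strip().upper()
    value = LEGACY_TO_API.get(value, value)
    if value not in ALLOWED_SEVERITIES:
        raise ValueError(f"unsupported severity {label!r}; valid: {ALLOWED_SEVERITIES}")
    return value


def normalize_severities(requested: list[str]) -> list[str]:
    """Build a valid, de-duplicated `severities` filter (order preserved)."""
    out: list[str] = []
    for label in requested:
        value = to_api_severity(label)
        if value not in out:
            out.append(value)
    return out


def triage(issue: dict) -> dict:
    """Pick the matrix row for one issue; SECURITY findings also get a show_rule lookup."""
    severity = to_api_severity(issue["severity"])  # responses may still carry legacy labels
    is_security = str(issue.get("category", "")).upper() == "SECURITY"
    return {
        "key": issue["key"],
        "rule": issue["rule"],
        "severity": severity,
        "action": ACTIONS[severity],
        "blocks_merge": severity in ("BLOCKER", "HIGH"),
        "lookup_rule": is_security or severity == "BLOCKER",
        "location": f"{issue['component']}:{issue['startLine']}",
    }


def merge_gate(issues: list[dict]) -> dict:
    """Split active issues into merge-blocking and deferrable, and list rules to look up."""
    active = [i for i in issues if str(i.get("status", "OPEN")).upper() not in INACTIVE_STATUSES]
    decisions = [triage(i) for i in active]
    blocking = [d for d in decisions if d["blocks_merge"]]
    return {
        "merge_allowed": not blocking,
        "blocking": blocking,
        "deferred": [d for d in decisions if not d["blocks_merge"]],
        "rules_to_show": sorted({d["rule"] for d in decisions if d["lookup_rule"]}),
    }


# Constructed sample: the first issue is the response shown above; the other two are
# invented (rule keys and messages illustrative only). The second uses a legacy label.
SAMPLE_ISSUES = [
    {"key": "AY1234", "rule": "java:S2068", "project": "payment-service",
     "component": "src/main/java/PaymentService.java", "severity": "BLOCKER",
     "status": "OPEN", "message": "Remove this hard-coded password",
     "attribute": "TRUSTWORTHY", "category": "SECURITY", "startLine": 45, "endLine": 45},
    {"key": "AY1235", "rule": "java:S1192", "project": "payment-service",
     "component": "src/main/java/PaymentService.java", "severity": "MAJOR",
     "status": "OPEN", "message": "Define a constant instead of duplicating this literal",
     "attribute": "CLEAR", "category": "MAINTAINABILITY", "startLine": 88, "endLine": 88},
    {"key": "AY1236", "rule": "java:S5542", "project": "payment-service",
     "component": "src/main/java/CryptoUtil.java", "severity": "HIGH",
     "status": "RESOLVED", "message": "Use a secure cipher mode and padding scheme",
     "attribute": "TRUSTWORTHY", "category": "SECURITY", "startLine": 12, "endLine": 12},
]

if __name__ == "__main__":
    print(normalize_severities(["critical", "MAJOR", "blocker", "HIGH"]))  # ['HIGH', 'MEDIUM', 'BLOCKER']
    gate = merge_gate(SAMPLE_ISSUES)
    print("merge allowed:", gate["merge_allowed"])  # False: AY1234 is BLOCKER
    for decision in gate["blocking"] + gate["deferred"]:
        print(decision["key"], decision["severity"], decision["location"], "->", decision["action"])
    print("look up with show_rule:", gate["rules_to_show"])  # ['java:S2068']
```

Running the block shows that the resolved HIGH finding is ignored, the legacy MAJOR label on the second issue is triaged as MEDIUM, and only the security BLOCKER both blocks the merge and is queued for a `show_rule` lookup.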