sonarqube
Set up SonarQube in your project.
SonarQube Setup
Workflow
Use this skill when a repository needs SonarQube scanning added to its GitHub Actions workflow. Keep the work read-only until the user confirms the target repository already has a SonarQube project in HCP.
- Verify the SonarQube project exists at https://console.hcp.uhg.com/products/sonarqube.
- Capture the required inputs before editing files:
  - AIDE ID
  - GitHub organization
  - GitHub repository name
  - source directory to scan, usually src
  - test and generated-file exclusion patterns
- Confirm the project naming values:
  - Project Name: match the GitHub repository name.
  - Project Key: com.optum.{AIDE_ID}:{Project Name}
  - GitHub Repository: github.com/{ORG_NAME}/{REPO_NAME}
- Add or update the GitHub Actions workflow with a Dojo, EPL, or company SonarQube scan action path. Search this repository for github-workflows-dojo360-* skills and review https://github.com/uhg-actions/sonarqube-scan-action for company scan action behavior.
- Add sonar-project.properties at the repository root or at the CI working directory. Start from ./templates/sonar-project.properties.
- Add vitals.yaml at the repository root. Start from ./templates/vitals.yaml.
- Run the repository's normal validation command and verify the workflow syntax before pushing.
Required Files
Create or update sonar-project.properties with the project key, quality gate timeout, source path, and exclusions:
sonar.projectKey=com.optum.{AIDE_ID}:{Project Name}
sonar.qualitygate.timeout=600
sonar.sources=src
sonar.exclusions=**/*.test.*,**/*.spec.*,**/__tests__/**,**/__mocks__/**
Create or update vitals.yaml with the same AIDE ID and project key:
apiVersion: v1
metadata:
  askId: {AIDE_ID}
  caAgileId: poc
  projectKey: com.optum.{AIDE_ID}:{Project Name}
  projectFriendlyName: {Project Name}
  componentType: code
  targetQG: GATE_00
Constraints
- MUST NOT invent the AIDE ID, organization, repository name, or SonarQube project key.
- MUST NOT add local secret values to workflow files.
- MUST keep scan configuration aligned between sonar-project.properties, vitals.yaml, and the GitHub Actions workflow.
- MUST route destructive repository changes through the normal branch and pull request workflow.
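The two required files and the alignment constraint above can be checked mechanically before a pull request is opened. The following script is an added example and is not part of this skill, its templates, or the uhg-actions project. It parses a constructed sonar-project.properties and vitals.yaml that mirror the skill's example values, verifies that the project key has the com.optum.{AIDE_ID}:{Project Name} shape and that askId, projectKey and projectFriendlyName agree with it, previews which paths the sonar.exclusions globs would drop, and flags workflow lines where a secret-like key carries a literal value instead of a GitHub expression. Assumptions: AIDE IDs look like AIDE_ followed by digits (as in the skill's example), SonarQube globs treat ** as spanning directories and * or ? as staying within one path segment, and the secret name SONAR_TOKEN, the script path in the workflow fragment, and the key-name heuristic are illustrative choices, not anything the scan action requires.

```python
"""Consistency checks for a SonarQube onboarding change (added example).

Assumptions: AIDE IDs look like AIDE_<digits>; SonarQube globs use '**'
across directories and '*' / '?' within one segment; workflow keys named
token/secret/password/api key must reference a ${{ ... }} expression.
"""
import re

# Constructed sample files mirroring the skill's example values.
SONAR_PROPERTIES = """\
sonar.projectKey=com.optum.AIDE_123456:example-api
sonar.qualitygate.timeout=600
sonar.sources=src
sonar.exclusions=**/*.test.*,**/*.spec.*,**/__tests__/**,**/__mocks__/**
"""

VITALS_YAML = """\
apiVersion: v1
metadata:
  askId: AIDE_123456
  caAgileId: poc
  projectKey: com.optum.AIDE_123456:example-api
  projectFriendlyName: example-api
  componentType: code
  targetQG: GATE_00
"""

# Constructed workflow fragment: the first step references a repository secret
# (hypothetical name SONAR_TOKEN, hypothetical script path); the second embeds
# a literal value and must be flagged.
WORKFLOW_YAML = """\
      - name: SonarQube scan (constructed step)
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./scripts/run-sonar-scan.sh
      - name: Bad step (constructed)
        env:
          SONAR_TOKEN: sqp_example_literal_do_not_commit
"""

PROJECT_KEY_RE = re.compile(r"^com\.optum\.(?P<aide>AIDE_\d+):(?P<name>[A-Za-z0-9._-]+)$")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:token|secret|password|passwd|api[_-]?key)\s*:\s*(?P<value>\S.*)$")


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def parse_vitals(text):
    """Minimal reader for the two-level vitals.yaml shape: indented lines belong
    to 'metadata'. Deliberately not a general YAML parser (no PyYAML needed)."""
    top, metadata = {}, {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.strip().partition(":")  # split on the first ':' only
        if not sep:
            raise ValueError(f"malformed yaml line: {raw!r}")
        (metadata if raw[0].isspace() else top)[key.strip()] = value.strip()
    top["metadata"] = metadata
    return top


def sonar_glob_to_regex(pattern):
    """Translate a SonarQube exclusion glob into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3   # zero or more leading directories
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2         # anything, including '/'
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1      # stays within one path segment
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def excluded_paths(exclusions, paths):
    """Subset of paths dropped by a comma-separated sonar.exclusions value."""
    regexes = [sonar_glob_to_regex(p.strip()) for p in exclusions.split(",") if p.strip()]
    return [p for p in paths if any(r.match(p) for r in regexes)]


def check_alignment(props, vitals):
    """Return a list of problems; an empty list means the two files agree."""
    key = props.get("sonar.projectKey", "")
    m = PROJECT_KEY_RE.match(key)
    if not m:
        return [f"sonar.projectKey {key!r} is not com.optum.{{AIDE_ID}}:{{Project Name}}"]
    meta, problems = vitals.get("metadata", {}), []
    if meta.get("projectKey") != key:
        problems.append("projectKey differs between sonar-project.properties and vitals.yaml")
    if meta.get("askId") != m.group("aide"):
        problems.append("vitals askId does not match the AIDE ID inside the project key")
    if meta.get("projectFriendlyName") != m.group("name"):
        problems.append("projectFriendlyName does not match the Project Name in the key")
    if not props.get("sonar.sources"):
        problems.append("sonar.sources is missing")
    return problems


def literal_secrets(workflow_text):
    """Line numbers whose secret-like key carries a literal instead of ${{ ... }}."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = SECRET_KEY_RE.search(line)
        if m and not m.group("value").startswith("${{"):
            hits.append(n)
    return hits


if __name__ == "__main__":
    props, vitals = parse_properties(SONAR_PROPERTIES), parse_vitals(VITALS_YAML)
    sample = ["src/app.ts", "src/app.test.ts", "src/__tests__/helper.ts", "src/lib/util.spec.js"]
    print("alignment problems:", check_alignment(props, vitals) or "none")
    print("excluded:", excluded_paths(props["sonar.exclusions"], sample))
    print("literal secrets on workflow lines:", literal_secrets(WORKFLOW_YAML))
```

Run it as a pre-commit or CI step against the real files by swapping the constructed strings for the file contents; a non-empty problem list or a non-empty literal-secret list is a reason to stop before pushing. The exclusion preview is the quickest way to confirm that a new pattern removes test fixtures without silently hiding production code from the scan.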
Example
For repository github.com/optum-tech-compute/example-api with AIDE ID AIDE_123456, use:
- Project Name: example-api
- Project Key: com.optum.AIDE_123456:example-api
- GitHub Repository: github.com/optum-tech-compute/example-api
After the workflow runs, review scan results at https://sonar.optum.com and confirm the quality gate at https://sonar.optum.com/quality_gates/show/GATE_00.
Official Documentation
- https://docs.hcp.uhg.com/sonarqube
- https://docs.hcp.uhg.com/sonarqube/faq
- https://docs.hcp.uhg.com/sonarqube/getting-started