feat(sonarqube): add SonarQube plugin to marketplace

[amondnet]

Summary

• Add SonarQube CLI integration plugin (plugins/sonarqube/) with plugin manifest and skill-based activation
• Register the plugin in .claude-plugin/marketplace.json under the security category

Changes

• plugins/sonarqube/.claude-plugin/plugin.json — Plugin manifest defining MCP server configuration and metadata
• plugins/sonarqube/skills/sonarqube/SKILL.md — Skill for intelligent activation when SonarQube analysis is needed
• .claude-plugin/marketplace.json — Added sonarqube entry with keywords, tags, and source path

Test Plan

• Verify plugin manifest is valid: claude plugin validate plugins/sonarqube
• Confirm marketplace entry appears correctly in the web app
• Test skill activation triggers on SonarQube-related prompts
• Verify MCP server command launches without errors

---

Summary by cubic

Add the sonarqube plugin to the marketplace to integrate SonarQube CLI for code quality, secret scanning, and issue queries. Includes a skill for automatic activation on SonarQube- or security-related prompts.

• New Features
  • Added plugins/sonarqube/.claude-plugin/plugin.json manifest with plugin metadata.
  • Added plugins/sonarqube/skills/sonarqube/SKILL.md with CLI usage and skill triggers.
  • Registered sonarqube in .claude-plugin/marketplace.json under the security category with keywords and source path.

^{Written for commit 79dd6a2. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
claude-code-plugins	Ready	Preview, Comment	Mar 11, 2026 10:20am

[cubic-dev-ai]

1 issue found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="plugins/sonarqube/skills/sonarqube/SKILL.md">

<violation number="1" location="plugins/sonarqube/skills/sonarqube/SKILL.md:4">
P2: The skill workflow requires the Edit tool, but Edit is not allowed in frontmatter.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The skill workflow requires the Edit tool, but Edit is not allowed in frontmatter.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At plugins/sonarqube/skills/sonarqube/SKILL.md, line 4:

<comment>The skill workflow requires the Edit tool, but Edit is not allowed in frontmatter.</comment>

<file context>
@@ -0,0 +1,110 @@
+---
+name: Analyzing Code with SonarQube CLI
+description: Run SonarQube CLI to detect code quality issues, scan for hardcoded secrets, and manage SonarQube/SonarCloud projects. Use when the user mentions SonarQube, SonarCloud, code quality issues, secret scanning, SAST, static analysis, hardcoded credentials, or wants to query issues by severity or branch. Triggers on mentions of sonar, sonarqube, sonarcloud, secret detection, code smells, security hotspots, or quality gates.
+allowed-tools: Bash, Read
+---
+
</file context>

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request adds a new plugin for integrating the SonarQube CLI, enhancing the platform's capabilities for code quality analysis and security. The plugin features skill-based activation and is registered in the marketplace for easy access.

Highlights

• New Plugin Integration: Introduces the SonarQube CLI integration as a new plugin, enabling code quality analysis, secret scanning, and issue tracking.
• Skill-Based Activation: Implements a skill for intelligent activation of the SonarQube plugin based on user prompts related to SonarQube or security concerns.
• Marketplace Inclusion: Registers the SonarQube plugin in the marketplace under the 'security' category, making it discoverable and accessible to users.

Changelog

• .claude-plugin/marketplace.json
  • Registered sonarqube entry with keywords, tags, and source path.
• plugins/sonarqube/.claude-plugin/plugin.json
  • Added plugin manifest defining MCP server configuration and metadata.
• plugins/sonarqube/skills/sonarqube/SKILL.md
  • Added skill for intelligent activation when SonarQube analysis is needed.

Activity

• Plugin manifest added for SonarQube CLI integration.
• Skill implemented for intelligent plugin activation.
• Plugin registered in the marketplace under the security category.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new SonarQube plugin by adding its definition to the marketplace, creating a plugin manifest, and providing a skill file for its usage. The changes are well-structured and clear. I have one suggestion for the SKILL.md file to improve the recommended installation command by promoting a safer security practice and enhancing clarity in documentation, aligning with established guidelines.

_{Note: Security Review has been skipped due to the limited scope of the PR.}

[gemini-code-assist]

Piping curl to bash is a security risk as it executes a script directly from the web without allowing for inspection. To promote safer practices, it's better to instruct the user to download the script first, and then execute it. This allows for an optional inspection step, improving clarity and preventing potential user error by making the execution process explicit.

I recommend replacing this block with the following:

# Download the installer script
curl -fsSL -o sonar-installer.sh https://sonar.io/install
# Then, after inspection, run it:
# bash sonar-installer.sh

References

1. In documentation, clearly distinguish between commands intended for an interactive shell and those for a standard command-line interface to improve clarity and prevent user error.