From the `sonarqube` plugin: Searches SonarQube projects for software composition analysis (SCA) dependency risks and associated releases. Supports branches/PRs; requires Advanced Security and MCP integration.
Install the plugin with:
npx claudepluginhub sonarsource/sonarqube-agent-plugins --plugin sonarqube
How this skill is triggered (by the user, by Claude, or both):
Slash command:
/sonarqube:sonar-dependency-risks [project-key?] [--branch name] [--pr id]
Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Search for dependency risks (software composition analysis issues) in a SonarQube project, paired with the releases that appear in the analysed project, application, or portfolio.
```
sonar-dependency-risks                                  # risks in the current project
sonar-dependency-risks my-project                       # risks in a specific project
sonar-dependency-risks my-project --branch feature/auth
sonar-dependency-risks my-project --pr 42
```
This skill requires SonarQube Advanced Security (available on SonarQube Cloud Enterprise plan, or SonarQube Server 2025.4 Enterprise edition or higher), the SonarQube MCP Server to be configured, and the tool mcp__sonarqube__search_dependency_risks to be available in your session.
Before proceeding, verify the tool is accessible. If it is not, do not attempt to call any CLI commands or invent alternatives, and show the user:
Unable to fetch dependency risks.
Possible causes:
- This feature requires SonarQube Advanced Security — available on SonarQube Cloud Enterprise edition, or SonarQube Server 2025.4 Enterprise or higher
- MCP server not registered — invoke the sonar-integrate skill to configure the SonarQube MCP Server, then restart the agent session
- Credentials not configured — invoke the sonar-integrate skill
- Project key is wrong or no default project in MCP config — pass an explicit key, or verify sonar-project.properties, or re-run the sonar-integrate skill for this project
Then ask the user (yes/no) whether to run the sonar-integrate skill now. If they confirm, invoke the sonar-integrate skill yourself and follow it end-to-end in this session, then ask the user to restart the agent session so the new MCP tools become available; if they decline, stop.
MCP tools sometimes do not require projectKey after the sonar-integrate skill has stored the default project for this workspace. Resolve a key only when you must pass it (tool schema requires it, or the user targets another project):
Key sources, in order:
- `sonar.projectKey` in sonar-project.properties at the repo root.
- Otherwise, omit projectKey in MCP calls and rely on the integration default.
Flag mapping:
| Flag | Maps to parameter |
|---|---|
| --branch <name> | branchKey |
| --pr <id> | pullRequestKey |
Call `mcp__sonarqube__search_dependency_risks`. Include projectKey only if you resolved one in Step 1 and the tool requires it; otherwise omit it.
```jsonc
{
  "projectKey": "<only-if-required>",
  "branchKey": "<name>",      // if --branch was given
  "pullRequestKey": "<id>"    // if --pr was given
}
```
Omit projectKey from the payload when the integration default applies. Omit unused optional fields.
If risks are found, group by severity and present as a table:
## Dependency Risks — `my-project` (branch: `main`)
Found **5 dependency risk(s)**:
### Critical
| Dependency | Version | Risk | CVE |
| ---------- | ------- | --------------------- | -------------- |
| log4j-core | 2.14.1 | Remote code execution | CVE-2021-44228 |
### High
| Dependency | Version | Risk | CVE |
| ---------------- | ------- | ----------------------------- | -------------- |
| jackson-databind | 2.12.3 | Deserialization vulnerability | CVE-2021-46877 |
| commons-text | 1.9 | Remote code execution | CVE-2022-42889 |
### Medium
| Dependency | Version | Risk | CVE |
| ------------- | ------- | ----------------- | -------------- |
| spring-web | 5.3.18 | DoS vulnerability | CVE-2022-22965 |
| netty-handler | 4.1.68 | SSL/TLS issue | CVE-2021-43797 |
Omit columns that are not present in the response. Omit severity sections that have no risks.
If no risks are found:
## Dependency Risks — `my-project`
✅ No dependency risks found.
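To show the key resolution, payload construction and report rendering steps above end to end, here is an added Python example that is not part of the plugin or this skill. It assumes the tool's response is a list of objects with `severity`, `dependency`, `version`, `risk` and `cve` fields (an assumption; the real schema is not shown on this page), reads `sonar.projectKey` from a constructed sonar-project.properties, and applies the page's rules: projectKey only when the tool requires it or the user names a project, unused optional fields omitted, empty severity sections and absent columns dropped. The MCP call itself is not made; a constructed response stands in for it.

```python
"""Added example (not the plugin's own code): parse the skill's arguments,
resolve the project key, build the search_dependency_risks payload and render
the grouped report. The response shape and all sample data are assumptions."""
from collections import defaultdict

# Severities the report template shows, in display order. "Low" is an
# assumption so that further levels, if any, sort after the three on the page.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Report columns and the (assumed) response keys they are read from.
COLUMNS = [("Dependency", "dependency"), ("Version", "version"),
           ("Risk", "risk"), ("CVE", "cve")]


def parse_args(argv):
    """Parse `[project-key?] [--branch name] [--pr id]` into tool parameters."""
    args = {"projectKey": None, "branchKey": None, "pullRequestKey": None}
    flags = {"--branch": "branchKey", "--pr": "pullRequestKey"}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in flags:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} needs a value")
            args[flags[tok]] = argv[i + 1]
            i += 2
        elif tok.startswith("--"):
            raise ValueError(f"unknown flag {tok}")
        elif args["projectKey"] is None:
            args["projectKey"] = tok
            i += 1
        else:
            raise ValueError(f"unexpected argument {tok}")
    return args


def project_key_from_properties(text):
    """Return sonar.projectKey from sonar-project.properties text, or None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # Java properties comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "sonar.projectKey":
            return value.strip()
    return None


def build_payload(args, key_required, properties_text=""):
    """projectKey only when required or explicitly given; optional fields
    only when their flag was passed; nothing else in the payload."""
    payload = {}
    key = args["projectKey"]
    if key is None and key_required:
        key = project_key_from_properties(properties_text)
        if key is None:
            raise LookupError("no project key: pass one or run sonar-integrate")
    if key is not None:
        payload["projectKey"] = key
    for field in ("branchKey", "pullRequestKey"):
        if args[field] is not None:
            payload[field] = args[field]
    return payload


def render_report(project, risks, branch=None):
    """Group risks by severity, dropping empty sections and absent columns."""
    title = f"## Dependency Risks — `{project}`"
    if branch:
        title += f" (branch: `{branch}`)"
    if not risks:
        return f"{title}\n✅ No dependency risks found."
    lines = [title, f"Found **{len(risks)} dependency risk(s)**:"]
    # Keep only columns that at least one risk actually populates.
    present = [(h, k) for h, k in COLUMNS if any(r.get(k) for r in risks)]
    by_sev = defaultdict(list)
    for r in risks:
        by_sev[r["severity"]].append(r)
    order = SEVERITY_ORDER + sorted(set(by_sev) - set(SEVERITY_ORDER))
    for sev in order:
        if not by_sev.get(sev):
            continue
        lines.append(f"### {sev}")
        lines.append("| " + " | ".join(h for h, _ in present) + " |")
        lines.append("|" + "|".join("---" for _ in present) + "|")
        for r in by_sev[sev]:
            lines.append("| " + " | ".join(str(r.get(k, "")) for _, k in present) + " |")
    return "\n".join(lines)


# Constructed sample inputs so the example runs stand-alone.
SAMPLE_PROPERTIES = "# constructed\nsonar.projectKey=my-project\nsonar.sources=src\n"
SAMPLE_RISKS = [  # constructed response in the assumed shape, values from the page's template
    {"severity": "Critical", "dependency": "log4j-core", "version": "2.14.1",
     "risk": "Remote code execution", "cve": "CVE-2021-44228"},
    {"severity": "High", "dependency": "jackson-databind", "version": "2.12.3",
     "risk": "Deserialization vulnerability", "cve": "CVE-2021-46877"},
    {"severity": "High", "dependency": "commons-text", "version": "1.9",
     "risk": "Remote code execution", "cve": "CVE-2022-42889"},
    {"severity": "Medium", "dependency": "spring-web", "version": "5.3.18",
     "risk": "DoS vulnerability", "cve": "CVE-2022-22965"},
    {"severity": "Medium", "dependency": "netty-handler", "version": "4.1.68",
     "risk": "SSL/TLS issue", "cve": "CVE-2021-43797"},
]

if __name__ == "__main__":
    a = parse_args(["--branch", "main"])
    print(build_payload(a, key_required=True, properties_text=SAMPLE_PROPERTIES))
    print(render_report("my-project", SAMPLE_RISKS, branch=a["branchKey"]))
```

`key_required` stands for "the tool schema requires projectKey"; when it is false and no key was given on the command line, the payload carries no projectKey and the integration default applies, which is the behaviour the skill text asks for.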
… `<dependency>` to a safe version.
… `sonar.projectKey` in the repo) with filters as needed — sonar list issues always requires -p.