Quick Start
Get your first code quality analysis in under 5 minutes.
Your First Scan
Step 1: Open Your Project
Navigate to your project directory and start your AI assistant:
```bash
cd /path/to/your/project
claude
```
Step 2: Run Auto-Setup Scan
For your first scan of a new project, use `autoSetup: true`:
```text
Scan this project with Bob the Fixer, use autoSetup: true since this is the first scan
```
Bob the Fixer will automatically:
- Discover your project type, languages, and frameworks
- Create a SonarQube project with an appropriate quality gate
- Generate a project token
- Run the analysis
- Return a summary of all issues found
Step 3: Review the Results
After scanning, you'll see a comprehensive report:
```text
SonarQube Analysis Complete
──────────────────────────────
Project: my-awesome-app
Quality Gate: ❌ FAILED

Summary:
Total Issues: 47
🔴 BLOCKER: 2 (security vulnerabilities)
🟠 CRITICAL: 5 (critical bugs)
🟡 MAJOR: 15 (significant code smells)
🟢 MINOR: 20 (minor improvements)
ℹ️ INFO: 5 (suggestions)

Metrics:
Coverage: 67.3%
Duplication: 4.2%
Tech Debt: 3d 4h

💡 Recommendation: Start with BLOCKER and CRITICAL issues
```
Fixing Issues
Get Issue Details
Ask for details on specific issues:
```text
Show me the details of the BLOCKER issues
```
Bob the Fixer provides:
- Issue description and severity
- File path and line number
- Code context (lines around the issue)
- Rule explanation from SonarQube
- Compliant vs non-compliant code examples
- Suggested fix approach
Example response:
```text
🔴 BLOCKER: SQL Injection Vulnerability
──────────────────────────────────────
Issue Key: AYx123abc456
File: src/db/users.ts:45
Rule: typescript:S3649

Affected Code:
──────────────────────────────────────
  43 │ async function getUser(id: string) {
  44 │   const query = `SELECT * FROM users
> 45 │     WHERE id = '${id}'`;  // ❌ Vulnerable
  46 │   return db.execute(query);
  47 │ }
──────────────────────────────────────

Rule Explanation:
User-provided data should never be directly
concatenated into SQL queries. This allows
attackers to inject malicious SQL commands.

✅ Compliant Example:
const query = 'SELECT * FROM users WHERE id = ?';
return db.execute(query, [id]);

🔧 Suggested Fix:
Use parameterized queries instead of string
interpolation. Replace template literal with
placeholder and pass id as parameter.
```
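To make the non-compliant/compliant pair in that report concrete, here is an added TypeScript example (not code from Bob the Fixer or SonarQube). It assumes a database driver whose `execute(sql, params)` takes positional `?` placeholders, stood in for by a constructed `FakeDb` that only records what it would send to the server, so the example runs offline. The point it shows is the one rule S3649 is about: with string interpolation the SQL text itself changes with the input, so a value containing a quote rewrites the statement; with a parameter the SQL text is constant and the value travels separately as data.

```typescript
// Added example, not project code. FakeDb is a stand-in (assumption) for a
// driver that accepts "execute(sql, params)" with positional "?" placeholders;
// it records statements instead of talking to a real database.
interface Statement {
  sql: string;
  params: unknown[];
}

class FakeDb {
  public readonly sent: Statement[] = [];

  execute(sql: string, params: unknown[] = []): Statement {
    const stmt: Statement = { sql, params };
    this.sent.push(stmt);
    return stmt;
  }
}

// Non-compliant (the pattern flagged as typescript:S3649): the user-supplied
// id is spliced into the SQL text, so the database parses it as SQL.
function getUserVulnerable(db: FakeDb, id: string): Statement {
  const query = `SELECT * FROM users WHERE id = '${id}'`;
  return db.execute(query);
}

// Compliant: the SQL text is a constant; the id is bound as a parameter and
// is never interpreted as part of the statement.
function getUserSafe(db: FakeDb, id: string): Statement {
  const query = 'SELECT * FROM users WHERE id = ?';
  return db.execute(query, [id]);
}

// Review heuristic: call the function with two different inputs and compare
// the SQL text that would reach the server. If it differs, input is being
// treated as SQL rather than as data.
function queryTextDependsOnInput(
  fn: (db: FakeDb, id: string) => Statement,
): boolean {
  const a = fn(new FakeDb(), '42').sql;
  const b = fn(new FakeDb(), "O'Brien").sql; // constructed input containing a quote
  return a !== b;
}

// A quote-balance check: an odd number of single quotes means the input has
// broken the statement's structure (the symptom an injected value exploits).
function hasUnbalancedQuotes(sql: string): boolean {
  let count = 0;
  for (const ch of sql) {
    if (ch === "'") count++;
  }
  return count % 2 === 1;
}

// Runs both forms on the same constructed input and reports what each one
// would send to the database.
function demo(): {
  vulnerableSql: string;
  vulnerableBroken: boolean;
  safeSql: string;
  safeParams: unknown[];
} {
  const db = new FakeDb();
  const v = getUserVulnerable(db, "O'Brien");
  const s = getUserSafe(db, "O'Brien");
  return {
    vulnerableSql: v.sql,
    vulnerableBroken: hasUnbalancedQuotes(v.sql),
    safeSql: s.sql,
    safeParams: s.params,
  };
}
```

`queryTextDependsOnInput` is the check worth keeping in mind when reading the "Affected Code" context: the fix is correct only when the statement text stops varying with the input, which is exactly what the compliant `execute(query, [id])` form guarantees.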
Apply the Fix
Ask your AI assistant to fix the issue:
```text
Fix this SQL injection vulnerability using parameterized queries
```
The AI will:
- Read the affected file
- Apply the suggested fix
- Show you the changes made
Verify the Fix
Run another scan to confirm (use `autoSetup: false` for subsequent scans):
```text
Scan again with autoSetup: false to verify the fix
```
Common Workflows
Focus on Security Issues
```text
Show me all security vulnerabilities and hotspots in this project
```
Uses: `sonar_scan_project` with `typeFilter: ["VULNERABILITY"]` + `sonar_get_security_hotspots`
Analyze Technical Debt
```text
What's the technical debt situation? Show me the breakdown and time estimates
```
Uses: `sonar_get_technical_debt` with budget analysis
Find Code Duplication
```text
Which files have the most duplicated code? Show me the top 10
```
Uses: `sonar_get_duplication_summary` sorted by lines
Check Quality Gate
```text
Did we pass the quality gate? What failed?
```
Uses: `sonar_get_quality_gate` for status and conditions
Analyze Issue Patterns
```text
Group all issues by fixability and show me what I can auto-fix
```
Uses: `sonar_analyze_patterns` with `groupBy: "fixability"`
Generate Quality Report
```text
Generate a detailed quality report for this project
```
Uses: `sonar_generate_report` with `format: "detailed"`
Tool Usage Patterns
First Scan vs Subsequent Scans
| Scenario | Command |
|---|---|
| First scan of new project | `autoSetup: true` |
| Re-scan after fixes | `autoSetup: false, projectPath: "/full/path"` |
| Scan specific severities | Add `severityFilter: ["BLOCKER", "CRITICAL"]` |
| Scan specific types | Add `typeFilter: ["BUG", "VULNERABILITY"]` |
Issue Investigation Flow
Severity Priority
Fix issues in this order:
1. BLOCKER - Security vulnerabilities, critical bugs
2. CRITICAL - High-impact bugs
3. MAJOR - Code smells affecting maintainability
4. MINOR - Style issues, minor improvements
5. INFO - Suggestions and best practices
Example: Complete Workflow
Here's a complete session fixing multiple issues:
```text
User: Scan my TypeScript project for the first time

AI: I'll run the first scan with auto-setup enabled.
    [Uses sonar_scan_project with autoSetup: true]
    Found 23 issues: 1 BLOCKER, 3 CRITICAL, 12 MAJOR, 7 MINOR.
    The BLOCKER is a SQL injection in src/api/users.ts:67.
    Would you like me to show the details?

User: Yes, show the blocker details

AI: [Uses sonar_get_issue_details]
    The issue is unsafe string concatenation in a database query.
    Here's the code context and suggested fix...
    Shall I fix this now?

User: Yes, fix it

AI: [Edits src/api/users.ts to use parameterized queries]
    Fixed! Changed from template literal to parameterized query.
    Would you like me to re-scan to verify?

User: Yes, scan again

AI: [Uses sonar_scan_project with autoSetup: false]
    ✅ BLOCKER resolved!
    Remaining: 3 CRITICAL, 12 MAJOR, 7 MINOR.
    Want me to tackle the CRITICAL issues next?
```
Troubleshooting First Scan
"No project configuration found"
Run project discovery first:
```text
Analyze this project structure and recommend configuration
```
Uses: `sonar_project_discovery` with `deep: true`
"Source files not found"
Generate a custom config:
```text
Generate a sonar-project.properties file for this project with sources in src/
```
Uses: `sonar_generate_config`
"Authentication failed"
Check your token:
```text
Diagnose the SonarQube connection and permissions
```
Uses: `sonar_diagnose_permissions`
Next Steps
- Configuration - Customize scan settings
- SonarQube Integration - All available tools
- Troubleshooting - Common issues and solutions