
CLI-115 Generic API tool for any sonarqube cloud api #80

Merged: subdavis merged 7 commits into master from bd/feature/generic-api-tool on Apr 8, 2026

subdavis (Member) commented Mar 6, 2026

General API client using built-in templates

Give power users the ability to build reusable automations and agent skills to do anything through the SonarQube Cloud API.

Slack thread: https://sonarsource.slack.com/archives/C0ADT7VMGHW/p1772447653087179

Template variables

  • {organization}
  • {project}

Examples

  • sonar api get '/api/issues/search?projects={project}&organization={organization}'
  • sonar api post '/api/user_tokens/generate' --data '{"name":"test-cli-token"}'
  • sonar api get '/api/system/status'
  • sonar api get '/api/organizations/search?member=true'
  • sonar api get '/sca/releases?projectKey={project}'

V1 vs V2 Behavior

  • v1 endpoints take url params or form data
  • v2 endpoints take JSON body
  • endpoints that do NOT begin with /api use SONARCLOUD_API_URL
  • This tool figures out which to use so the user doesn't have to know.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod bot changed the title Generic API tool for any sonarqube cloud api CLI-115 Generic API tool for any sonarqube cloud api Mar 6, 2026
hashicorp-vault-sonar-prod bot commented Mar 6, 2026

CLI-115

sonarqube-agent bot commented Mar 6, 2026

Remediation Agent Summary 📊

🤖 To review: The 1 issues found require manual fixes.
Issues requiring manual fix (1)

| Quality | Issue |
| --- | --- |
| Maintainability, 🟡 Low | Prefer `String#replaceAll()` over `String#replace()`. |


@subdavis subdavis requested a review from a team March 9, 2026 14:37
damien-urruty-sonarsource (Contributor) commented

Hi @subdavis! Thanks for the contribution 🙏

We are reconsidering our command tree and discussing with the team what the top-level commands should be. We will definitely consider this PR and use case in the reflection. Give me a couple of days and I will come back to you

damien-urruty-sonarsource (Contributor) commented

@subdavis small update, we have this epic planned at the beginning of Q2: https://sonarsource.atlassian.net/browse/CLI-100. We likely won't touch this PR until then

kirill-knize-sonarsource (Member) left a comment

Auth is not compliant to principles. Auth resolver should be used.

Comment thread src/cli/command-tree.ts Outdated
@subdavis subdavis force-pushed the bd/feature/generic-api-tool branch 2 times, most recently from b7b5f6a to 42c25d5 Compare April 1, 2026 14:58
kirill-knize-sonarsource (Member) left a comment

Reviewed.

Comment thread src/lib/api-request.ts Outdated
Comment thread src/cli/commands/api.ts Outdated
Comment thread src/cli/commands/api.ts Outdated
Comment thread src/cli/commands/api.ts Outdated
Comment thread src/cli/commands/api.ts Outdated
Comment thread tests/unit/api-command.test.ts
@subdavis subdavis force-pushed the bd/feature/generic-api-tool branch from dd826a6 to f25cad4 Compare April 1, 2026 22:15
Comment thread src/cli/commands/_common/discovery.ts
Comment thread src/cli/commands/api/api.ts Outdated
@subdavis subdavis force-pushed the bd/feature/generic-api-tool branch from b929a5d to 796c969 Compare April 2, 2026 03:46
@subdavis subdavis force-pushed the bd/feature/generic-api-tool branch from 796c969 to 74634be Compare April 2, 2026 03:47
@subdavis subdavis marked this pull request as ready for review April 2, 2026 03:50
sonar-review-alpha bot (Contributor) commented Apr 2, 2026

Summary

This PR adds a generic sonar api command enabling power users to make authenticated HTTP requests to any SonarQube/SonarCloud API endpoint directly from the CLI. The command accepts an HTTP method (GET, POST, PATCH, PUT, DELETE), an endpoint path, and optional JSON data for the request body.

The implementation includes smart automatic routing: it detects whether an endpoint uses the V1 API (form-encoded request body) or V2 API (JSON body) based on the path, so users don't need to know the API version differences. For SonarCloud, it correctly routes requests to either sonarcloud.io or api.sonarcloud.io depending on the endpoint pattern. The tool includes input validation, optional verbose/debug mode for troubleshooting, and comprehensive test coverage for both successful requests and error cases.

What reviewers should know

Where to start reading:

  1. src/cli/commands/api/api.ts — the command handler; shows all user-facing validation and the content-type determination logic that differentiates V1 from V2 APIs
  2. src/sonarqube/client.ts — the new genericRequest() method; handles the actual HTTP work, request/response debugging, and error handling
  3. src/lib/auth-resolver.ts — the resolveFromEndpoint() function; implements SonarCloud's split-host routing (/api endpoints → sonarcloud.io, others → api.sonarcloud.io)

Key design decisions to review:

  • Content-type logic: /api/v2/ and non-/api/ endpoints use JSON; /api/ (V1) uses form-encoded. This eliminates user confusion about API versions.
  • Form data conversion: When using form content-type, JSON input is transformed to URLSearchParams for the request body.
  • SonarCloud endpoint resolution: Since SonarCloud uses separate hosts for /api endpoints vs. others, the client automatically picks the right base URL.
  • Debug mode: Sensitive headers (Authorization) are redacted in debug output to prevent token leaks.

Test coverage:

  • Integration tests (tests/integration/specs/api/api.test.ts) validate command-line behavior, auth requirements, and HTTP method correctness
  • Unit tests cover the API command validation logic, content-type routing, and client request building
  • No edge cases are left untested (invalid methods, missing slashes, wrong data types, etc.)

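The host routing, content-type selection and header redaction described in the summary above, as an added TypeScript example (not code from this PR or from sonarqube-cli). `planRequest`, `redactHeaders`, `isV1`, the `https://` host constants and the `Bearer` scheme are assumptions made for illustration; it also omits `Content-Type` on bodyless requests, the defect a later review on this page flags.

```typescript
// Added example, not the sonarqube-cli implementation; all names are hypothetical.
type Plan = { method: string; url: string; headers: Record<string, string>; body?: string };

const METHODS = ['GET', 'POST', 'PATCH', 'PUT', 'DELETE'];
const WEB_HOST = 'https://sonarcloud.io';     // assumed base for /api/... paths
const API_HOST = 'https://api.sonarcloud.io'; // assumed base for all other paths

// V1 = under /api/ but not /api/v2/; V1 endpoints take form-encoded bodies.
function isV1(endpoint: string): boolean {
  return endpoint.startsWith('/api/') && !endpoint.startsWith('/api/v2/');
}

function planRequest(method: string, endpoint: string, token: string, data?: string): Plan {
  const verb = method.toUpperCase();
  if (!METHODS.includes(verb)) throw new Error(`unsupported method: ${method}`);
  if (!endpoint.startsWith('/')) throw new Error('endpoint must start with "/"');

  const base = endpoint.startsWith('/api/') ? WEB_HOST : API_HOST;
  // Bearer scheme is an assumption of this example.
  const headers: Record<string, string> = { Authorization: `Bearer ${token}` };
  const plan: Plan = { method: verb, url: base + endpoint, headers };
  if (data === undefined) return plan; // bodyless request: send no Content-Type

  const parsed: unknown = JSON.parse(data);
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('--data must be a JSON object');
  }
  if (isV1(endpoint)) {
    // Flatten the JSON object into form fields for V1 endpoints.
    const form = new URLSearchParams();
    for (const [key, value] of Object.entries(parsed)) form.append(key, String(value));
    headers['Content-Type'] = 'application/x-www-form-urlencoded';
    plan.body = form.toString();
  } else {
    headers['Content-Type'] = 'application/json';
    plan.body = JSON.stringify(parsed);
  }
  return plan;
}

// Copy headers for debug output with credentials replaced; the original is untouched.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const redacted: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    redacted[name] = name.toLowerCase() === 'authorization' ? '[REDACTED]' : value;
  }
  return redacted;
}
```

Passing the output of `redactHeaders` to the verbose printer, rather than the live header map, keeps the token out of stderr while the real request still carries it.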

Comment thread src/sonarqube/client.ts
Comment thread src/sonarqube/client.ts
sonar-review-alpha[bot]

This comment was marked as resolved.

subdavis (Member, Author) commented Apr 2, 2026

> CRITICAL—Token Exposure. The --verbose flag logs headers and bodies to stderr. Make sure tokens are redacted. I've survived three bear attacks; I know the importance of not leaving your scent around.

See above

> HIGH—Content-Type Misrouting. If the heuristic guesses wrong, requests silently fail or behave unexpectedly. Users won't know why their payload didn't work. This needs test coverage for as many real endpoints as possible.

True! After looking at the existing API specs, I believe the heuristic is correct, but someone else should verify. I believe there's value in intelligently handling content-type instead of making this the user's responsibility.

sonar-review-alpha[bot]

This comment was marked as outdated.

sonar-review-alpha[bot]

This comment was marked as outdated.

sonar-review-alpha[bot]

This comment was marked as resolved.

Co-authored-by: sonar-review-alpha[bot] <266116024+sonar-review-alpha[bot]@users.noreply.github.com>
sonar-review-alpha[bot]

This comment was marked as outdated.

subdavis (Member, Author) commented Apr 8, 2026

sonar api QA Runbook

Manual QA for the sonar api <method> <endpoint> command against SonarQube Cloud (read-only).


1. Authentication and Project Health

sonar api get "/api/authentication/validate"
sonar api get "/api/qualitygates/project_status?projectKey=SonarSource_sonarqube-cli"
sonar api get "/api/favorites/search"

2. Issue Triage

sonar api get "/api/issues/search?componentKeys=SonarSource_sonarqube-cli&ps=5&s=SEVERITY"
sonar api get "/api/issues/changelog?issue=AZ0GStU__WfdhTH6JEc0"
sonar api get "/api/issues/tags?organization=sonarsource&ps=10"

3. Rules and Quality Profiles

sonar api get "/api/rules/search?languages=ts&ps=3&organization=sonarsource"
sonar api get "/api/qualityprofiles/search?language=ts&organization=sonarsource"
sonar api get "/api/languages/list"

4. Metrics and Measures

sonar api get "/api/measures/component?component=SonarSource_sonarqube-cli&metricKeys=coverage,ncloc,bugs,vulnerabilities,code_smells"
sonar api get "/api/measures/component_tree?component=SonarSource_sonarqube-cli&metricKeys=ncloc,coverage&ps=5&s=metric,name&metricSort=ncloc&metricSortFilter=withMeasuresOnly&asc=false"
sonar api get "/api/metrics/search?ps=5"

5. V2 APIs and User Info

sonar api get "/api/v2/sca/enabled?project=SonarSource_sonarqube-cli"
sonar api get "/api/v2/sca/feature-enabled?organization=sonarsource"
sonar api get "/api/v2/clean-code-policy/mode?projectKey=SonarSource_sonarqube-cli"
sonar api get "/api/v2/users-management/users?pageSize=3"
sonar api get "/api/v2/system/health"
sonar api get "/api/v2/authorizations/groups?organization=sonarsource"
sonar api get "/api/users/current"
sonar api get "/api/system/status"

6. Security Hotspots and Analysis

sonar api get "/api/hotspots/search?projectKey=SonarSource_sonarqube-cli"
sonar api get "/api/ce/component?component=SonarSource_sonarqube-cli"
sonar api get "/api/duplications/show?key=SonarSource_sonarqube-cli:src/index.ts"
sonar api get "/api/components/search?qualifiers=TRK&organization=sonarsource&q=sonarqube-cli&ps=3"
sonar api get "/api/authentication/validate" -v

| # | Story | Endpoints | Status |
| --- | --- | --- | --- |
| 1 | Auth & project health | authentication/validate, qualitygates/project_status, favorites/search | Pass |
| 2 | Issue triage | issues/search, issues/changelog, issues/tags | Pass |
| 3 | Rules & quality profiles | rules/search, qualityprofiles/search, languages/list | Pass |
| 4 | Metrics & measures | measures/component, measures/component_tree, metrics/search | Pass |
| 5 | V2 APIs & user info | v2/sca/* (404 expected), v2/users-management/* (404 expected), users/current, system/status | Pass |
| 6 | Security & analysis | hotspots/search, ce/component, duplications/show, components/search | Pass |

sonarqubecloud bot commented Apr 8, 2026

sonar-review-alpha bot (Contributor) left a comment

Conclusion: Solid feature with good test coverage and well-thought-out routing logic. There is one bug to fix before merge: Content-Type is being sent on bodyless requests.


Comment thread src/sonarqube/client.ts
kirill-knize-sonarsource (Member) left a comment

LGTM!
Thanks a lot for this valuable contribution!

Comment thread src/cli/commands/api/api.ts Outdated
Comment thread src/sonarqube/client.ts
@subdavis subdavis merged commit 4f4a3ad into master Apr 8, 2026
12 checks passed
@subdavis subdavis deleted the bd/feature/generic-api-tool branch April 8, 2026 16:05