What permissions does the SonarCloud API token need?

The token must have 'Administer Security Hotspots' and 'Administer Issues' permissions for the specific projects you are triaging.

Can I test the updates before they go live?

Yes, the skill includes a --dry-run flag that simulates the process and shows you exactly which changes would be made without calling the API.

Is this compatible with the SonarCloud Security Audit skill?

Perfectly. The Triage skill is designed to ingest the CSV output generated by the SonarCloud Security Audit skill once the triage columns are added.

How does the skill match CSV rows to SonarCloud issues?

The skill intelligently parses the URL column in your CSV to extract the unique Issue or Hotspot keys required by the SonarCloud API.

What happens if a transition is invalid in SonarCloud?

If a status transition is not allowed (e.g., trying to close an already closed issue), the script logs a 400 error for that row and continues with the remaining updates.

SonarCloud Security Triage

Name: SonarCloud Security Triage
Author: NASA-PDS

byNASA-PDS

0•

Security & Testing

Applies bulk triage decisions to SonarCloud security hotspots and vulnerabilities using CSV-based review data and API automation.

The SonarCloud Security Triage skill streamlines the security remediation workflow by allowing developers to apply bulk status changes to security issues directly from a structured CSV file. It bridges the gap between manual security audits and SonarCloud's reporting interface, enabling teams to process hundreds of items—such as marking hotspots as safe or vulnerabilities as 'won't fix'—efficiently via the SonarCloud API. This tool is especially powerful for large-scale projects where UI-based updates are time-prohibitive, offering a programmatic way to include reviewer comments and audit trails back into the SonarCloud ecosystem.

Key Features

01Automatic extraction of issue keys from SonarCloud URLs

02Bulk status updates for Security Hotspots (TO_REVIEW to REVIEWED)

03Dry-run mode to preview API changes before application

04Transition management for Vulnerabilities (Confirm, False Positive, Won't Fix, Resolve)

050 GitHub stars

06Comprehensive logging of success, failure, and rate-limiting handling

Use Cases

01Mass-closing legacy security hotspots with standard 'Safe' justifications

02Synchronizing offline spreadsheet-based security reviews with the SonarCloud dashboard

03Applying hundreds of triage decisions after a team-wide security audit session

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add nasa-pds/pds-agent-skills sonarcloud-security-triage

For use in Claude.ai and ChatGPT

Key Features

01Automatic extraction of issue keys from SonarCloud URLs

02Bulk status updates for Security Hotspots (TO_REVIEW to REVIEWED)

03Dry-run mode to preview API changes before application

04Transition management for Vulnerabilities (Confirm, False Positive, Won't Fix, Resolve)

050 GitHub stars

06Comprehensive logging of success, failure, and rate-limiting handling

Use Cases

01Mass-closing legacy security hotspots with standard 'Safe' justifications

02Synchronizing offline spreadsheet-based security reviews with the SonarCloud dashboard

03Applying hundreds of triage decisions after a team-wide security audit session

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add nasa-pds/pds-agent-skills sonarcloud-security-triage

For use in Claude.ai and ChatGPT