CLI-115 Generic API tool for any sonarqube cloud api

[subdavis]

General API client using built-in templates

This is a vibe-coded proof of concept based on gh api and a similar tool I built before.

Give power users the ability to build reusable automations and agent skills to do anything through the SonarQube Cloud API.

Slack thread: https://sonarsource.slack.com/archives/C0ADT7VMGHW/p1772447653087179

Template variables

• {organization}
• {project}

Examples

• sonar api get '/api/issues/search?projects={project}&organization={organization}
• sonar api post '/api/user_tokens/generate' --data '{"name":"test-cli-token"}'
• sonar api get '/api/system/status'
• sonar api get '/api/organizations/search?member=true'
• sonar api get '/sca/releases?projectKey={project}'

V1 vs V2 Behavior

• v1 endpoints take url params or form data
• v2 endpoints take JSON body
• endpoints that do NOT begin with /api use SONARCLOUD_API_URL
• This tool figures out which to use so the user doesn't have to know.

Draft status. I'll clean up the code later if we want to pursue this.

If this feature could be considered in-scope, we can refine the interface and make sure we're covering all the edge cases.

please don't do a code review yet :)

[hashicorp-vault-sonar-prod]

CLI-115

[sonarqube-agent]

Remediation Agent Summary 📊

🤖 To review: The 1 issues found require manual fixes.

Issues requiring manual fix (1)

Quality	Issue
Maintainability 🟡 Low	Prefer `String#replaceAll()` over `String#replace()`. Why is this an issue? View this issue in SonarQube Cloud

Note

Help us improve the Agent!
Have a suggestion or found an issue? Share your feedback here.

[damien-urruty-sonarsource]

Hi @subdavis! Thanks for the contribution 🙏

We are reconsidering our command tree and discussing with the team what the top-level commands should be. We will definitely consider this PR and use case in the reflection. Give me a couple of days and I will come back to you

[sonarqubecloud]

SonarQube reviewer guide

Summary: Add a new api command enabling authenticated HTTP requests to SonarQube/SonarCloud endpoints with support for GET, POST, PATCH, DELETE methods, template variable substitution, and intelligent content-type handling.

Review Focus:

• Input validation in api.ts (method whitelist, endpoint format, data constraints) — ensure all validation paths are covered
• SonarCloud URL routing logic in resolveBaseUrl() — verify correct host selection for /api vs non-/api endpoints
• Content-Type detection (form vs JSON encoding) and form-encoding implementation in api-request.ts — this is critical for v1 API compatibility
• Template variable substitution with URI encoding in url-template.ts — ensure special characters are properly escaped
• Build script change: removing the validate step may skip linting/checks — confirm this is intentional

Start review at: src/cli/commands/api.ts. This is the command entry point that orchestrates auth resolution, template substitution, API requests, and error handling. Understanding the control flow here will clarify how the supporting modules (api-request.ts, url-template.ts) are used.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
99.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[damien-urruty-sonarsource]

@subdavis small update, we have this epic planned at the beginning of Q2: https://sonarsource.atlassian.net/browse/CLI-100. We likely won't touch this PR until then