SkillRepo
Sign InSign Up
Catalog
affaan-m/quarkus-verification

affaan-m

quarkus-verification

Verification loop for Quarkus projects: build, static analysis, tests with coverage, security scans, native compilation, and diff review before release or PR.

global
0installs0uses~2.6k
v1.0Saved May 15, 2026

Quarkus Verification Loop

Run before PRs, after major changes, and pre-deploy.

When to Activate

  • Before opening a pull request for a Quarkus service
  • After major refactoring or dependency upgrades
  • Pre-deployment verification for staging or production
  • Running full build → lint → test → security scan → native compilation pipeline
  • Validating test coverage meets thresholds (80%+)
  • Testing native image compatibility

Phase 1: Build

# Maven
mvn clean verify -DskipTests

# Gradle
./gradlew clean assemble -x test

If build fails, stop and fix compilation errors.

Phase 2: Static Analysis

Checkstyle, PMD, SpotBugs (Maven)

mvn checkstyle:check pmd:check spotbugs:check

SonarQube (if configured)

mvn sonar:sonar \
  -Dsonar.projectKey=my-quarkus-project \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=${SONAR_TOKEN}

Common Issues to Address

  • Unused imports or variables
  • Complex methods (high cyclomatic complexity)
  • Potential null pointer dereferences
  • Security issues flagged by SpotBugs

Phase 3: Tests + Coverage

# Run all tests
mvn clean test

# Generate coverage report
mvn jacoco:report

# Enforce coverage threshold (80%)
mvn jacoco:check

# Or with Gradle
./gradlew test jacocoTestReport jacocoTestCoverageVerification

Test Categories

Unit Tests

Test service logic with mocked dependencies:

@ExtendWith(MockitoExtension.class)
class UserServiceTest {
  @Mock UserRepository userRepository;
  @InjectMocks UserService userService;

  @Test
  void createUser_validInput_returnsUser() {
    var dto = new CreateUserDto("Alice", "alice@example.com");

    // Panache persist() is void — use doNothing + verify
    doNothing().when(userRepository).persist(any(User.class));

    User result = userService.create(dto);

    assertThat(result.name).isEqualTo("Alice");
    verify(userRepository).persist(any(User.class));
  }
}

Integration Tests

Test with real database (Testcontainers):

@QuarkusTest
@QuarkusTestResource(PostgresTestResource.class)
class UserRepositoryIntegrationTest {

  @Inject
  UserRepository userRepository;

  @Test
  @Transactional
  void findByEmail_existingUser_returnsUser() {
    User user = new User();
    user.name = "Alice";
    user.email = "alice@example.com";
    userRepository.persist(user);

    Optional<User> found = userRepository.findByEmail("alice@example.com");

    assertThat(found).isPresent();
    assertThat(found.get().name).isEqualTo("Alice");
  }
}

API Tests

Test REST endpoints with REST Assured:

@QuarkusTest
class UserResourceTest {

  @Test
  void createUser_validInput_returns201() {
    given()
        .contentType(ContentType.JSON)
        .body("""
            {"name": "Alice", "email": "alice@example.com"}
            """)
        .when().post("/api/users")
        .then()
        .statusCode(201)
        .body("name", equalTo("Alice"));
  }

  @Test
  void createUser_invalidEmail_returns400() {
    given()
        .contentType(ContentType.JSON)
        .body("""
            {"name": "Alice", "email": "invalid"}
            """)
        .when().post("/api/users")
        .then()
        .statusCode(400);
  }
}

Coverage Report

Check target/site/jacoco/index.html for detailed coverage:

  • Overall line coverage (target: 80%+)
  • Branch coverage (target: 70%+)
  • Identify uncovered critical paths

Phase 4: Security Scanning

Dependency Vulnerabilities (Maven)

mvn org.owasp:dependency-check-maven:check

Review target/dependency-check-report.html for CVEs.

Quarkus Security Audit

# Check vulnerable extensions
mvn quarkus:audit

# List all extensions
mvn quarkus:list-extensions

OWASP ZAP (API Security Testing)

docker run -t owasp/zap2docker-stable zap-api-scan.py \
  -t http://localhost:8080/q/openapi \
  -f openapi

Common Security Checks

  • All secrets in environment variables (not in code)
  • Input validation on all endpoints
  • Authentication/authorization configured
  • CORS properly configured
  • Security headers set
  • Passwords hashed with BCrypt
  • SQL injection protection (parameterized queries)
  • Rate limiting on public endpoints

Phase 5: Native Compilation

Test GraalVM native image compatibility:

# Build native executable
mvn package -Dnative

# Or with container
mvn package -Dnative -Dquarkus.native.container-build=true

# Test native executable
./target/*-runner

# Run basic smoke tests
curl http://localhost:8080/q/health/live
curl http://localhost:8080/q/health/ready

Native Image Troubleshooting

Common issues:

  • Reflection: Add reflection config for dynamic classes
  • Resources: Include resources with quarkus.native.resources.includes
  • JNI: Register JNI classes if using native libraries

Example reflection config:

@RegisterForReflection(targets = {MyDynamicClass.class})
public class ReflectionConfiguration {}

Phase 6: Performance Testing

Load Testing with K6

// load-test.js
import http from 'k6/http';
import { check } from 'k6';

export const options = {
  stages: [
    { duration: '30s', target: 50 },
    { duration: '1m', target: 100 },
    { duration: '30s', target: 0 },
  ],
};

export default function () {
  const res = http.get('http://localhost:8080/api/markets');
  check(res, {
    'status is 200': (r) => r.status === 200,
    'response time < 200ms': (r) => r.timings.duration < 200,
  });
}

Run:

k6 run load-test.js

Metrics to Monitor

  • Response time (p50, p95, p99)
  • Throughput (requests/sec)
  • Error rate
  • Memory usage
  • CPU usage

Phase 7: Health Checks

# Liveness
curl http://localhost:8080/q/health/live

# Readiness
curl http://localhost:8080/q/health/ready

# All health checks
curl http://localhost:8080/q/health

# Metrics (if enabled)
curl http://localhost:8080/q/metrics

Expected responses:

{
  "status": "UP",
  "checks": [
    {
      "name": "Database connection",
      "status": "UP"
    }
  ]
}

Phase 8: Container Image Build

# Build container image
mvn package -Dquarkus.container-image.build=true

# Or with specific registry
mvn package \
  -Dquarkus.container-image.build=true \
  -Dquarkus.container-image.registry=docker.io \
  -Dquarkus.container-image.group=myorg \
  -Dquarkus.container-image.tag=1.0.0

# Test container
docker run -p 8080:8080 myorg/my-quarkus-app:1.0.0

Container Security Scan

# Trivy
trivy image myorg/my-quarkus-app:1.0.0

# Grype
grype myorg/my-quarkus-app:1.0.0

Phase 9: Configuration Validation

# Check all configuration properties
mvn quarkus:info

# List all config sources
curl http://localhost:8080/q/dev/io.quarkus.quarkus-vertx-http/config

Environment-Specific Checks

  • Database URLs configured per environment
  • Secrets externalized (Vault, env vars)
  • Logging levels appropriate
  • CORS origins set correctly
  • Rate limiting configured
  • Monitoring/tracing enabled

Phase 10: Documentation Review

  • OpenAPI/Swagger docs up to date (/q/swagger-ui)
  • README has setup instructions
  • API changes documented
  • Migration guide for breaking changes
  • Configuration properties documented

Generate OpenAPI spec:

curl http://localhost:8080/q/openapi -o openapi.json

Verification Checklist

Code Quality

  • Build passes without warnings
  • Static analysis clean (no high/medium issues)
  • Code follows team conventions
  • No commented-out code or TODOs in PR

Testing

  • All tests pass
  • Code coverage ≥ 80%
  • Integration tests with real database
  • Security tests pass
  • Performance within acceptable limits

Security

  • No dependency vulnerabilities
  • Authentication/authorization tested
  • Input validation complete
  • Secrets not in source code
  • Security headers configured

Deployment

  • Native compilation successful
  • Container image builds
  • Health checks respond correctly
  • Configuration valid for target environment

Native Image

  • Native executable builds
  • Native tests pass
  • Startup time < 100ms
  • Memory footprint acceptable

Automated Verification Script

#!/bin/bash
set -e

echo "=== Phase 1: Build ==="
mvn clean verify -DskipTests

echo "=== Phase 2: Static Analysis ==="
mvn checkstyle:check pmd:check spotbugs:check

echo "=== Phase 3: Tests + Coverage ==="
mvn test jacoco:report jacoco:check

echo "=== Phase 4: Security Scan ==="
mvn org.owasp:dependency-check-maven:check

echo "=== Phase 5: Native Compilation ==="
mvn package -Dnative -Dquarkus.native.container-build=true

echo "=== All Phases Complete ==="
echo "Review reports:"
echo "  - Coverage: target/site/jacoco/index.html"
echo "  - Security: target/dependency-check-report.html"
echo "  - Native: target/*-runner"

CI/CD Integration

GitHub Actions Example

name: Verification

on: [push, pull_request]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Set up JDK 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'
      
      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
      
      - name: Build
        run: mvn clean verify -DskipTests
      
      - name: Test with Coverage
        run: mvn test jacoco:report jacoco:check
      
      - name: Security Scan
        run: mvn org.owasp:dependency-check-maven:check
      
      - name: Upload Coverage
        uses: codecov/codecov-action@v3
        with:
          files: target/site/jacoco/jacoco.xml

Best Practices

  • Run verification loop before every PR
  • Automate in CI/CD pipeline
  • Fix issues immediately; don't accumulate debt
  • Keep coverage above 80%
  • Update dependencies regularly
  • Test native compilation periodically
  • Monitor performance trends
  • Document breaking changes
  • Review security scan results
  • Validate configuration for each environment
Files1
1 files · 1.0 KB

Select a file to preview

Overall Score

82/100

Grade

B

Good

Safety

80

Quality

84

Clarity

86

Completeness

78

Summary

This skill guides AI agents through a comprehensive multi-phase verification loop for Quarkus projects, including build, static analysis, tests with coverage measurement, security scans, native compilation, and health checks. It provides concrete command examples, code samples, and checklists to validate code quality, security, and deployment readiness before PR submission or release.

Static Analysis Findings

1 finding

Patterns detected by deterministic static analysis before AI scoring. Hover over any finding code for detailed information and remediation guidance.

Network Access
SEC-060Outbound Network Request8x in 1 file

Outbound network request (curl/wget/fetch)

SKILL.mdcurl http://8x
50% confidenceCWE-918: Server-Side Request Forgery (SSRF)

Detected Capabilities

shell-executionmaven-build-commandsgradle-build-commandsdocker-image-operationsfile-readhttp-requestscurl-commandslogging-and-output

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

quarkus verificationpre-pull-request checkstest coverage validationnative compilationsecurity scanningbuild-test-verify loop

Risk Signals

INFO

curl http://localhost:8080 (multiple health check, metric, and OpenAPI endpoints)

SKILL.md | Phases 5, 7, 9, 10
INFO

SonarQube server connection with -Dsonar.login=${SONAR_TOKEN} environment variable reference

SKILL.md | Phase 2
INFO

Docker API security scanning (Trivy, Grype) for container images

SKILL.md | Phase 8
INFO

Dependency vulnerability scanning via OWASP ZAP and dependency-check

SKILL.md | Phases 4, 8

Referenced Domains

External domains referenced in skill content, detected by static analysis.

localhost

Use Cases

  • >before-opening-pull-requests
  • verify-dependency-vulnerabilities
  • validate-test-coverage-thresholds
  • compile-native-image-compatibility
  • run-full-verification-pipeline
  • perform-security-and-performance-testing

Quality Notes

  • Comprehensive multi-phase structure with clear progression from build through verification
  • Excellent use of concrete code examples (Java test patterns, Bash scripts, GitHub Actions YAML)
  • Well-organized checklist at end provides clear acceptance criteria for verification completion
  • Clear scope boundaries: limited to Quarkus/Maven/Gradle ecosystems; does not touch production deployment or credential management directly
  • Good error handling guidance: 'If build fails, stop and fix compilation errors'
  • Includes both Maven and Gradle alternatives, acknowledging different build systems
  • Test code examples cover unit, integration, and API testing with appropriate Quarkus annotations
  • Native image troubleshooting section addresses common GraalVM reflection and resource issues
  • GitHub Actions CI/CD example provides production-ready template
  • Phases are independent and can be run selectively, providing flexibility
Model: claude-haiku-4-5-20251001Analyzed: May 15, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add affaan-m/quarkus-verification to your library

Get Started Free

Command Palette

Search for a command to run...