affaan-m/springboot-verification

Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.

v1.1 · Saved May 11, 2026

Spring Boot Verification Loop

Run before PRs, after major changes, and pre-deploy.

When to Activate

  • Before opening a pull request for a Spring Boot service
  • After major refactoring or dependency upgrades
  • Pre-deployment verification for staging or production
  • Running full build → lint → test → security scan pipeline
  • Validating test coverage meets thresholds

Phase 1: Build

mvn -T 4 clean verify -DskipTests
# or
./gradlew clean assemble -x test

If the build fails, stop and fix it before moving on.

Phase 2: Static Analysis

Maven (common plugins):

mvn -T 4 spotbugs:check pmd:check checkstyle:check

Gradle (if configured):

./gradlew checkstyleMain pmdMain spotbugsMain

Phase 3: Tests + Coverage

mvn -T 4 test
mvn jacoco:report   # verify 80%+ coverage
# or
./gradlew test jacocoTestReport

Report:

  • Total tests, passed/failed
  • Coverage % (lines/branches)
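
The `jacoco:report` step only writes a report; nothing fails when coverage drops below 80%. The script below is an added example, not part of the original skill, that turns the threshold into an exit code by reading JaCoCo's CSV report. The function names, the sample data, and the choice to apply the same bar to both lines and branches are assumptions.

```sh
# Added example, not part of the original skill: enforce the coverage bar from
# JaCoCo's CSV report (Maven default location: target/site/jacoco/jacoco.csv).

# coverage_pct <csv> <LINE|BRANCH>: print whole-number percent; non-zero exit if unusable.
coverage_pct() {
  awk -F, -v kind="$2" '
    NR == 1 {                                   # locate columns by header name
      for (i = 1; i <= NF; i++) {
        if ($i == (kind "_MISSED"))  m = i
        if ($i == (kind "_COVERED")) c = i
      }
      if (!m || !c) { bad = 2; exit }           # not a JaCoCo CSV
      next
    }
    { missed += $m; covered += $c }
    END {
      if (bad) exit bad
      if (missed + covered == 0) exit 3         # nothing measured is a failure, not 100%
      printf "%d\n", int(100 * covered / (missed + covered))
    }' "$1"
}

# coverage_gate <csv> <min_percent>: return 0 only if line AND branch coverage meet the bar.
coverage_gate() (
  status=0
  for kind in LINE BRANCH; do
    if ! pct=$(coverage_pct "$1" "$kind"); then
      echo "FAIL $kind: no usable coverage data in $1" >&2; status=1
    elif [ "$pct" -lt "$2" ]; then
      echo "FAIL $kind coverage ${pct}% < $2%" >&2; status=1
    else
      echo "PASS $kind coverage ${pct}%"
    fi
  done
  return "$status"
)

# write_sample_csv <path>: constructed report (two classes) so the example runs offline.
write_sample_csv() {
  cat > "$1" <<'EOF'
GROUP,PACKAGE,CLASS,INSTRUCTION_MISSED,INSTRUCTION_COVERED,BRANCH_MISSED,BRANCH_COVERED,LINE_MISSED,LINE_COVERED,COMPLEXITY_MISSED,COMPLEXITY_COVERED,METHOD_MISSED,METHOD_COVERED
demo,com.example.user,UserService,10,190,4,12,5,45,3,12,0,8
demo,com.example.user,UserController,40,60,6,2,10,40,5,4,1,5
EOF
}

sample=$(mktemp) && write_sample_csv "$sample"
coverage_gate "$sample" 80 || echo "Tests: FAIL (coverage below threshold)"
rm -f "$sample"
```

On the constructed sample, line coverage is 85% and branch coverage is 58%, so the gate fails on branches even though lines clear the bar.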

Unit Tests

Test service logic in isolation with mocked dependencies:

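import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;

@ExtendWith(MockitoExtension.class)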
class UserServiceTest {

  @Mock private UserRepository userRepository;
  @InjectMocks private UserService userService;

  @Test
  void createUser_validInput_returnsUser() {
    var dto = new CreateUserDto("Alice", "alice@example.com");
    var expected = new User(1L, "Alice", "alice@example.com");
    when(userRepository.save(any(User.class))).thenReturn(expected);

    var result = userService.create(dto);

    assertThat(result.name()).isEqualTo("Alice");
    verify(userRepository).save(any(User.class));
  }

  @Test
  void createUser_duplicateEmail_throwsException() {
    var dto = new CreateUserDto("Alice", "existing@example.com");
    when(userRepository.existsByEmail(dto.email())).thenReturn(true);

    assertThatThrownBy(() -> userService.create(dto))
        .isInstanceOf(DuplicateEmailException.class);
  }
}

Integration Tests with Testcontainers

Test against a real database instead of H2:

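import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.DynamicPropertyRegistry;
import org.springframework.test.context.DynamicPropertySource;
import org.testcontainers.containers.PostgreSQLContainer;
import org.testcontainers.junit.jupiter.Container;
import org.testcontainers.junit.jupiter.Testcontainers;

@SpringBootTest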
@Testcontainers
class UserRepositoryIntegrationTest {

  @Container
  static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:16-alpine")
      .withDatabaseName("testdb");

  @DynamicPropertySource
  static void configureProperties(DynamicPropertyRegistry registry) {
    registry.add("spring.datasource.url", postgres::getJdbcUrl);
    registry.add("spring.datasource.username", postgres::getUsername);
    registry.add("spring.datasource.password", postgres::getPassword);
  }

  @Autowired private UserRepository userRepository;

  @Test
  void findByEmail_existingUser_returnsUser() {
    userRepository.save(new User("Alice", "alice@example.com"));

    var found = userRepository.findByEmail("alice@example.com");

    assertThat(found).isPresent();
    assertThat(found.get().getName()).isEqualTo("Alice");
  }
}

API Tests with MockMvc

Test controller layer with full Spring context:

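import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(UserController.class)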
class UserControllerTest {

  @Autowired private MockMvc mockMvc;
  @MockBean private UserService userService;

  @Test
  void createUser_validInput_returns201() throws Exception {
    var user = new UserDto(1L, "Alice", "alice@example.com");
    when(userService.create(any())).thenReturn(user);

    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "alice@example.com"}
                """))
        .andExpect(status().isCreated())
        .andExpect(jsonPath("$.name").value("Alice"));
  }

  @Test
  void createUser_invalidEmail_returns400() throws Exception {
    mockMvc.perform(post("/api/users")
            .contentType(MediaType.APPLICATION_JSON)
            .content("""
                {"name": "Alice", "email": "not-an-email"}
                """))
        .andExpect(status().isBadRequest());
  }
}

Phase 4: Security Scan

# Dependency CVEs
mvn org.owasp:dependency-check-maven:check
# or
./gradlew dependencyCheckAnalyze

# Secrets in source
grep -rn "password\s*=\s*\"" src/ --include="*.java" --include="*.yml" --include="*.properties"
grep -rn "sk-\|api_key\|secret" src/ --include="*.java" --include="*.yml"

# Secrets (git history)
git secrets --scan-history  # if configured; plain --scan only checks the working tree

Common Security Findings

# Check for System.out.println (use logger instead)
grep -rn "System\.out\.print" src/main/ --include="*.java"

# Check for raw exception messages in responses
grep -rn "e\.getMessage()" src/main/ --include="*.java"

# Check for wildcard CORS
grep -rn "allowedOrigins.*\*" src/main/ --include="*.java"
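
The "Secrets in source" greps in Phase 4 match on keywords alone, so they also flag `${ENV_VAR}` placeholders and ordinary code such as `getPassword()`, and they never fail the run. The script below is an added example, not part of the original skill, that goes slightly beyond the page's patterns (extra keywords, `.yaml` files) and returns a non-zero status only for literal values. The regexes, function names and sample files are assumptions constructed for illustration.

```sh
# Added example, not part of the original skill: a secrets gate with fewer false positives
# than a bare keyword grep. Regexes and sample files are constructed; tune per project.

KEYS='(password|passwd|secret|api[_-]?key|token)'

# scan_secrets <dir>: print file:line:text for likely hardcoded secrets; return 1 if any.
scan_secrets() (
  # Java: keyword-named identifier assigned a quoted literal (method calls are skipped).
  java_re="${KEYS}[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*\"[^\"\$]{4,}\""
  # Config: keyword-named key whose value is non-empty and not a ${...} placeholder.
  conf_re="${KEYS}[A-Za-z0-9_.-]*[[:space:]]*[:=][[:space:]]*[\"']?[^[:space:]\$\"']"
  hits=$(
    grep -rnEi --include='*.java' "$java_re" "$1"
    grep -rnEi --include='*.yml' --include='*.yaml' --include='*.properties' "$conf_re" "$1"
  )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
)

# make_sample_tree <dir>: constructed files, one finding each plus a benign lookalike.
make_sample_tree() {
  mkdir -p "$1/src/main/java" "$1/src/main/resources"
  cat > "$1/src/main/resources/application.yml" <<'EOF'
spring:
  datasource:
    password: ${DB_PASSWORD}
  mail:
    password: "constructed-mail-pass"
EOF
  cat > "$1/src/main/java/PaymentClient.java" <<'EOF'
class PaymentClient {
  private static final String API_KEY = "sk-constructed-0000000000";
  String password = form.getPassword();
}
EOF
}

demo=$(mktemp -d) && make_sample_tree "$demo"
scan_secrets "$demo" || echo "Security: FAIL (hardcoded secrets found)"
rm -rf "$demo"
```

The remaining hits still need human triage: a key such as `token-validity-seconds` matches the config rule even though its value is not a secret.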

Phase 5: Lint/Format (optional gate)

mvn spotless:apply   # if using Spotless plugin
# or
./gradlew spotlessApply

Phase 6: Diff Review

git diff --stat
git diff

Checklist:

  • No debugging logs left (System.out, log.debug without guards)
  • Meaningful errors and HTTP statuses
  • Transactions and validation present where needed
  • Config changes documented

Output Template

VERIFICATION REPORT
===================
Build:     [PASS/FAIL]
Static:    [PASS/FAIL] (spotbugs/pmd/checkstyle)
Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
Security:  [PASS/FAIL] (CVE findings: N)
Diff:      [X files changed]

Overall:   [READY / NOT READY]

Issues to Fix:
1. ...
2. ...

Continuous Mode

  • Re-run phases on significant changes or every 30–60 minutes in long sessions
  • Keep a short loop: mvn -T 4 test + spotbugs for quick feedback

Remember: Fast feedback beats late surprises. Keep the gate strict—treat warnings as defects in production systems.


Overall Score: 82/100 (Grade B, Good)

  • Safety: 80
  • Quality: 85
  • Clarity: 82
  • Completeness: 78

Summary

This skill provides a structured six-phase verification loop for Spring Boot projects covering build, static analysis, testing with coverage, security scanning, linting, and diff review. It guides agents through a comprehensive pre-PR and pre-deployment checklist with practical Maven/Gradle commands, example unit/integration/API tests, and security scanning patterns (CVE checks, secrets detection).

Detected Capabilities

  • maven build execution
  • gradle build execution
  • shell command execution (grep, git diff)
  • static analysis plugin invocation (spotbugs, pmd, checkstyle)
  • test execution with coverage reporting (jacoco)
  • dependency vulnerability scanning (OWASP dependency-check)
  • secrets detection via grep patterns
  • git history inspection

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • verify before pull request
  • spring boot build validation
  • test coverage check
  • security scan java
  • pre-deployment verification
  • dependency cve scan
  • integration test setup
  • maven gradle pipeline

Risk Signals

  • INFO: Grep-based secrets detection using hardcoded patterns (password=, sk-, api_key, secret). Location: Phase 4: Security Scan section
  • INFO: System.out.println detection and analysis of raw exception messages in responses. Location: Phase 4: Common Security Findings subsection
  • INFO: git secrets --scan conditional execution (if configured). Location: Phase 4: Secrets section
  • INFO: Maven/Gradle plugin execution with verify and test goals. Location: Phase 1-3: Build, Analysis, Tests sections

Use Cases

  • Before opening a pull request to ensure code quality and test coverage standards are met
  • Pre-deployment verification for staging or production environments to catch regressions and security issues
  • Post-refactoring validation to confirm that major changes maintain test coverage and code quality thresholds
  • Dependency upgrade verification to identify new CVEs and ensure no breaking changes
  • CI/CD pipeline integration to run automated verification gates before merging

Quality Notes

  • Well-structured six-phase pipeline with clear progression and decision gates (build → static → test → security → lint → review)
  • Practical, production-ready commands for both Maven and Gradle ecosystems with parallel execution flags (-T 4)
  • Comprehensive test examples covering unit tests (Mockito), integration tests (Testcontainers), and API tests (MockMvc) with clear patterns
  • Security scanning includes both dependency CVE checks and source-level secrets detection with reasonable pattern matching
  • Output template provided to structure results and make pass/fail status clear at a glance
  • Continuous mode guidance for fast feedback loops during development
  • Grep patterns for common anti-patterns (System.out.println, raw exceptions, wildcard CORS) are practical and well-chosen
  • Coverage threshold (80%+) explicitly mentioned but not enforced programmatically — guidance relies on agent interpretation

Model: claude-haiku-4-5-20251001 · Analyzed: May 11, 2026


Version History

  • v1.1 (2026-04-20, latest): Content updated
  • v1.0 (2026-03-16): Seeded from github.com/affaan-m/everything-claude-code
