# code-quality-setup

Use when setting up or configuring code quality tools (formatters, linters, type checkers, dependency scanners) for a repository. Also use when adding visual accessibility automation or security baseline scanning. Do not use for general coding or when tools are already configured.

## Install Command

```
npx skills add metyatech/skill-code-quality-setup
```

## SKILL.md
---
name: code-quality-setup
description: Use when setting up or configuring code quality tools (formatters, linters, type checkers, dependency scanners) for a repository. Also use when adding visual accessibility automation or security baseline scanning. Do not use for general coding or when tools are already configured.
---

# Code quality setup

## Per-language toolchain

Use the standard toolchain for each language in the repository.

### JavaScript / TypeScript (incl. React/Next)

- Format+lint: ESLint + Prettier.
- When configuring Prettier, always add and maintain `.prettierignore` so generated/build outputs and composed files are not formatted/linted as source (e.g., `dist/`, build artifacts, and `AGENTS.md` when generated by compose-agentsmd).
- Typecheck: `tsc` with strict settings for TS projects.
- Dependency scan: `osv-scanner`. If unsupported, use the package manager's audit tooling.

### Python

- Format+lint: Ruff.
- Typecheck: Pyright.
- Dependency scan: pip-audit.

### Go

- Format: gofmt.
- Lint/static analysis: golangci-lint (includes staticcheck).
- Dependency scan: govulncheck.

### Rust

- Format: cargo fmt.
- Lint/static analysis: cargo clippy with warnings as errors.
- Dependency scan: cargo audit.

### Java

- Format: Spotless + google-java-format.
- Lint/static analysis: Checkstyle + SpotBugs.
- Dependency scan: OWASP Dependency-Check.

### Kotlin

- Format: Spotless + ktlint.
- Lint/static analysis: detekt.
- Compiler: enable warnings-as-errors in CI; if impractical, get explicit user approval before relaxing.

### C#

- Format: dotnet format (verify-no-changes in CI).
- Lint/static analysis: enable .NET analyzers; treat warnings as errors; enable nullable reference types.
- Dependency scan: `dotnet list package --vulnerable`.

### C++

- Format: clang-format.
- Lint/static analysis: clang-tidy.
- Build: enable strong warnings and treat them as errors; run sanitizers (ASan/UBSan) in CI where supported.

### PowerShell

- Format+lint: PSScriptAnalyzer (Invoke-Formatter + Invoke-ScriptAnalyzer).
- Runtime: Set-StrictMode -Version Latest; fail fast on errors.
- Tests: Pester when tests exist.
- Enforce PSScriptAnalyzer via the repo's standard `verify` command/script when PowerShell is used; treat findings as errors.

### Shell (sh/bash)

- Format: shfmt.
- Lint: shellcheck.

### Dockerfile

- Lint: hadolint.

### Terraform

- Format: terraform fmt -check.
- Validate: terraform validate.
- Lint: tflint.
- Security scan: trivy config.

### YAML

- Lint: yamllint.

### Markdown

- Lint: markdownlint.

## Design and visual accessibility automation

Apply this section to projects with web UI components only.

- Enforce automated visual accessibility checks as part of the repo-standard `verify` command and CI.
- Use route discovery (sitemap, generated route lists, or framework route manifests) so newly added pages are automatically included.
- Validate both light and dark themes when theme switching is supported.
- Validate at least default, hover, and focus states for interactive elements.
- Enforce non-text boundary contrast checks across all visible UI elements that present boundaries (including interactive controls and container-like elements), not only predefined component classes.
- Use broad DOM discovery with only minimal technical exclusions (hidden/zero-size/non-rendered nodes).
- Fail CI on violations; do not silently ignore design regressions.
- If temporary exclusions are unavoidable, keep them narrowly scoped, documented with rationale, and remove them promptly.

## Security baseline

- Require dependency vulnerability scanning appropriate to the ecosystem (SCA) for merges. If unavailable, report the limitation and get explicit user approval.
- Enable GitHub secret scanning and remediate findings; never commit secrets. If unavailable, add a repo-local secret scanner.
- Enable CodeQL code scanning for supported languages. If unavailable, use the best alternative for that ecosystem.
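As an added example (not the skill's own script), a POSIX shell `verify` entry point of the kind the toolchain table and the security baseline both refer to: it detects which ecosystems a repository contains from marker files, plans the matching format, lint, type-check and dependency-scan steps, runs them all, and fails if any step reports findings instead of stopping at the first one. The marker-file mapping, the `--plan` flag and the exact tool invocations are this example's assumptions; check flags against the tool versions installed in your CI image.

```shell
#!/bin/sh
# verify.sh (added example, not the skill's own script): repo-standard "verify" entry
# point that runs the per-language toolchain and the SCA step required for merges.
set -eu

TAB=$(printf '\t')

# Emit one "<label><TAB><command>" line per check that applies to the repository.
# Assumption: marker files live at the repository root, where the tools are run.
plan_checks() {
  repo=$1
  if [ -f "$repo/package.json" ]; then
    printf '%s\t%s\n' "prettier" "npx prettier --check ."
    printf '%s\t%s\n' "eslint" "npx eslint ."
    printf '%s\t%s\n' "osv-scanner" "osv-scanner -r ."
    # Strict type-checking only applies when the project is a TS project.
    if [ -f "$repo/tsconfig.json" ]; then
      printf '%s\t%s\n' "tsc" "npx tsc --noEmit"
    fi
  fi
  if [ -f "$repo/pyproject.toml" ] || [ -f "$repo/requirements.txt" ]; then
    printf '%s\t%s\n' "ruff-format" "ruff format --check ."
    printf '%s\t%s\n' "ruff-lint" "ruff check ."
    printf '%s\t%s\n' "pyright" "pyright"
    printf '%s\t%s\n' "pip-audit" "pip-audit"
  fi
  if [ -f "$repo/go.mod" ]; then
    # gofmt -l lists unformatted files; any output is a formatting failure.
    printf '%s\t%s\n' "gofmt" 'test -z "$(gofmt -l .)"'
    printf '%s\t%s\n' "golangci-lint" "golangci-lint run"
    printf '%s\t%s\n' "govulncheck" "govulncheck ./..."
  fi
  if [ -f "$repo/Cargo.toml" ]; then
    printf '%s\t%s\n' "cargo-fmt" "cargo fmt --check"
    printf '%s\t%s\n' "clippy" "cargo clippy --all-targets -- -D warnings"
    printf '%s\t%s\n' "cargo-audit" "cargo audit"
  fi
  if [ -f "$repo/Dockerfile" ]; then
    printf '%s\t%s\n' "hadolint" "hadolint Dockerfile"
  fi
  if ls "$repo"/*.tf >/dev/null 2>&1; then
    printf '%s\t%s\n' "terraform-fmt" "terraform fmt -check"
    printf '%s\t%s\n' "terraform-validate" "terraform validate"
    printf '%s\t%s\n' "tflint" "tflint"
    printf '%s\t%s\n' "trivy-config" "trivy config ."
  fi
  return 0
}

# Read a plan on stdin and run every command inside the repository.
# Every step is executed and reported, so one failure does not hide the others;
# the function returns non-zero if any step failed, which is what CI keys on.
run_checks() {
  repo=$1
  failed=0
  while IFS="$TAB" read -r label cmd; do
    [ -n "$label" ] || continue
    # stdin is redirected so a tool cannot consume the rest of the plan.
    if (cd "$repo" && sh -c "$cmd" </dev/null); then
      echo "PASS $label"
    else
      echo "FAIL $label ($cmd)"
      failed=$((failed + 1))
    fi
  done
  echo "$failed check(s) failed"
  [ "$failed" -eq 0 ]
}

main() {
  case "$1" in
    --plan) plan_checks "${2:-.}" ;;           # show what would run, run nothing
    *) plan_checks "$1" | run_checks "$1" ;;   # run the full verify pass
  esac
}

# Only run when given a repository path, so the functions can be sourced
# by a test harness without side effects.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh verify.sh .` from CI and as the local pre-merge check; `sh verify.sh --plan .` prints the steps that would run, which is a quick way to confirm a newly added ecosystem (say, a first `Cargo.toml`) is picked up automatically rather than needing a hand-edited job list.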