Sonarqube on Daffa Abhipraya

PPL: Quality as a Feedback Loop [Sprint 2, Week 3]

Wed, 15 Apr 2026 00:00:00 +0700

What I Worked On

Two weeks of quality infrastructure: wiring in the tools that measure test quality (week 1), then shortening the feedback loop so that signal actually influences the code being written (week 2). Starting state: 91% line coverage, no mutation testing, integration test coverage missing from SonarQube. Ending state: combined unit + integration coverage in SonarQube, mutmut + Stryker running per-MR with results in the CI comment, API mutation score 80.3%.

PPL: Quality Gates That Actually Block Bad Code

Thu, 09 Apr 2026 00:00:00 +0700

Quality tools are useless if they are not enforced. Our project had SonarQube analyzing every commit, schema fuzzing running against our API, and load tests measuring latency, but every single one of them was set to allow_failure: true. Violations were silently ignored, real bugs slipped through, and nobody noticed because the pipeline was always green. This blog covers how we turned those advisory checks into blocking gates, built automated CI reporting so reviewers could actually see the results, and watched the tools catch a JWT vulnerability, a production crash, and 31 code quality violations that had been accumulating for weeks.

PPL: Code Quality [Sprint 2, Week 2]

Mon, 30 Mar 2026 00:00:00 +0700

What I Worked On

This week I overhauled the CI quality feedback loop with four related MRs. Before this week, quality checks existed but results had to be hunted down manually in GitLab’s CI panel. After this week, every MR automatically receives quality reports as inline comments, and the SonarQube gate blocks merges that would lower the quality standard.

SonarQube Quality Gate in MR Comments

MR !132 (SIRA-231) added a sonar-scan post-processing step that fetches the quality gate result from SonarQube and posts it directly as an MR comment via the GitLab API.

PPL: Fixing a JWT Vulnerability [Sprint 2, Week 1]

Mon, 23 Mar 2026 00:00:00 +0700

What I Worked On

This week I addressed a critical security vulnerability flagged by SonarQube and hardened the CI pipeline so security issues block merges instead of being silently reported.

The JWT Vulnerability (SonarQube S5659)

SonarQube flagged dependencies.py:34 as a CRITICAL vulnerability: jwt.get_unverified_header() reads the JWT header without verifying the signature. This enables the alg:none attack, where an attacker crafts a token with "alg": "none" in the header, causing the library to skip signature verification entirely.

PPL: From 31 Violations to Zero [Sprint 2, Week 1]

Mon, 23 Mar 2026 00:00:00 +0700

What I Worked On

This week I enforced strict quality gates across the entire CI pipeline. The project previously had allow_failure: true on SonarQube and security scans, meaning violations were reported but never blocked merges. I changed that.

SonarQube: 31 Violations → 0

The Violations

SonarQube flagged 31 issues across the codebase:

1 CRITICAL vulnerability: jwt.get_unverified_header() reading JWT headers without signature verification
3 CRITICAL code smells: duplicated string literals, nested component definitions
27 other issues: unused variables, missing Readonly<> on props, duplicate CSS blocks, array index keys

The Fixes

Backend (3 files): Refactored JWT decode to try HS256 first and fall back to asymmetric on DecodeError, eliminating the unverified header call entirely. Extracted duplicated literals to constants.

PPL: Ticket Quality as Code Review [Sprint 2, Week 1]

Mon, 23 Mar 2026 00:00:00 +0700

What I Worked On

This week’s review work had two dimensions: reviewing the ticket board for sync issues (a form of “code review” for project management), and letting SonarQube quality gates act as automated code review for the monitoring MR.

Ticket Board Audit

After creating 64 new tickets, I audited all 150+ active tickets (Backlog, Todo, In Progress, In Review) for contradictions and stale data. This is essentially code review applied to project planning.

PPL: When 91% Test Coverage Means Nothing

Sun, 15 Mar 2026 00:00:00 +0700

We had 91% line coverage and felt good about it. Then we ran mutation testing and scored 0%. Every line of our service layer was executed by tests; almost nothing was actually verified. This is the story of how six advanced testing tools exposed the gap between “code was run” and “code was checked,” and what that means for any team relying on coverage as a quality signal.

Note: Our project is hosted on an internal GitLab instance, so we use the term MR (Merge Request) throughout this blog. If you’re coming from GitHub, MRs are the equivalent of Pull Requests (PRs).

PPL: Code Quality [Sprint 1, Week 3]

Fri, 13 Mar 2026 00:00:00 +0700

What I Worked On

This week I extended the CI quality pipeline with two significant additions: a migration dry-run validation job that catches invalid SQL before merge (MR !67), and ongoing enforcement of zero SonarQube issues across the codebase. The pre-commit hook stack also proved its value by catching issues during the heavy development push of 14 MRs.

New CI Job: Migration Dry-Run Validation

The most impactful quality improvement this week was adding migrate:check to the CI pipeline (MR !67, SIRA-98). This job runs supabase db push --dry-run on every MR pipeline, validating that migration files are syntactically correct and compatible with the remote database before the MR can be merged.

PPL: Static Analysis in SIRA [Sprint 1, Week 2]

Wed, 04 Mar 2026 00:00:00 +0700

The Tool Stack

Layer	Tool	Scope
Frontend lint + format	Biome	TypeScript/TSX, 40+ enforced rules
Frontend dead code	Knip	Unused exports, imports, dependencies
Frontend types	`tsc --noEmit`	TypeScript type checking
Backend lint + format	Ruff	Python, F401/F841 + style rules
Backend types	mypy	Python static types, strict mode
CI quality gate	SonarQube	Coverage, code smells, security hotspots

Pre-commit Hooks (Husky)

Five checks run sequentially on every git commit. A failure at any step blocks the commit:

Sonarqube on Daffa Abhipraya

PPL: Quality as a Feedback Loop [Sprint 2, Week 3]

# What I Worked On

PPL: Quality Gates That Actually Block Bad Code

PPL: Code Quality [Sprint 2, Week 2]

# What I Worked On

# SonarQube Quality Gate in MR Comments

PPL: Fixing a JWT Vulnerability [Sprint 2, Week 1]

# What I Worked On

# The JWT Vulnerability (SonarQube S5659)

PPL: From 31 Violations to Zero [Sprint 2, Week 1]

# What I Worked On

# SonarQube: 31 Violations → 0

# The Violations

# The Fixes

PPL: Ticket Quality as Code Review [Sprint 2, Week 1]

# What I Worked On

# Ticket Board Audit

PPL: When 91% Test Coverage Means Nothing

PPL: Code Quality [Sprint 1, Week 3]

# What I Worked On

# New CI Job: Migration Dry-Run Validation

PPL: Static Analysis in SIRA [Sprint 1, Week 2]

# The Tool Stack

# Pre-commit Hooks (Husky)

What I Worked On

What I Worked On

SonarQube Quality Gate in MR Comments

What I Worked On

The JWT Vulnerability (SonarQube S5659)

What I Worked On

SonarQube: 31 Violations → 0

The Violations

The Fixes

What I Worked On

Ticket Board Audit

What I Worked On

New CI Job: Migration Dry-Run Validation

The Tool Stack

Pre-commit Hooks (Husky)