Cloud Providers

Cloud providers connect SnakeFlow’s Quality Hub to external services (SonarCloud, Snyk, GitHub Code Scanning, and others). They are aimed at teams that already run analysis in CI or on a SaaS dashboard and want those signals next to local checks in the sidebar.

How cloud checks fit in Quality Hub

  1. You select a SnakeFlow project (workspace folder) as usual.
  2. For each provider you care about, you set devManager.quality.<id>.enabled to true and fill in the required tokens or IDs (see each section below).
  3. You run checks from the Quality Hub view (Run / Refresh) or via the command palette (SnakeFlow: Run Quality Checks / shortcut Ctrl+Alt+F if configured).
  4. Enabled providers run in parallel with built-in and CLI checks. Each cloud call uses a short HTTP timeout (about 15 seconds) for the API request.
  5. Results stream into the tree as each provider finishes. You can expand rows for details, open the URL in a browser, or use Send to Chat for the aggregated report.

What cloud checks do not do

Enabling and configuring (common pattern)

  1. Open Settings and search for devManager.quality or the provider name (e.g. sonarcloud).
  2. Set devManager.quality.<id>.enabled to true.
  3. Fill required fields for that provider (each section lists them). Optional fields tune behavior (thresholds, filters, prompts).
  4. Ensure the same repository is wired in the vendor’s UI (Sonar project, Snyk org project, Codecov repo, etc.) and that CI or the vendor’s GitHub app has produced data.

Security: store tokens in User settings if they are personal, or Workspace settings if the whole team shares a project token (be careful committing .vscode/settings.json to git).


SonarCloud (sonarcloud)

Purpose: Surface SonarCloud (or self-hosted SonarQube via serverUrl) quality gate and headline metrics: bugs, vulnerabilities, code smells, coverage %, duplication %, security hotspots.

Prerequisites: SonarCloud project with analyses already run (typically from CI). You need a user token and the project key from Sonar.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.sonarcloud.enabled | Yes | Turn the provider on. |
| devManager.quality.sonarcloud.token | Yes | API token (SonarCloud: My Account → Security). |
| devManager.quality.sonarcloud.projectKey | Yes | Project key from the Sonar project info page. |
| devManager.quality.sonarcloud.serverUrl | No | Default https://sonarcloud.io. Point to your SonarQube server if not using SonarCloud. |

What happens when you run the check

  1. SnakeFlow verifies that token and projectKey are set; otherwise the result is “not configured”.
  2. It sends an authenticated GET request to the Sonar Web API endpoint api/measures/component with metric keys: alert_status, bugs, vulnerabilities, code_smells, coverage, security_hotspots, duplicated_lines_density.
  3. It maps Quality Gate alert_status to pass / warn / fail (OK → pass, WARN → warn, otherwise fail).
  4. It builds a one-line summary (gate + counts + optional coverage and duplication). If hotspots > 0, a short details line is added.
  5. It sets Open in browser to your Sonar dashboard for that project.
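
The mapping in steps 2 to 5, as an added TypeScript example (not SnakeFlow's own source): it indexes a constructed api/measures/component response by metric key, maps alert_status to pass / warn / fail, builds the summary line and adds the hotspot details line. The summary wording and the dashboard URL form (/dashboard?id=<projectKey>) are assumptions for illustration.

```typescript
// Added example, not SnakeFlow's own source. The response below is constructed
// with the metric keys the provider requests; summary wording and the
// /dashboard?id= URL form are assumptions.

export type Status = "pass" | "warn" | "fail";

interface SonarMeasure { metric: string; value?: string }
interface SonarMeasuresResponse { component: { key: string; measures: SonarMeasure[] } }

export interface SonarResult { status: Status; summary: string; details?: string; url: string }

// Quality Gate alert_status: OK -> pass, WARN -> warn, anything else (ERROR, missing) -> fail
export function mapGate(alertStatus: string | undefined): Status {
  if (alertStatus === "OK") return "pass";
  if (alertStatus === "WARN") return "warn";
  return "fail";
}

export function summarizeSonar(resp: SonarMeasuresResponse, serverUrl = "https://sonarcloud.io"): SonarResult {
  // Index measures by metric key; Sonar returns every measure value as a string
  const m = new Map<string, string>();
  for (const { metric, value } of resp.component.measures) {
    if (value !== undefined) m.set(metric, value);
  }
  const num = (key: string): number => Number(m.get(key) ?? 0);

  const gate = m.get("alert_status");
  const parts = [
    `gate ${gate ?? "UNKNOWN"}`,
    `${num("bugs")} bugs`,
    `${num("vulnerabilities")} vulnerabilities`,
    `${num("code_smells")} code smells`,
  ];
  // Coverage and duplication are optional: mention them only when Sonar reported them
  if (m.has("coverage")) parts.push(`coverage ${num("coverage").toFixed(1)}%`);
  if (m.has("duplicated_lines_density")) parts.push(`duplication ${num("duplicated_lines_density").toFixed(1)}%`);

  const hotspots = num("security_hotspots");
  const base = serverUrl.replace(/\/+$/, "");
  return {
    status: mapGate(gate),
    summary: parts.join(", "),
    details: hotspots > 0 ? `${hotspots} security hotspot(s) to review` : undefined,
    url: `${base}/dashboard?id=${encodeURIComponent(resp.component.key)}`,
  };
}

// Constructed sample response (not captured from a real project)
export const sampleSonarResponse: SonarMeasuresResponse = {
  component: {
    key: "example-org_example-project",
    measures: [
      { metric: "alert_status", value: "ERROR" },
      { metric: "bugs", value: "2" },
      { metric: "vulnerabilities", value: "1" },
      { metric: "code_smells", value: "14" },
      { metric: "coverage", value: "71.3" },
      { metric: "security_hotspots", value: "3" },
      { metric: "duplicated_lines_density", value: "4.0" },
    ],
  },
};

console.log(summarizeSonar(sampleSonarResponse));
```

A failed gate is reported as fail regardless of the counts, which matches the rule that anything other than OK or WARN is a failure; a missing alert_status (for example a project that has never been analysed) therefore also fails rather than silently passing.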

Official docs: SonarQube Cloud Web API


Snyk (snyk)

Purpose: Summarize open issues in a Snyk organization (dependency and code findings Snyk already knows about), grouped by effective severity.

Prerequisites: Snyk org with projects monitored or scanned; REST API token and Organization ID.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.snyk.enabled | Yes | Enable the provider. |
| devManager.quality.snyk.token | Yes | Personal API token from Snyk account settings. |
| devManager.quality.snyk.orgId | Yes | Organization ID (Org settings in the Snyk UI). |
| devManager.quality.snyk.baseUrl | No | Default https://api.snyk.io; use the EU/AU endpoints if your org is regional. |

What happens when you run the check

  1. SnakeFlow checks that token and orgId are set; otherwise the result is “not configured”.
  2. It calls Snyk REST API GET /rest/orgs/{orgId}/issues (paginated limit 1000, non-ignored issues).
  3. It counts issues by severity (critical, high, medium, low).
  4. Status: any critical → fail; any high (and no critical) → warn; otherwise pass.
  5. Summary lists counts by severity or “No vulnerabilities”. Link opens your Snyk org in the browser.

Note: This does not start a new snyk test or monitor job; it only reads the current issue list from the API.

Official docs: Snyk REST API


Codecov (codecov)

Purpose: Show overall test coverage % for a repository as Codecov last reported it, and compare against a threshold you configure.

Prerequisites: Codecov account linked to the repo; CI uploads coverage (e.g. codecov action or CLI).

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.codecov.enabled | Yes | Enable the provider. |
| devManager.quality.codecov.token | Yes | Codecov token (repo upload / API access per Codecov docs). |
| devManager.quality.codecov.owner | Yes | GitHub/GitLab/Bitbucket owner or org. |
| devManager.quality.codecov.repo | Yes | Repository name. |
| devManager.quality.codecov.service | No | github (default), gitlab, or bitbucket. |
| devManager.quality.codecov.threshold | No | Default 80 (%). At or above the threshold → pass; between 90% and 100% of the threshold → warn; below that → fail. |

What happens when you run the check

  1. SnakeFlow validates required fields.
  2. It GETs Codecov API v2: /{service}/{owner}/repos/{repo}/.
  3. If totals.coverage is missing → warn, summary like “No coverage data yet”.
  4. Otherwise it compares coverage % to threshold and sets pass / warn / fail and a numeric score (rounded percent).

Official docs: Codecov API — repo


Coveralls (coveralls)

Purpose: Read published coverage % for a GitHub-mirrored repo from Coveralls’ public JSON badge endpoint (same number you often see on README badges).

Prerequisites: Repo tracked on Coveralls under github/{owner}/{repo}; CI has posted coverage at least once.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.coveralls.enabled | Yes | Enable the provider. |
| devManager.quality.coveralls.owner | Yes | GitHub user or org. |
| devManager.quality.coveralls.repo | Yes | Repository name. |
| devManager.quality.coveralls.threshold | No | Default 80. Same pass / warn / fail band logic as Codecov (relative to the threshold). |

What happens when you run the check

  1. SnakeFlow GETs https://coveralls.io/github/{owner}/{repo}.json with Accept: application/json.
  2. If covered_percent is missing → warn (“No coverage data”).
  3. Otherwise it applies the threshold band and sets score to the rounded percent.
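
The threshold band shared by the Codecov and Coveralls providers, as an added TypeScript example (not the extension's own code). It covers both payload shapes described above (totals.coverage for Codecov, covered_percent for Coveralls), the "no data yet" warn case, and the rounded score. The summary wording is an assumption; the inputs are constructed.

```typescript
// Added example, not SnakeFlow's own source. Band boundaries follow the
// settings tables: at/above threshold -> pass, within 90% of it -> warn,
// below that -> fail. Summary wording is an assumption.

export type Status = "pass" | "warn" | "fail";

export interface CoverageResult { status: Status; score?: number; summary: string }

export function coverageBand(percent: number, threshold = 80): Status {
  if (percent >= threshold) return "pass";
  // threshold * 9 / 10 keeps the warn boundary exact for integer thresholds (no 0.9 rounding)
  if (percent >= (threshold * 9) / 10) return "warn";
  return "fail";
}

function finish(percent: number, threshold: number): CoverageResult {
  const score = Math.round(percent); // numeric score is the rounded percent
  return { status: coverageBand(percent, threshold), score, summary: `Coverage ${score}% (threshold ${threshold}%)` };
}

// Codecov API v2 repo payload: coverage lives under totals.coverage and may be null or absent
export function evaluateCodecov(body: { totals?: { coverage?: number | null } }, threshold = 80): CoverageResult {
  const pct = body.totals?.coverage;
  if (pct === undefined || pct === null) return { status: "warn", summary: "No coverage data yet" };
  return finish(pct, threshold);
}

// Coveralls badge JSON: covered_percent at the top level, same null/absent handling
export function evaluateCoveralls(body: { covered_percent?: number | null }, threshold = 80): CoverageResult {
  const pct = body.covered_percent;
  if (pct === undefined || pct === null) return { status: "warn", summary: "No coverage data" };
  return finish(pct, threshold);
}

// Constructed inputs (not real API responses)
console.log(evaluateCodecov({ totals: { coverage: 76.4 } }));   // warn: 72 <= 76.4 < 80
console.log(evaluateCoveralls({ covered_percent: null }));     // warn: no data
console.log(evaluateCoveralls({ covered_percent: 91.2 }, 90)); // pass
```

Treating "no data" as warn rather than fail is deliberate: a repo whose CI has not uploaded coverage yet should prompt a look, not block the gate the way a genuinely low number does.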

Note: The extension's URL path is GitHub-specific (/github/). For private repos, Coveralls may require authentication; the implementation can send Authorization: token … if you add a token key manually in settings.json where supported. Prefer fixing repository visibility according to the Coveralls docs for your setup.

Official docs: Coveralls API introduction


Codacy (codacy)

Purpose: Show Codacy repository grade (e.g. A–F) and total issue count from Codacy’s analysis for a repo.

Prerequisites: Repository analyzed in Codacy; API token, org, repo names as in Codacy URLs.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.codacy.enabled | Yes | Enable the provider. |
| devManager.quality.codacy.token | Yes | Account API token (sent in the api-token header). |
| devManager.quality.codacy.org | Yes | Organization name in Codacy. |
| devManager.quality.codacy.repo | Yes | Repository name. |
| devManager.quality.codacy.provider | No | gh (default), gl, or bb for GitHub / GitLab / Bitbucket. |

What happens when you run the check

  1. SnakeFlow GETs Codacy API v3: /analysis/organizations/{provider}/{org}/repositories/{repo}.
  2. It reads grade and totalIssues, maps grade to pass / warn / fail (A/B pass; C/D warn; E/F fail).
  3. Link opens the Codacy dashboard for that repo.

Official docs: Codacy API


DeepSource (deepsource)

Purpose: Summarize issues on the default branch in DeepSource: bugs, security, anti-patterns, performance counts from the latest run status, plus optional metrics in the GraphQL payload.

Prerequisites: Repo activated in DeepSource; personal access token; login (GitHub org or user as known to DeepSource) and repo short name.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.deepsource.enabled | Yes | Enable the provider. |
| devManager.quality.deepsource.token | Yes | Personal access token. |
| devManager.quality.deepsource.login | Yes | Account / org login slug in DeepSource. |
| devManager.quality.deepsource.repo | Yes | Repository name. |
| devManager.quality.deepsource.provider | No | gh / gl / bb (or the aliases github / gitlab / bitbucket for URL mapping). |

What happens when you run the check

  1. SnakeFlow sends a GraphQL POST to https://api.deepsource.com/graphql/ with a query for repository(login, name) including defaultBranch.runStatus (occurrences introduced + distribution by category).
  2. If GraphQL returns errors → error result with message.
  3. If repository is null → warn (not found / not activated).
  4. It aggregates counts for BUG, SECURITY, ANTIPATTERN, PERFORMANCE; sets fail if security > 0 or bugs > 5, else warn if any introduced issues, else pass.
  5. Deep link uses mapped host prefix (gh, gl, bb) for the app URL.
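
Steps 2 to 4 as an added TypeScript example (not SnakeFlow's own source): it walks a constructed GraphQL response, distinguishes the three outcomes (errors, repository null, a run to aggregate) and applies the fail / warn / pass rule. The exact DeepSource schema is not reproduced here; the payload shape (runStatus with occurrencesIntroduced and a per-category distribution) is an assumption for illustration.

```typescript
// Added example, not SnakeFlow's own source. The GraphQL payload shape is an
// assumption; the decision rules (errors -> error, null repo -> warn,
// security > 0 or bugs > 5 -> fail, any introduced -> warn) follow the text.

export type Status = "pass" | "warn" | "fail" | "error";
export type Category = "BUG" | "SECURITY" | "ANTIPATTERN" | "PERFORMANCE";

interface CategoryCount { category: string; introduced: number }
interface DeepSourceResponse {
  errors?: { message: string }[];
  data?: {
    repository: null | {
      defaultBranch: null | {
        runStatus: null | { occurrencesIntroduced: number; distribution: CategoryCount[] };
      };
    };
  };
}

export interface DeepSourceResult { status: Status; summary: string; counts: Record<Category, number> }

export function evaluateDeepSource(resp: DeepSourceResponse): DeepSourceResult {
  const counts: Record<Category, number> = { BUG: 0, SECURITY: 0, ANTIPATTERN: 0, PERFORMANCE: 0 };

  // GraphQL transports errors in-band with HTTP 200, so check the errors array first
  if (resp.errors && resp.errors.length > 0) {
    return { status: "error", summary: resp.errors.map((e) => e.message).join("; "), counts };
  }
  const repo = resp.data?.repository;
  if (!repo) {
    return { status: "warn", summary: "Repository not found or not activated in DeepSource", counts };
  }

  const run = repo.defaultBranch?.runStatus;
  let introduced = 0;
  if (run) {
    introduced = run.occurrencesIntroduced;
    for (const d of run.distribution) {
      if (d.category in counts) counts[d.category as Category] += d.introduced; // ignore unknown categories
    }
  }

  let status: Status = "pass";
  if (counts.SECURITY > 0 || counts.BUG > 5) status = "fail";
  else if (introduced > 0) status = "warn";

  const summary = `${introduced} introduced: ${counts.BUG} bugs, ${counts.SECURITY} security, ` +
    `${counts.ANTIPATTERN} anti-patterns, ${counts.PERFORMANCE} performance`;
  return { status, summary, counts };
}

// Constructed samples (not real DeepSource responses)
export const sampleFail: DeepSourceResponse = {
  data: { repository: { defaultBranch: { runStatus: { occurrencesIntroduced: 4, distribution: [
    { category: "BUG", introduced: 2 }, { category: "SECURITY", introduced: 1 }, { category: "ANTIPATTERN", introduced: 1 },
  ] } } } },
};
export const sampleWarn: DeepSourceResponse = {
  data: { repository: { defaultBranch: { runStatus: { occurrencesIntroduced: 3, distribution: [
    { category: "BUG", introduced: 3 }, { category: "STYLE", introduced: 0 },
  ] } } } },
};
export const sampleNotFound: DeepSourceResponse = { data: { repository: null } };
export const sampleErrors: DeepSourceResponse = { errors: [{ message: "Not authenticated" }] };

console.log(evaluateDeepSource(sampleFail).summary);
```

Note the ordering: errors are checked before data, because a GraphQL server may return both a partial data object and an errors array, and an authentication failure must not be read as "repository not activated".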

Official docs: DeepSource API


Qlty (qlty)

Purpose: Read Qlty project metrics (maintainability, security, reliability categories) from the Qlty HTTP API.

Prerequisites: Qlty project; token; owner and project identifiers as in Qlty URLs.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.qlty.enabled | Yes | Enable the provider. |
| devManager.quality.qlty.token | Yes | Bearer token. |
| devManager.quality.qlty.owner | Yes | GitHub user or org (Qlty path segment gh/{owner}). |
| devManager.quality.qlty.project | Yes | Project key / slug in Qlty. |

What happens when you run the check

  1. SnakeFlow GETs https://qlty.sh/api/v1/gh/{owner}/projects/{project}/metrics.
  2. It finds metric entries whose category is maintainability, security, and reliability.
  3. Status is derived from the maintainability grade string (supports letters such as A, B, XS, S, M, L, XL per built-in mapping).
  4. Link opens the Qlty project page.

Official docs: Qlty API overview


CodeQL (GitHub Code Scanning) (codeql)

Purpose: In SnakeFlow this provider is implemented as GitHub Code Scanning alerts filtered by tool name (default CodeQL). It lists open (or configured state) alerts with severities and file locations from GitHub’s API.

Prerequisites: Repository on GitHub; VS Code GitHub authentication with repo and security_events; Code scanning enabled and results uploaded (typically GitHub Actions CodeQL workflow). Private repos may need GitHub Advanced Security.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.codeql.enabled | Yes | Default true in the extension manifest; turn it off to skip. |
| devManager.quality.codeql.owner | No | Auto-detected from the git remote when empty. |
| devManager.quality.codeql.repo | No | Auto-detected from the git remote when empty. |
| devManager.quality.codeql.state | No | open (default), dismissed, or fixed. |
| devManager.quality.codeql.tool | No | Default CodeQL. Set to an empty string (only where the settings UI allows it) to include all code scanning tools. |

What happens when you run the check

  1. SnakeFlow always considers the provider “configured”; it then tries to obtain a GitHub session. Missing auth → skip with sign-in instructions.
  2. It resolves owner/repo from git remote or manual settings; missing → skip.
  3. It GETs https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts with state and optional tool_name.
  4. Empty list → pass. Otherwise counts critical / high / medium (using security_severity_level and severity); fail if critical or high; warn if medium; else pass. Up to 15 alerts summarized in details.
  5. On 403/404, returns skip with a note about public vs Advanced Security.
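
Steps 4 and 5 as an added TypeScript example (not SnakeFlow's own source): severity bucketing over a constructed list of GitHub code-scanning alerts, the fail / warn / pass rule, the 15-entry details cap, and the 403/404 skip. The alert fields used (rule.security_severity_level, rule.severity, most_recent_instance.location) exist in GitHub's REST API; the fallback from rule.severity to a bucket (error → high, warning → medium, else low) is an assumption for illustration.

```typescript
// Added example, not SnakeFlow's own source. Alert field names follow the
// GitHub code-scanning REST API; the rule.severity fallback mapping and the
// details/summary wording are assumptions. Alerts below are constructed.

export type Status = "pass" | "warn" | "fail" | "skip";
type Bucket = "critical" | "high" | "medium" | "low";

export interface CodeScanningAlert {
  number: number;
  rule: { id: string; severity?: string | null; security_severity_level?: string | null };
  most_recent_instance?: { location?: { path?: string; start_line?: number } };
}

export interface CodeqlResult { status: Status; summary: string; details: string[] }

// Prefer security_severity_level (CodeQL's security rating); fall back to the generic rule severity
export function effectiveSeverity(a: CodeScanningAlert): Bucket {
  const sec = a.rule.security_severity_level?.toLowerCase();
  if (sec === "critical" || sec === "high" || sec === "medium" || sec === "low") return sec;
  const sev = a.rule.severity?.toLowerCase();
  if (sev === "error") return "high";     // assumption: generic "error" treated as high
  if (sev === "warning") return "medium"; // assumption: generic "warning" treated as medium
  return "low";
}

export function evaluateAlerts(alerts: CodeScanningAlert[]): CodeqlResult {
  if (alerts.length === 0) return { status: "pass", summary: "No open code scanning alerts", details: [] };

  const counts: Record<Bucket, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const a of alerts) counts[effectiveSeverity(a)]++;

  const status: Status = counts.critical + counts.high > 0 ? "fail" : counts.medium > 0 ? "warn" : "pass";

  // Only the first 15 alerts are expanded into the details rows
  const details = alerts.slice(0, 15).map((a) => {
    const loc = a.most_recent_instance?.location;
    const where = loc?.path ? `${loc.path}:${loc.start_line ?? "?"}` : "(no location)";
    return `[${effectiveSeverity(a)}] #${a.number} ${a.rule.id} at ${where}`;
  });

  const summary = `${alerts.length} alert(s): ${counts.critical} critical, ${counts.high} high, ` +
    `${counts.medium} medium, ${counts.low} low`;
  return { status, summary, details };
}

// 403/404 mean "no access or not enabled", not "no alerts": report skip, never pass.
// Other HTTP codes are left to the caller (assumption).
export function classifyHttpStatus(code: number): { status: Status; note: string } | null {
  if (code === 403 || code === 404) {
    return {
      status: "skip",
      note: "Code scanning unavailable: repo must be public or have GitHub Advanced Security, and the session needs the security_events scope",
    };
  }
  return null;
}

// Constructed alerts (not from a real repository)
export const sampleAlerts: CodeScanningAlert[] = [
  { number: 12, rule: { id: "js/sql-injection", severity: "error", security_severity_level: "high" },
    most_recent_instance: { location: { path: "src/db.ts", start_line: 42 } } },
  { number: 13, rule: { id: "js/unused-local-variable", severity: "warning", security_severity_level: null } },
  { number: 14, rule: { id: "js/todo-comment", severity: "note" },
    most_recent_instance: { location: { path: "src/app.ts", start_line: 7 } } },
];

console.log(evaluateAlerts(sampleAlerts));
```

The important defensive detail is in classifyHttpStatus: a 403 or 404 from this endpoint is returned for private repos without Advanced Security and for tokens lacking security_events, so treating it as "zero alerts" would turn a permissions problem into a green check.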

Official docs: GitHub Code Scanning REST API


Aikido Security (aikido)

Purpose: List open issue groups from Aikido (aggregated security / supply-chain style findings) and optionally narrow them to the repo inferred from git remote.

Prerequisites: Aikido account; API token; repos connected in Aikido.

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.aikido.enabled | Yes | Enable the provider. |
| devManager.quality.aikido.token | Yes | API token. |
| devManager.quality.aikido.repoName | No | Filter hint; auto-detected from the git remote when empty. |

What happens when you run the check

  1. SnakeFlow GETs https://app.aikido.dev/api/v2/open_issue_groups?per_page=1000.
  2. If git remote yields owner/repo, it tries to filter issue groups whose affected_repositories match that repo name. If the filter would drop everything, it falls back to all issues (so you still see org-level signal).
  3. Severity buckets drive pass / warn / fail (critical/high → fail; medium → warn). Top issues listed in details.
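
The filter-then-fallback behaviour of step 2 and the severity rule of step 3, as an added TypeScript example (not SnakeFlow's own source). Aikido's issue-group fields are assumed here (affected_repositories entries with a name); the data is constructed.

```typescript
// Added example, not SnakeFlow's own source. Issue-group field names are an
// assumption for illustration; the behaviour follows the description above:
// narrow to the repo from the git remote, but never narrow down to nothing.

export type Status = "pass" | "warn" | "fail";

export interface IssueGroup {
  id: number;
  title: string;
  severity: "critical" | "high" | "medium" | "low";
  affected_repositories?: { name: string }[];
}

export interface NarrowResult { groups: IssueGroup[]; narrowed: boolean }

// Keep only groups touching repoName (bare name or owner/name match);
// if that would drop everything, keep all groups so org-level signal still shows.
export function narrowToRepo(groups: IssueGroup[], repoName?: string): NarrowResult {
  if (!repoName) return { groups, narrowed: false };
  const want = repoName.toLowerCase();
  const hits = groups.filter((g) =>
    (g.affected_repositories ?? []).some((r) => {
      const n = r.name.toLowerCase();
      return n === want || n.endsWith("/" + want);
    }),
  );
  return hits.length > 0 ? { groups: hits, narrowed: true } : { groups, narrowed: false };
}

// critical/high -> fail; medium -> warn; otherwise pass
export function aikidoStatus(groups: IssueGroup[]): Status {
  if (groups.some((g) => g.severity === "critical" || g.severity === "high")) return "fail";
  if (groups.some((g) => g.severity === "medium")) return "warn";
  return "pass";
}

// Constructed issue groups (not real Aikido data)
export const sampleGroups: IssueGroup[] = [
  { id: 1, title: "Vulnerable lodash version", severity: "high", affected_repositories: [{ name: "example-org/api-server" }] },
  { id: 2, title: "Secret committed in CI config", severity: "critical", affected_repositories: [{ name: "example-org/infra" }] },
  { id: 3, title: "Outdated base image", severity: "medium", affected_repositories: [{ name: "api-server" }, { name: "web" }] },
];

console.log(narrowToRepo(sampleGroups, "api-server"));
```

The fallback changes what the status means: when narrowed is false because nothing matched, the fail / warn result reflects the whole organization, so a summary line should say so rather than implying the current repo is affected.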

Official docs: Aikido API


Socket.dev (socket)

Purpose: Supply chain security analysis for npm dependencies — detects malicious packages, install scripts, telemetry, typosquatting, and other suspicious behavior. Complements CVE-focused scanners (Snyk, Trivy) which only flag known vulnerabilities.

Prerequisites: Socket.dev account; API token; project with package.json (npm/Yarn/pnpm).

Settings

| Setting | Required | Description |
| --- | --- | --- |
| devManager.quality.socket.enabled | Yes | Enable the provider. |
| devManager.quality.socket.token | Yes | API token from Org Settings → API Tokens. |
| devManager.quality.socket.thresholdCritical | No | Default 0. Above the threshold → fail. |
| devManager.quality.socket.thresholdHigh | No | Default 5. Above the threshold (with no critical) → warn. |

What happens when you run the check

  1. SnakeFlow checks that the token is set; otherwise the result is “not configured”.
  2. Reads package.json from the project root. Missing → skip (Socket.dev currently supports npm projects only).
  3. Collects direct + dev dependencies (up to 200 packages) and builds a list of PURLs (pkg:npm/<name>@<version>). Non-registry specifiers (git:, file:, link:, workspace:) are skipped.
  4. Sends POST https://api.socket.dev/v0/purl?actions=score,alerts with HTTP Basic auth (token:) and JSON body { components: [{ purl }] }.
  5. Aggregates alerts by severity (critical, high, middle, low) and computes the average supplyChain score.
  6. Status: critical > thresholdCritical → fail; high > thresholdHigh → warn; otherwise pass.
  7. Summary lists the number of flagged packages and the severity breakdown. Details show the top 15 packages with alerts.
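
Steps 2 to 6 as an added TypeScript example (not SnakeFlow's own source): building PURLs from a constructed package.json while skipping non-registry specifiers, assembling the bulk /v0/purl request with Basic auth, aggregating alerts by severity, and applying the two thresholds. Assumptions: versions are pinned by stripping range operators from the package.json specifier (the real extension may read a lockfile), the github: shorthand is treated as non-registry alongside git:, file:, link: and workspace:, and the per-package result shape (score.supplyChain, alerts[].severity) is simplified for illustration.

```typescript
// Added example, not SnakeFlow's own source. Version pinning by stripping range
// operators, the github: exclusion and the result shape are assumptions; the
// request URL, auth scheme, body shape and thresholds follow the text above.

export type Status = "pass" | "warn" | "fail";

interface PackageJson { dependencies?: Record<string, string>; devDependencies?: Record<string, string> }

// Specifiers that do not resolve to the npm registry and cannot be expressed as pkg:npm PURLs
const NON_REGISTRY = /^(git:|git\+|github:|file:|link:|workspace:)/;

// "^4.19.2" -> "4.19.2"; anything that is not an exact-looking version ("*", "latest", "1.x") -> null
function pinVersion(spec: string): string | null {
  const v = spec.replace(/^[\^~>=<\s]+/, "").trim();
  return /^\d+\.\d+\.\d+[\w.+-]*$/.test(v) ? v : null;
}

export function buildPurls(pkg: PackageJson, maxPackages = 200): string[] {
  const all = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  const purls: string[] = [];
  for (const [name, spec] of Object.entries(all)) {
    if (purls.length >= maxPackages) break;
    if (NON_REGISTRY.test(spec)) continue;
    const version = pinVersion(spec);
    if (!version) continue;
    // purl spec: the "@" of a scoped npm package is percent-encoded in the namespace
    const purlName = name.startsWith("@") ? "%40" + name.slice(1) : name;
    purls.push(`pkg:npm/${purlName}@${version}`);
  }
  return purls;
}

// HTTP Basic with the token as user name and an empty password ("token:")
export function buildRequest(token: string, purls: string[]): { url: string; headers: Record<string, string>; body: string } {
  return {
    url: "https://api.socket.dev/v0/purl?actions=score,alerts",
    headers: { Authorization: "Basic " + btoa(`${token}:`), "Content-Type": "application/json" },
    body: JSON.stringify({ components: purls.map((purl) => ({ purl })) }),
  };
}

export type Severity = "critical" | "high" | "middle" | "low";
export interface PackageResult { purl: string; score?: { supplyChain?: number }; alerts?: { type: string; severity: Severity }[] }

export function aggregate(results: PackageResult[]): { counts: Record<Severity, number>; flagged: number; avgSupplyChain?: number } {
  const counts: Record<Severity, number> = { critical: 0, high: 0, middle: 0, low: 0 };
  let flagged = 0, sum = 0, scored = 0;
  for (const r of results) {
    if (r.alerts && r.alerts.length > 0) flagged++;
    for (const a of r.alerts ?? []) counts[a.severity]++;
    if (typeof r.score?.supplyChain === "number") { sum += r.score.supplyChain; scored++; }
  }
  return { counts, flagged, avgSupplyChain: scored > 0 ? sum / scored : undefined };
}

export function socketStatus(counts: { critical: number; high: number }, thresholdCritical = 0, thresholdHigh = 5): Status {
  if (counts.critical > thresholdCritical) return "fail";
  if (counts.high > thresholdHigh) return "warn";
  return "pass";
}

// Constructed package.json (not a real project)
export const samplePackageJson: PackageJson = {
  dependencies: { express: "^4.19.2", "@scope/lib": "~1.0.0", mylocal: "file:../mylocal", tool: "github:user/repo" },
  devDependencies: { jest: "29.7.0", shared: "workspace:*" },
};

console.log(buildPurls(samplePackageJson));
```

Two points worth noticing: scoped package names are encoded as %40scope/name, which is what the purl specification requires and what the Socket API expects; and the skipped specifiers are not a gap in the check but simply packages the registry-based API cannot score, so a project built mostly from git or workspace links will show fewer packages than it has dependencies.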

Note: The provider does not trigger a separate report via POST /report/upload; it makes a single bulk call to POST /v0/purl against direct dependencies only. For full supply chain reporting (including transitive deps), use the Socket CLI or GitHub App.

Official docs: Socket Public API


All cloud providers at a glance

SnakeFlow currently ships ten cloud integrations (see src/quality/initProviders.ts). Each is optional and off by default except CodeQL (uses IDE GitHub auth).

| ID | What SnakeFlow reads | Typical “freshness” |
| --- | --- | --- |
| sonarcloud | Quality gate + metric snapshot | Last Sonar analysis |
| snyk | Org issue list (REST) | Last Snyk import / scan |
| codecov | Repo coverage total | Last CI upload to Codecov |
| coveralls | Badge JSON coverage % | Last CI upload to Coveralls |
| codacy | Grade + total issues | Last Codacy analysis |
| deepsource | Default branch run status (GraphQL) | Last DeepSource run |
| qlty | Project metrics JSON | Last Qlty computation |
| codeql | GitHub code-scanning alerts | Last workflow upload to GitHub |
| aikido | Open issue groups | Aikido platform state |
| socket | Supply-chain alerts on npm deps (PURL bulk) | Live Socket.dev state |