quarkus-verification

Skill ECC View source on GitHub

Verification loop for Quarkus projects: build, static analysis, tests with coverage, security scans, native compilation, and diff review before release or PR.

Quarkus Verification Loop

Run before PRs, after major changes, and pre-deploy.

When to Activate

Before opening a pull request for a Quarkus service
After major refactoring or dependency upgrades
Pre-deployment verification for staging or production
Running full build → lint → test → security scan → native compilation pipeline
Validating test coverage meets thresholds (80%+)
Testing native image compatibility

Phase 1: Build

# Maven
mvn clean verify -DskipTests

# Gradle
./gradlew clean assemble -x test

If build fails, stop and fix compilation errors.

Phase 2: Static Analysis

Checkstyle, PMD, SpotBugs (Maven)

mvn checkstyle:check pmd:check spotbugs:check

SonarQube (if configured)

mvn sonar:sonar \
  -Dsonar.projectKey=my-quarkus-project \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=${SONAR_TOKEN}

Common Issues to Address

Unused imports or variables
Complex methods (high cyclomatic complexity)
Potential null pointer dereferences
Security issues flagged by SpotBugs

Phase 3: Tests + Coverage

# Run all tests
mvn clean test

# Generate coverage report
mvn jacoco:report

# Enforce coverage threshold (80%)
mvn jacoco:check

# Or with Gradle
./gradlew test jacocoTestReport jacocoTestCoverageVerification

Test Categories

Unit Tests

Test service logic with mocked dependencies:

@ExtendWith(MockitoExtension.class)
class UserServiceTest {
  @Mock UserRepository userRepository;
  @InjectMocks UserService userService;

  @Test
  void createUser_validInput_returnsUser() {
    var dto = new CreateUserDto("Alice", "alice@example.com");

    // Panache persist() is void — use doNothing + verify
    doNothing().when(userRepository).persist(any(User.class));

    User result = userService.create(dto);

    assertThat(result.name).isEqualTo("Alice");
    verify(userRepository).persist(any(User.class));
  }
}

Integration Tests

Test with real database (Testcontainers):

@QuarkusTest
@QuarkusTestResource(PostgresTestResource.class)
class UserRepositoryIntegrationTest {

  @Inject
  UserRepository userRepository;

  @Test
  @Transactional
  void findByEmail_existingUser_returnsUser() {
    User user = new User();
    user.name = "Alice";
    user.email = "alice@example.com";
    userRepository.persist(user);

    Optional<User> found = userRepository.findByEmail("alice@example.com");

    assertThat(found).isPresent();
    assertThat(found.get().name).isEqualTo("Alice");
  }
}

API Tests

Test REST endpoints with REST Assured:

@QuarkusTest
class UserResourceTest {

  @Test
  void createUser_validInput_returns201() {
    given()
        .contentType(ContentType.JSON)
        .body("""
            {"name": "Alice", "email": "alice@example.com"}
            """)
        .when().post("/api/users")
        .then()
        .statusCode(201)
        .body("name", equalTo("Alice"));
  }

  @Test
  void createUser_invalidEmail_returns400() {
    given()
        .contentType(ContentType.JSON)
        .body("""
            {"name": "Alice", "email": "invalid"}
            """)
        .when().post("/api/users")
        .then()
        .statusCode(400);
  }
}

Coverage Report

Check target/site/jacoco/index.html for detailed coverage:

Overall line coverage (target: 80%+)
Branch coverage (target: 70%+)
Identify uncovered critical paths

Phase 4: Security Scanning

Dependency Vulnerabilities (Maven)

mvn org.owasp:dependency-check-maven:check

Review target/dependency-check-report.html for CVEs.

Quarkus Security Audit

# Check vulnerable extensions
mvn quarkus:audit

# List all extensions
mvn quarkus:list-extensions

OWASP ZAP (API Security Testing)

docker run -t owasp/zap2docker-stable zap-api-scan.py \
  -t http://localhost:8080/q/openapi \
  -f openapi

Common Security Checks

All secrets in environment variables (not in code)
Input validation on all endpoints
Authentication/authorization configured
CORS properly configured
Security headers set
Passwords hashed with BCrypt
SQL injection protection (parameterized queries)
Rate limiting on public endpoints

Phase 5: Native Compilation

Test GraalVM native image compatibility:

# Build native executable
mvn package -Dnative

# Or with container
mvn package -Dnative -Dquarkus.native.container-build=true

# Test native executable
./target/*-runner

# Run basic smoke tests
curl http://localhost:8080/q/health/live
curl http://localhost:8080/q/health/ready

Native Image Troubleshooting

Common issues:

Reflection: Add reflection config for dynamic classes
Resources: Include resources with quarkus.native.resources.includes
JNI: Register JNI classes if using native libraries

Example reflection config:

@RegisterForReflection(targets = {MyDynamicClass.class})
public class ReflectionConfiguration {}

Phase 6: Performance Testing

Load Testing with K6

import http from 'k6/http';
import { check } from 'k6';

export const options = {
  stages: [
    { duration: '30s', target: 50 },
    { duration: '1m', target: 100 },
    { duration: '30s', target: 0 },
  ],
};

export default function () {
  const res = http.get('http://localhost:8080/api/markets');
  check(res, {
    'status is 200': (r) => r.status === 200,
    'response time < 200ms': (r) => r.timings.duration < 200,
  });
}

Run:

k6 run load-test.js

Metrics to Monitor

Response time (p50, p95, p99)
Throughput (requests/sec)
Error rate
Memory usage
CPU usage

Phase 7: Health Checks

# Liveness
curl http://localhost:8080/q/health/live

# Readiness
curl http://localhost:8080/q/health/ready

# All health checks
curl http://localhost:8080/q/health

# Metrics (if enabled)
curl http://localhost:8080/q/metrics

Expected responses:

{
  "status": "UP",
  "checks": [
    {
      "name": "Database connection",
      "status": "UP"
    }
  ]
}

Phase 8: Container Image Build

# Build container image
mvn package -Dquarkus.container-image.build=true

# Or with specific registry
mvn package \
  -Dquarkus.container-image.build=true \
  -Dquarkus.container-image.registry=docker.io \
  -Dquarkus.container-image.group=myorg \
  -Dquarkus.container-image.tag=1.0.0

# Test container
docker run -p 8080:8080 myorg/my-quarkus-app:1.0.0

Container Security Scan

# Trivy
trivy image myorg/my-quarkus-app:1.0.0

# Grype
grype myorg/my-quarkus-app:1.0.0

Phase 9: Configuration Validation

# Check all configuration properties
mvn quarkus:info

# List all config sources
curl http://localhost:8080/q/dev/io.quarkus.quarkus-vertx-http/config

Environment-Specific Checks

Database URLs configured per environment
Secrets externalized (Vault, env vars)
Logging levels appropriate
CORS origins set correctly
Rate limiting configured
Monitoring/tracing enabled

Phase 10: Documentation Review

OpenAPI/Swagger docs up to date (/q/swagger-ui)
README has setup instructions
API changes documented
Migration guide for breaking changes
Configuration properties documented

Generate OpenAPI spec:

curl http://localhost:8080/q/openapi -o openapi.json

Verification Checklist

Code Quality

Build passes without warnings
Static analysis clean (no high/medium issues)
Code follows team conventions
No commented-out code or TODOs in PR

Testing

Security

No dependency vulnerabilities
Authentication/authorization tested
Input validation complete
Secrets not in source code
Security headers configured

Deployment

Native compilation successful
Container image builds
Health checks respond correctly
Configuration valid for target environment

Native Image

Native executable builds
Native tests pass
Startup time < 100ms
Memory footprint acceptable

Automated Verification Script

#!/bin/bash
set -e

echo "=== Phase 1: Build ==="
mvn clean verify -DskipTests

echo "=== Phase 2: Static Analysis ==="
mvn checkstyle:check pmd:check spotbugs:check

echo "=== Phase 3: Tests + Coverage ==="
mvn test jacoco:report jacoco:check

echo "=== Phase 4: Security Scan ==="
mvn org.owasp:dependency-check-maven:check

echo "=== Phase 5: Native Compilation ==="
mvn package -Dnative -Dquarkus.native.container-build=true

echo "=== All Phases Complete ==="
echo "Review reports:"
echo "  - Coverage: target/site/jacoco/index.html"
echo "  - Security: target/dependency-check-report.html"
echo "  - Native: target/*-runner"

CI/CD Integration

GitHub Actions Example

name: Verification

on: [push, pull_request]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up JDK 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'

      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

      - name: Build
        run: mvn clean verify -DskipTests

      - name: Test with Coverage
        run: mvn test jacoco:report jacoco:check

      - name: Security Scan
        run: mvn org.owasp:dependency-check-maven:check

      - name: Upload Coverage
        uses: codecov/codecov-action@v3
        with:
          files: target/site/jacoco/jacoco.xml

Best Practices

Run verification loop before every PR
Automate in CI/CD pipeline
Fix issues immediately; don’t accumulate debt
Keep coverage above 80%
Update dependencies regularly
Test native compilation periodically
Monitor performance trends
Document breaking changes
Review security scan results
Validate configuration for each environment

← Back to Skills