feat: add scanCodeQuality var for SonarQube scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vars/scanCodeQuality.groovy

@@ -0,0 +1,33 @@
+/**
+ * Runs sonar-scanner via npx inside current container.
+ * Must be called inside container('node') block.
+ *
+ * config keys:
+ *   projectKey (required) - SonarQube project key
+ *   sonarUrl   (optional) - SonarQube server URL, default: http://sonarqube-sonarqube.sonarqube.svc.cluster.local:9000
+ *   credId     (optional) - Jenkins secret-text credential id, default: sonarqube-token
+ *   sources    (optional) - sources to scan, default: .
+ *   exclusions (optional) - comma-separated paths to exclude
+ */
+def call(Map config) {
+    def projectKey = config.projectKey
+    if (!projectKey) error('scanCodeQuality: projectKey is required')
+
+    def sonarUrl   = config.sonarUrl   ?: 'http://sonarqube-sonarqube.sonarqube.svc.cluster.local:9000'
+    def credId     = config.credId     ?: 'sonarqube-token'
+    def sources    = config.sources    ?: '.'
+    def exclusions = config.exclusions ?: ''
+
+    def exclusionsArg = exclusions ? "-Dsonar.exclusions=${exclusions}" : ''
+
+    withCredentials([string(credentialsId: credId, variable: 'SONAR_TOKEN')]) {
+        sh """
+            npx sonar-scanner \
+              -Dsonar.projectKey=${projectKey} \
+              -Dsonar.sources=${sources} \
+              -Dsonar.host.url=${sonarUrl} \
+              -Dsonar.token=\${SONAR_TOKEN} \
+              ${exclusionsArg}
+        """
+    }
+}