Automatically Assigning Security Hotspots

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

I’m using Sonarqube 8.9.0, and I’m trying to automatically assign security hotspots.

I checked the documentation page that there is Automatic Issue Assignment for Bugs, Vulnerabilities, and Code Smells. However, it seems that there isn’t such feature for security hotspots. I’m wondering if it is possible to automatically assign security hotspots to the last committer on the security hotspot line just like how the issues are automatically assigned.


Hi @Michael_Tan, welcome to the SonarSource Community!

Security Hotspots should auto-assign just like issues do. Can you confirm that if you browse the code where a hotspot is found (browse via the Code tab in the project) that there is commit history in the margin to the left of the code? Further, confirm if the identity of the commit user shown there matches someone who has an account in your SonarQube instance. The identity (email) needs to line up for the assignment to work.

Hi Jeff. I can confirm that there is a commit history. The identity of the commit user is myself.
Screen Shot 2021-06-09 at 4.10.23 PM
Screen Shot 2021-06-09 at 4.10.46 PM

The hotspot does pick up that it was me who introduced it. However, it doesn’t automatically assign to me.

The identity also does match my email.
Screen Shot 2021-06-09 at 4.11.43 PM

Thank you for your help!

And the Assignee on the hotspot just shows what? Empty?

Is there anything set if you look in the Project Settings for Default Assignee?

The assignee just shows Not assigned.
Default Assignee under the Project Setting is empty.

Hi Michael.

The author collected from the SCM is matched with accounts’ login and email to find a SonarQube user for the auto assignment.
It looks like your SCM collected ‘Michael Tan’ as the author. I guess you’re not using git, because with git it’s generally the email that is considered to be the author.

In any case, your name is not matching the email or login. I suggest you add your name as a ‘SCM Account’ in your SonarQube’s user settings. See button ‘Add’ in the screenshot. I think it needs to be done by a SonarQube admin.



Hi Duarte,

We are in fact using git and I did some trouble shooting on my end.

We enabled SAML with google sso just a few days ago, and I had two account associated with my email mtan@… One being the google account and one being the original account created directly in sonarqube. Sonarqube wasn’t able to automatically assign the security hotspot when I had both account activated. (However it was able to automatically assign a vulnerability)

After I deactivated one of my account and have only one account associated with my email, Sonarqube was able to automatically assign the security hotspot after the next scan.

I’m unsure if this is a bug or an expected behaviour as I am getting different results regarding automatic assignment of vulnerabilities and security hotspots under the same conditions.

Thank you for your help!

1 Like

Glad you got it working.
That’s expected behavior. If there’s more than one match it won’t pick one and it will add a warning in the CE server logs.



Just another quick question, it is possible to get email notifications when a security hotspot gets automatically assigned to me?

Right now, it seems that I am only getting notifications when someone else manually assigns a hotspot to me and no notification when sonarqube automatically assigns to me.

Thank you!

I believe that you only get a notification when a hotspot gets converted to a vulnerability after being reviewed.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.