Hi ,
We have application source code in Github and CI pipeline integrated with SonarQube running via Azure Pipeline.
Now with Github native security feature we are seeing alert
However the same through Sonar Scanner is not coming as Security hotspot or vulnerability. Could you please explain why there is a mismatch I am experiencing.
Hi Prasenjit and welcome to the community!
GitHub is warning you about a vulnerability in a dependency, so-called Software Composition Analysis (SCA). At this time we are focussing on Static Application Security Testing (SAST) though and do not provide SCA.
Welcome 
if using Sonarqube on prem, you may try the community plugin (not supported by Sonarsource)
Gilbert
Hi Hendrik ,
That makes sense now to me . Thanks for the help.
Hey Gilbert ,
Yes , we have SonarQube on prem . I will check that . Thanks .
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
Hello from the future!
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.
Please see this announcement for more details.
