However, the same through Sonar Scanner is not coming up as a Security hotspot or vulnerability. Could you please explain why I am experiencing this mismatch?
GitHub is warning you about a vulnerability in a dependency, so-called Software Composition Analysis (SCA). At this time we are focussing on Static Application Security Testing (SAST) though and do not provide SCA.