I’ve created a sonarqube.yml file with the intention of having vulnerabilities added to the Github Advanced Security reporting. I don’t have vulnerabilities reported from Sonar in the specific repo that I created the file in, but I expected to see Sonar listed as a Tool under Code Scanning as it appears to be the case in other repos in the organization, the only difference being that those other repos use the deprecated sonarcloud-github-action workflow. Github Advanced Security is turned on in this repo and is connected to Sonar. Does Sonar no longer show up as a Tool or is this unexpected behavior?
As long as you already have a pipeline running SonarQube Cloud analysis on your main branch, there’s no need to create a new one (which you may have been guided to do when adding a tool in GitHub’s Code scanning UI).
(Running through this myself made me realize that those pipelines are outdated, and I’ll flag that for attention.)
You can find everything necessary for reporting vulnerabilities to GHAS documented here!
Once Sonar has actually reported a vulnerability to GHAS, it will show up as a tool.
By pipeline do you mean as long as Sonar is running as part of the CI analysis?
We have all repos in Sonar set up as part of CI Analysis but only a few are reporting as having the Sonar Tool enabled.
As for the Sonar Tool to only appear once a vulnerability has been reported, I have a repo that is showing the Sonar Tool but no vulnerabilities have been reported. Conversely, the repos that do have vulnerabilities reported in Sonar are not reporting the vulnerabilities to GHAS but these are also not using the workflow file which may be the pipeline you’re referring to. If that’s not the case, any idea why these discrepancies are occurring?
Assuming your project is bound, and the vulnerabilities are being raised on your main branch, no additional setup should be required. It doesn’t matter how you trigger the analysis (or which workflow file you use).
Regarding the closed issues, if an issue is solved (hence not reported by the analysis), GitHub doesn’t show it as ‘Closed’. So, this is an expected behaviour.
GitHub will report as ‘Closed’ e.g. issues marked as ‘False Positive’.
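As a way to verify the two conditions given in this reply (a tool is listed only after it has uploaded results, and the issues must be raised on the bound project's main branch), here is an added example that is not from Sonar or GitHub: it reads a repository's code scanning analyses from the GitHub REST API and reports what Sonar has uploaded on the default branch. The sample response and the tool name `SonarCloud` are constructed, so the code matches any tool whose name contains "sonar".

```python
import json
import urllib.request
from collections import defaultdict

# GitHub REST endpoint: GET /repos/{owner}/{repo}/code-scanning/analyses
API = "https://api.github.com/repos/{owner}/{repo}/code-scanning/analyses?per_page=100"


def fetch_analyses(owner, repo, token):
    """Fetch the code scanning analyses uploaded for a repo (token needs security_events read)."""
    req = urllib.request.Request(API.format(owner=owner, repo=repo))
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_tools(analyses):
    """Map each uploading tool to the refs it analysed and its total results_count."""
    refs, results = defaultdict(set), defaultdict(int)
    for a in analyses:
        name = a["tool"]["name"]
        refs[name].add(a["ref"])
        results[name] += a.get("results_count", 0)
    return {n: {"refs": sorted(refs[n]), "results": results[n]} for n in refs}


def sonar_status(analyses, default_branch="refs/heads/main"):
    """Apply the thread's two conditions: a tool is listed only after it has uploaded
    results, and Sonar reports only issues raised on the bound project's main branch."""
    summary = summarize_tools(analyses)
    sonar = [n for n in summary if "sonar" in n.lower()]  # exact tool name is an assumption
    if not sonar:
        return "no Sonar uploads yet: nothing will be listed under Code scanning tools"
    name, info = sonar[0], summary[sonar[0]]
    if default_branch not in info["refs"]:
        return f"{name} uploaded only for {info['refs']}; analyse {default_branch} on the bound project"
    if info["results"] == 0:
        return f"{name} uploads on {default_branch} contain no results yet"
    return f"{name} reported {info['results']} results on {default_branch}"


# Constructed sample shaped like the API response (only the fields used above).
SAMPLE = [
    {"ref": "refs/heads/main", "tool": {"name": "CodeQL"}, "results_count": 3},
    {"ref": "refs/heads/feature-x", "tool": {"name": "SonarCloud"}, "results_count": 2},
]

if __name__ == "__main__":
    print(sonar_status(SAMPLE))
```

Replace `SAMPLE` with `fetch_analyses(owner, repo, token)` to run it against a real repository.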
Got it, thank you! I currently have the sonarqube.yml file set up and sonar is reporting vulnerabilities but they are not showing up in the Code scanning section of the repo in Github. Should the vulnerabilities showing up on the Github side be immediate or is there a lag?
Yes, the project is on the Enterprise plan and GHAS is enabled but I’m still not seeing any results in GHAS. The project is in Sonar and is bound with CI analysis, is there anything further I need to do in order to see the results in Github?
We were on the legacy plan where we were able to use this feature, but it looks like this plan is no longer supported and we are now on the team plan that doesn’t support the integration. Thank you!