GitHub scanning alerts not updated by SonarCloud after switching from automatic analysis to CI-based

  • ALM used: GitHub
  • CI system used: GitHub Actions
  • Scanner command used when applicable: instructions (guided wizard) under SonarCloud
  • Languages of the repository: C# and HCL
  • Only if the SonarCloud project is public, the URL: GitHub - rufer7/github-sonarcloud-integration: Scan and analyze GitHub repository with SonarCloud
  • Error observed: after switching from automatic analysis to CI-based analysis, GitHub scanning alerts (under Security tab of the repo) are not updated even if the SonarCloud project is properly bound to the GitHub repository
  • Steps to reproduce:
    • Push change to default branch (develop)
    • GitHub action executes automatically and succeeds
    • Security hotspots are not synced to GitHub code scanning alerts

Or am I wrong and only the findings listed under security in SonarCloud are synced with GitHub code scanning alerts?

Hi @rufer7,

Sorry for the late reply here.

As you guessed, Security Hotspots are not synced as Code Scanning alerts, only Security issues are.

As you probably know, Security Hotspots are not necessarily vulnerabilities in your code, so it would be too noisy to sync them as scanning alerts.

Do you have problems syncing Security issues or is this working fine?

Cheers,
Antoine

No worries. Thanks for the reply. Then it works as expected. Thanks.