GitHub scanning alerts not updated by SonarCloud after switching from automatic analysis to CI-based

  • ALM used: GitHub
  • CI system used: GitHub Actions
  • Scanner command used when applicable: instructions (guided wizard) under SonarCloud
  • Languages of the repository: C# and HCL
  • Only if the SonarCloud project is public, the URL: GitHub - rufer7/github-sonarcloud-integration: Scan and analyze GitHub repository with SonarCloud
  • Error observed: after switching from automatic analysis to CI-based analysis, GitHub scanning alerts (under Security tab of the repo) are not updated even if the SonarCloud project is properly bound to the GitHub repository
  • Steps to reproduce:
    • Push change to default branch (develop)
    • GitHub action executes automatically and succeeds
    • Security hotspots are not synced to GitHub code scanning alerts

Or am I wrong and only the findings listed under security in SonarCloud are synced with GitHub code scanning alerts?

Hi @rufer7,

Sorry for the late reply here.

As you guessed, Security Hotspots are not synced as Code Scanning alerts, only Security issues are.

As you probably know, Security Hotspots are not necessarily vulnerabilities in your code, so it would be too noisy to sync them as scanning alerts.

Do you have problems syncing Security issues or is this working fine?


1 Like

No worries. Thanks for the reply. Then it works as expected. Thanks