How do I get SonarCloud to detect vulnerabilities?

Hi all. I am new to Sonar Cloud. I am attempting to get sonarcloud to detect vulnerabilities.

using Git Hub, The intention is to scan with Git Hib actions. The project is Java built on gradle. It’s a private repository. I have initiated a sonar project with default sonar way quality gate and bound it to the repo.

My build.gradle as follows

plugins {
    id 'java'
    id 'io.freefair.lombok' version '6.6.2'
    id 'application'
    id 'org.springframework.boot' version '2.7.18'
    id 'io.spring.dependency-management' version '1.1.3'
    id 'nu.studer.jooq' version '8.2.1'
    id 'com.avast.gradle.docker-compose' version '0.17.1'
    id "org.sonarqube" version ""

sonar {
  properties {
    property "sonar.projectKey", <my Key>
    property "sonar.organization", "< my Organization>
    property "", ""

Running gradle build or gradle sonar does run an analysis. It’s found bugs and code smells. However it has not picked up any vulnerabilities. I know there are vulnerabilities in the repo because the AWS scanner reports them. Many of these vulnerable libraries are pulled in through the docker image (as opposed to being accessed directly in the code).

Here is the docker file.

FROM debian:trixie-slim AS deps

RUN apt-get update && apt-get install -y wget

RUN wget -O dd-java-agent.jar

FROM as builder
WORKDIR /service
ARG JAR_FILE=build/libs/<My Jar File>

COPY ${JAR_FILE} <My Jar File Location>
USER root
RUN ["java", "-Djarmode=layertools", "-jar", <My Jar File>, "extract"


WORKDIR /service
COPY --from=deps /work/dd-java-agent.jar ./dd-java-agent.jar
COPY config ./config

COPY --from=builder service/spring-boot-loader/ ./
COPY --from=builder service/dependencies/ ./
COPY --from=builder service/snapshot-dependencies/ ./
COPY --from=builder service/application/ ./


ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]

I know the debian distribution contains numerous vulnerabilities. Is it possible for sonar cloud to scan the dockerfile so detect them? If so how do I configure it?

bump. At a more basic level has anyone been able to use sonar cloud to detect vulnerabilities that are pulled in through a docker image? Please let me know if you have, thank you in advance. My organization would really like to use sonar as our primary tool to detect vulnerabilities.


Is this about dependency scanning? SonarCloud does SAST / static analysis, not SCA.