Version: SonarQube 9.5 Community Edition With SonarQube 9.4, the ability to review and acknowledge security hotspots was added: https://portal.productboard.com/sonarsource/3-sonarqube/c/184-track-security-hotspots-that-represent-real-risks-to-fix-later Just looking into this feature in more detai…

This is definitely a major failing in the product IMO - just because you have acknowledged an issue exists does not mean the code is suddently more secure - that will only happen when the issue is actually fixed. Currently “acknowledged” essentially makes the issue disappear from all security repor…

Bump - this is still an issue in SQ 9.9

I want to bring this still existent issue up again (screenshots from SQ 10.2.1). Example for current state: We have a project where we reviewed all Security Hotspots, set some to safe and 6 to acknowledged. [image] SonarQube itself says about the acknowledged status that it “does pose a risk” a…

Hi @ganncamp - sorry to tag you directly, but you’ve been very helpful on a lot of topics over the years. How can we get someone from the product team to at least take a look at this issue? Maybe there’s something we’re all missing in the SonarQube configuration or UI that already addresses this? C…

Hi @cba , Thank you for raising this. It is an issue we are aware of, but we don’t have anything in our near-in roadmap to address it. You might be able to use the API to create reporting that somewhat helps with this, but it isn’t an ideal solution. Best regards John

A few days ago we discovered that security hotspots flagged as “Acknowledged” is not showing up in any reports or dashboards. How is it possible that a product created to secure code instead hides code issues? And that a fix is not in the roadmap? Knowing about this potentially critical issue, and…

Definitely disappointing that, several years after it was flagged, there are still no plans to addres this problem. It continues to make no sense to me that a product that makes a “thing” about security hotspots such that they are treated separately from “regular” issues because they are potential…

This is indeed very unexpected. We have projects with a perfect Security Review Rating A and a Security Rating A, but dozens of “acknowledged” security hotspots. Can we get at least another Quality Gate condition, so that we can check for acknowledged security hotspots? (I think ideally, acknowled…

I totally agree with you. We are phasing out the concept of Security Hotspots as announced here .

How to keep track of acknowledged security hotspots?

SonarQube Server / Community Build

cba (Chris) August 26, 2022, 10:29pm 4

Bump - this is still an issue in SQ 9.6.

How do I find and keep track of acknowledged security hotspots across projects?

Topic		Replies	Views
Security hotspot management SonarQube Server / Community Build sonarqube	3	610	December 22, 2022
Acknowledged Hotspots have no security relevance SonarQube Server / Community Build sonarqube	2	120	January 24, 2025
Quality Gate Requirement for Tracking Acknowledged Security Hotspots SonarQube Server / Community Build me-too	1	24	March 29, 2026
Security Hotspots that has been marked safe is not reported SonarQube Server / Community Build sonarqube	8	143	September 12, 2024
Fixing/Suppressing Hotspots doesn't improve Security Review Rating SonarQube Server / Community Build security-hotspot	7	2730	January 25, 2023

How to keep track of acknowledged security hotspots?

Related topics