Integration with SonarCloud and GitHub Advanced Security not working

Hi there! I am having issues integrating SonarCloud with GitHub Advanced Security on a private repository (I am a paid subscriber). Here’s a brief description of the environment and the setup:

  • ALM used
    GitHub

  • CI system used
    Azure DevOps

  • Languages of the repository
    Terraform, YAML, Bash, PowerShell

  • Description of the problem

PR decoration works fine, and I do get the findings in the SonarCloud dashboard:

… but the alerts are not showing up in GitHub Advanced Security, where I already have other tools sending findings (like Trivy). The screenshot below presents the total findings for the main branch:

Any idea what I might be doing wrong?

Hey there.

Only issues related to security are synced with GitHub Advanced Security.

When you analyze a project in SonarQube, the detected security issues are displayed on the GitHub interface as code scanning alerts if set up in your system.

It looks like you only have issues related to reliability and maintainability, which are not pushed to GHAS.

Hi Colin, thanks for your reply! I had a look at what you hinted at, and it doesn’t seem to be the case:

Those are Security Hotspots, which don’t count. Only issues with the issue type Vulnerability are synced to GHAS.

Based on your screenshot here (0 Security), none of those issues meet that criteria!
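To check a project against the criterion stated in the reply above without waiting for the next GHAS sync, the following added example (written for this thread; it is not Sonar's code and not part of the original posts) applies that rule to the two SonarCloud Web API responses involved: `api/issues/search`, whose `type` field is `BUG`, `CODE_SMELL` or `VULNERABILITY`, and `api/hotspots/search`, whose hotspots are never synced. The sample payloads are constructed to mirror the original poster's situation (reliability and maintainability issues plus Security Hotspots, zero Vulnerabilities); the rule keys in them are placeholders. The live-fetch helper assumes SonarCloud's token-as-username HTTP Basic authentication and reads only the first page of up to 500 results.

```python
"""Predict which SonarCloud findings will be mirrored into GitHub code scanning.

Added example, not code from the thread or from Sonar. It applies the rule
given in the reply above: only issues of type VULNERABILITY are synced to
GitHub Advanced Security; Security Hotspots, Bugs and Code Smells are not.
"""
import base64
import json
import urllib.parse
import urllib.request

# Per the reply above, the only issue type that is pushed to GHAS.
SYNCED_TYPES = frozenset({"VULNERABILITY"})

# Constructed sample payloads (shape follows api/issues/search and
# api/hotspots/search; keys and rule ids are placeholders, not real data).
SAMPLE_ISSUES = {
    "issues": [
        {"key": "AX1", "rule": "terraform:S0001", "type": "BUG", "severity": "MAJOR"},
        {"key": "AX2", "rule": "terraform:S0002", "type": "BUG", "severity": "MINOR"},
        {"key": "AX3", "rule": "shell:S0003", "type": "CODE_SMELL", "severity": "MINOR"},
    ]
}
SAMPLE_HOTSPOTS = {
    "hotspots": [
        {"key": "HS1", "ruleKey": "terraform:S0010", "vulnerabilityProbability": "HIGH", "status": "TO_REVIEW"},
        {"key": "HS2", "ruleKey": "powershell:S0011", "vulnerabilityProbability": "LOW", "status": "TO_REVIEW"},
    ]
}
# Same project with one genuine Vulnerability added, to show what does sync.
SAMPLE_ISSUES_WITH_VULN = {
    "issues": SAMPLE_ISSUES["issues"]
    + [{"key": "AX4", "rule": "terraform:S0004", "type": "VULNERABILITY", "severity": "CRITICAL"}]
}


def triage(issues_payload: dict, hotspots_payload: dict) -> dict:
    """Split findings into those GHAS will show and those it will not."""
    synced, not_synced = [], []
    for issue in issues_payload.get("issues", []):
        entry = {"key": issue["key"], "type": issue["type"], "rule": issue["rule"]}
        (synced if issue["type"] in SYNCED_TYPES else not_synced).append(entry)
    # Hotspots live in a separate API and are never synced, whatever their probability.
    for hs in hotspots_payload.get("hotspots", []):
        not_synced.append({"key": hs["key"], "type": "SECURITY_HOTSPOT", "rule": hs["ruleKey"]})
    return {"synced": synced, "not_synced": not_synced}


def summarize(report: dict) -> dict:
    """Collapse a triage report into per-type counts, split by sync outcome."""
    out = {"synced": {}, "not_synced": {}}
    for bucket in out:
        for finding in report[bucket]:
            out[bucket][finding["type"]] = out[bucket].get(finding["type"], 0) + 1
    return out


def fetch_live(token: str, project_key: str, base_url: str = "https://sonarcloud.io/api") -> tuple:
    """Fetch the two payloads for a real project (network call; not run offline).

    Assumption: token-as-username HTTP Basic auth with an empty password, as
    documented for SonarCloud. Only the first page (max ps=500) is read.
    """
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def get(path: str, params: dict) -> dict:
        url = f"{base_url}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    issues = get("issues/search", {"componentKeys": project_key, "resolved": "false", "ps": 500})
    hotspots = get("hotspots/search", {"projectKey": project_key, "status": "TO_REVIEW", "ps": 500})
    return issues, hotspots


if __name__ == "__main__":
    for label, issues in (("as in the thread", SAMPLE_ISSUES), ("with one Vulnerability", SAMPLE_ISSUES_WITH_VULN)):
        print(label, json.dumps(summarize(triage(issues, SAMPLE_HOTSPOTS)), indent=2))
```

Running the constructed case reports nothing under `synced` and five findings under `not_synced` (two Bugs, one Code Smell, two Security Hotspots), which is exactly the situation the thread describes: a dashboard full of findings and an empty GHAS tab. Replacing the samples with `fetch_live(token, project_key)` output gives the same answer for a real project before the next analysis runs.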

Isn’t this configurable? I would prefer to have all the findings under GitHub Advanced Security.

It’s not configurable today. It’s not the first time we’ve gotten this request.

So I’ve flagged this to make sure we record the interest here.
