Mandatory Comments on state transition

Using SonarQube LTS 7.9.3 …

When analyzing a Security Hotspot, a user is able to transition an issue to Reviewed (Fixed) if they determine “no security issue was found”. We would also like to be able to enforce the same when marking issues as “Resolve as won’t fix” or “Resolve as false positive”.

We would like to force the user to enter a Comment as to the justification for that analysis. Our objective is to gain a better understanding of why users are marking the issues as such. The Comment may be a specific code or a free text string.

As an alternative, are there any controls to restrict who can transition issues to specific states?

For example, restrict that only a technical architect could mark an issue as “Won’t fix”.

It would seem both the security model and the state-transition model are too loose to do this.