I have a SonarQube project where I’ve submitted scans from sonarqube-scanner using GitHub actions, all works fine. I can browse the code in SonarQube and see any related issues.
Now I’m trying to set up an additional scan using files from a dynamic application security testing (DAST) tool. It produces a SARIF file that contains the results from scanning the application at runtime. It does not contain any code scanning.
These two scans (code and DAST) run in two separate processes, one is running on every push to our master branch in the git repository, one is running on a time schedule.
What I expect
I want to submit this new DAST scan data into the same SonarQube project that I’ve already set up for the code scanning, so that I can browse the code and see any security issues from the DAST scan at the same time.
I expect that the scans should replace their part of the reports, since they are two completely different kinds of scans.
What I’m seeing
What I’m currently seeing is that whichever scan runs, its results completely replace the existing results in SonarQube; it does not just update the relevant parts for the given scan.
What I’ve tried
I’ve tried adding a projectVersion parameter to the two scans, one code-scan, one dast-scan. That didn’t resolve the issue.
Today, it’s not possible to enrich analysis results after a scan has been submitted. All information, including external reports, must be available when the scan is run.
I would normally suggest that you make sure your DAST scan is finished first, and then pass that artifact along to the build task that runs your SonarQube scan so you can have all the information in one project.
Alright, thank you, I will look into such a solution.
The project/application I want to scan is built with .NET. I’ve followed the docs for .NET applications and SonarQube scanning, so our GitHub action is doing the following:
dotnet-sonarscanner start
dotnet build
dotnet-sonarscanner end
The dotnet-sonarscanner end command will upload the results from the build. But I’d like to append the results from my DAST scan onto that report. Something like this:
Scan the code using dotnet-sonarscanner
Scan the application using my DAST tools
Gather the results from both scans and upload them to SonarQube
What would be the best approach to make that happen?
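One way to wire this up along the lines of the earlier reply (finish the DAST scan first, then hand its report to the same analysis), as an added shell example that is not code from this thread or from SonarSource. It assumes the DAST tool is invoked through a hypothetical DAST_CMD variable that writes dast.sarif, uses a placeholder project key, and relies on the SonarQube property sonar.sarifReportPaths, passed as a /d: parameter to the .NET scanner's begin step, to import the SARIF into the analysis:

```shell
#!/bin/sh
# Added example, not from the thread: run the DAST scan first, then declare its
# SARIF file when the SonarScanner for .NET "begin" step starts, so the DAST
# findings land in the same analysis as the code scan instead of replacing it.
# Assumptions: DAST_CMD (hypothetical) runs the DAST tool and writes $SARIF_FILE;
# sonar.sarifReportPaths is the SonarQube property used to import SARIF reports.
set -eu

PROJECT_KEY="${SONAR_PROJECT_KEY:-my-project}"   # placeholder project key
SARIF_FILE="${SARIF_FILE:-dast.sarif}"

# Write a minimal, constructed SARIF 2.1.0 log with one result. Used only to
# exercise check_sarif; a real DAST tool produces the file in the pipeline.
write_sample_sarif() {
    cat > "$1" <<'EOF'
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": { "driver": { "name": "constructed-dast-tool" } },
      "results": [
        { "ruleId": "SAMPLE-001", "level": "warning",
          "message": { "text": "constructed sample finding" } }
      ]
    }
  ]
}
EOF
}

# Lightweight sanity check on the SARIF before the analysis starts: a missing,
# empty or non-SARIF file would otherwise fail the SonarQube step late, after
# the build. It checks for a non-empty file containing a "runs" key, not full
# JSON validity.
check_sarif() {
    f="$1"
    [ -s "$f" ] || { echo "SARIF report missing or empty: $f" >&2; return 1; }
    grep -q '"runs"' "$f" || { echo "not a SARIF log (no runs key): $f" >&2; return 1; }
    return 0
}

# Argument list for 'dotnet sonarscanner begin', kept in a function so the
# property wiring can be inspected without dotnet installed.
sonar_begin_args() {
    printf '%s' "begin /k:$1 /d:sonar.sarifReportPaths=$2"
}

run_pipeline() {
    # 1. DAST scan first; it must have finished before the SonarQube scan begins.
    sh -c "$DAST_CMD"
    # 2. Refuse to start the analysis without a usable SARIF report.
    check_sarif "$SARIF_FILE"
    # 3. Code analysis with the DAST report declared up front, then build, then end.
    dotnet sonarscanner $(sonar_begin_args "$PROJECT_KEY" "$SARIF_FILE")
    dotnet build
    dotnet sonarscanner end
}

# Only run the real pipeline when a DAST command has been configured.
if [ -n "${DAST_CMD:-}" ]; then
    run_pipeline
fi
```

The ordering is the whole point: the SARIF file has to exist when the begin step runs, because the end step uploads everything for the analysis in one go and nothing can be appended afterwards. Keep the scheduled DAST run and the push-triggered code scan in one job (or pass the SARIF between jobs as an artifact) so both feed the same analysis.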