We have a bug in our current C# and VB .Net analysis. We are working on it and I will come back to you as soon as it is fixed.
In the mean time you can unblock your pull requests by ignoring external roslyn error in your project like this: Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option. The security hotspot issues will disappear the next time your pull requests are analyzed.
Just to give some context: Security Hotspot issues are meant to help security auditors when they review an application. They are created on code which is security-sensitive, i.e. code where vulnerabilities generally occur. This code doesn’t necessarily contain a vulnerability. Security Hotspot issues normally never impact the quality gate, nor should they be visible on Pull Requests.