Hi, I configured my SonarQube new code definition to compare to a branch. My quality gate only has one condition, which checks if the security rating of new code is less than A. Theoretically, if the new code I add contains vulnerabilities, the scan should fail. However, the scan succeeds every time, but the number of vulnerabilities in the overall code is increasing. Why is this?
I am seeing some findings in the MR scan but not in new code. What's the difference between MR and new code? If I am merging everything to main and set the new code definition to compare to the main branch, will that result in not seeing anything in new code?
My guess is still that it's because I'm merging everything to the main branch and I'm using the main branch as the comparison base for new code, so it shows no findings.
Coverage is not what concerned me. It's the fact that there are no bugs, vulnerabilities or security hotspots counted. But I think it is probably expected based on my configuration.
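A quick way to check the scenario the poster is guessing at (quality gate on new code passes while overall vulnerabilities grow) is to pull three things from the SonarQube Web API for the analyzed branch: the effective new code definition, the quality gate status, and the `vulnerabilities` / `new_vulnerabilities` measures. The script below is an added example written for this thread, not the poster's or SonarSource's code. The endpoint paths (`api/new_code_periods/show`, `api/qualitygates/project_status`, `api/measures/component`) are SonarQube's public Web API; the sample responses are constructed and trimmed to the fields read, and the check that "reference branch equals the analyzed branch implies empty new code" encodes the poster's hypothesis rather than a confirmed SonarQube rule.

```python
"""Diagnose a SonarQube quality gate that passes on new code while overall
vulnerabilities keep rising. Example code for this thread; not SonarQube's own."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample responses (assumed shapes, trimmed to the fields read below).
SAMPLE_BRANCH = "main"
SAMPLE_NEW_CODE_PERIOD = {  # GET api/new_code_periods/show?project=...&branch=...
    "projectKey": "my-project", "branchKey": "main",
    "type": "REFERENCE_BRANCH", "value": "main", "inherited": True,
}
SAMPLE_GATE_STATUS = {  # GET api/qualitygates/project_status?projectKey=...&branch=...
    "projectStatus": {
        "status": "OK",
        "conditions": [  # rating 1 = A; "worse than A" is GT 1
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
    }
}
SAMPLE_MEASURES = {  # GET api/measures/component?component=...&branch=...&metricKeys=...
    "component": {
        "key": "my-project",
        "measures": [
            {"metric": "vulnerabilities", "value": "12"},
            {"metric": "new_vulnerabilities", "period": {"index": 1, "value": "0"}},
        ],
    }
}


def fetch(base_url, path, token, **params):
    """GET a Web API endpoint; user tokens go as HTTP basic user with empty password."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def measure_value(measures, metric):
    """Integer value of a metric. New-code metrics carry the value under
    'period' ('periods' on older servers) instead of 'value'. None if absent."""
    for m in measures["component"]["measures"]:
        if m["metric"] != metric:
            continue
        if "value" in m:
            return int(float(m["value"]))
        if "period" in m:
            return int(float(m["period"]["value"]))
        if "periods" in m:
            return int(float(m["periods"][0]["value"]))
    return None


def diagnose(branch, new_code_period, gate_status, measures):
    """Combine the three responses into one verdict dict."""
    ncd_type = new_code_period.get("type")
    ncd_value = new_code_period.get("value")
    # Hypothesis under test: the analyzed branch is its own reference branch.
    self_ref = ncd_type == "REFERENCE_BRANCH" and ncd_value == branch
    conds = {c["metricKey"]: c for c in gate_status["projectStatus"]["conditions"]}
    rating = conds.get("new_security_rating")
    result = {
        "branch": branch,
        "gate_status": gate_status["projectStatus"]["status"],
        "new_code_definition": f"{ncd_type}={ncd_value}" if ncd_value else ncd_type,
        "self_reference": self_ref,
        "vulnerabilities": measure_value(measures, "vulnerabilities"),
        "new_vulnerabilities": measure_value(measures, "new_vulnerabilities"),
        "new_security_rating": rating["actualValue"] if rating else None,
    }
    if self_ref:
        result["note"] = ("branch compared against itself: new-code measures are "
                          "empty, so a new-code-only gate cannot fail here")
    elif result["vulnerabilities"] and not result["new_vulnerabilities"]:
        result["note"] = ("overall vulnerabilities exist but none count as new; "
                          "check which commits fall inside the new code period")
    else:
        result["note"] = "new code is being measured"
    return result


if __name__ == "__main__":
    host, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    key, branch = os.environ.get("SONAR_PROJECT_KEY"), os.environ.get("SONAR_BRANCH", "main")
    if host and token and key:  # live mode: query a real server
        ncd = fetch(host, "api/new_code_periods/show", token, project=key, branch=branch)
        gate = fetch(host, "api/qualitygates/project_status", token, projectKey=key, branch=branch)
        meas = fetch(host, "api/measures/component", token, component=key, branch=branch,
                     metricKeys="vulnerabilities,new_vulnerabilities")
        print(json.dumps(diagnose(branch, ncd, gate, meas), indent=2))
    else:  # offline: run on the constructed samples
        print(json.dumps(diagnose(SAMPLE_BRANCH, SAMPLE_NEW_CODE_PERIOD,
                                  SAMPLE_GATE_STATUS, SAMPLE_MEASURES), indent=2))
```

Run it with `SONAR_HOST_URL`, `SONAR_TOKEN` and `SONAR_PROJECT_KEY` set to query a server, or with none set to see the verdict for the sample data. The sample reproduces the thread's symptom: gate `OK`, `vulnerabilities` 12, `new_vulnerabilities` 0, and the new code definition pointing at the branch being analyzed.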