Quality Gate Requirement for Tracking Acknowledged Security Hotspots

Hello,

We have a question regarding Security Hotspots handling in Quality Gates for new code.

At the moment, we are using the Security Hotspots Reviewed metric in the Quality Gate. However, we noticed that SonarQube considers a hotspot as reviewed when it is marked as Acknowledged, Fixed, or Safe.

In our case, we want to keep track of Acknowledged hotspots separately, because these are hotspots that were reviewed and confirmed as risky, and we want them to be resolved before the PR is merged.

Is there any way to:

  • Add a metric or custom condition in the Quality Gate that specifically tracks Acknowledged Security Hotspots on new code, and

  • Fail the Quality Gate until those acknowledged hotspots are fixed?

If this is not currently supported, is there any recommended workaround to enforce this behavior? And can we request this feature, if possible?

Thanks for your support.

Regards,

Eman

I want to follow up on this question regarding this behaviour: shouldn't acknowledged issues be converted to security issues?
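As an added illustration (not from the post or from SonarQube itself), a small Python model of the gap described above: the built-in Security Hotspots Reviewed metric counts Acknowledged hotspots as reviewed, so a CI-side check that lists them separately is one way to block a merge until they are fixed. The hotspot records below are constructed sample data; in practice they would be fetched from the SonarQube Web API for the pull request.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Hotspot:
    """One security hotspot. status is TO_REVIEW or REVIEWED; resolution is
    FIXED, SAFE or ACKNOWLEDGED for reviewed hotspots and None otherwise.
    new_code marks hotspots raised in the pull request's new code."""
    key: str
    status: str
    resolution: Optional[str]
    new_code: bool

# Constructed sample data (hypothetical keys, not real SonarQube output).
SAMPLE: List[Hotspot] = [
    Hotspot("h1", "REVIEWED", "FIXED", True),
    Hotspot("h2", "REVIEWED", "SAFE", True),
    Hotspot("h3", "REVIEWED", "ACKNOWLEDGED", True),   # confirmed risk, still open
    Hotspot("h4", "TO_REVIEW", None, False),            # old code, ignored on new code
    Hotspot("h5", "REVIEWED", "ACKNOWLEDGED", False),   # old code, ignored on new code
]

def reviewed_percentage(hotspots: List[Hotspot]) -> float:
    """Security Hotspots Reviewed on new code as the built-in metric counts it:
    every REVIEWED hotspot counts, whatever its resolution, so an ACKNOWLEDGED
    hotspot satisfies the condition even though it was confirmed as risky."""
    new = [h for h in hotspots if h.new_code]
    if not new:
        return 100.0
    reviewed = sum(1 for h in new if h.status == "REVIEWED")
    return 100.0 * reviewed / len(new)

def acknowledged_on_new_code(hotspots: List[Hotspot]) -> List[str]:
    """Keys of hotspots on new code that were reviewed and acknowledged as risky."""
    return [h.key for h in hotspots if h.new_code and h.resolution == "ACKNOWLEDGED"]

def custom_gate(hotspots: List[Hotspot], min_reviewed: float = 100.0) -> Tuple[bool, List[str]]:
    """Stricter gate: keep the built-in reviewed condition AND require zero
    acknowledged hotspots on new code. Returns (passed, list of failure reasons)."""
    reasons: List[str] = []
    pct = reviewed_percentage(hotspots)
    if pct < min_reviewed:
        reasons.append(f"hotspots reviewed {pct:.1f}% < {min_reviewed:.1f}%")
    ack = acknowledged_on_new_code(hotspots)
    if ack:
        reasons.append("acknowledged hotspots on new code: " + ", ".join(ack))
    return (not reasons, reasons)
```

With the sample data the built-in metric reports 100% reviewed, while the custom gate fails on h3 until it is resolved as Fixed or Safe.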