My company is looking for a tool to scan security vulnerabilities as a part of the GitHub pipeline. According to this documentation, we need to have GitHub Advanced Security package to display security vulnerabilities inside the GitHub interface itself. But Sonar does not charge anything extra to enable the code scanning alerts feature.
As the documentation is not fully clear to me, the question is the following: Is it possible to use the SonarQube security scan as a part of the GitHub pipeline and prevent pull request merges when the quality gate fails without having the GitHub Advanced Security package? I guess we can see found security vulnerabilities on the SonarQube interface instead of the GitHub interface.
Yes, as you observed:
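The setup the question describes (SonarQube scan in a GitHub Actions job whose quality-gate result is used as a required status check, with alerts viewed in SonarQube rather than in the GitHub security tab) can be wired up like the following. This is an added example, not part of the original answer; the host URL, the secret names and the branch name are assumed placeholders for your own environment.

```yaml
# Added example: run a SonarQube scan on pull requests and fail the job
# when the quality gate does not pass. Once this job is marked as a
# required status check in branch protection for the target branch,
# a failing gate blocks the merge without GitHub Advanced Security.
name: sonarqube-pr-gate

on:
  pull_request:
    branches: [main]          # assumption: protected branch is "main"

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so Sonar can compute new code

      - name: SonarQube scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          # assumption: both values stored as repository secrets
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

      - name: SonarQube quality gate
        # Polls the server for the gate result of the scan above and
        # fails the step (and so the job and the PR check) on FAILED.
        uses: sonarsource/sonarqube-quality-gate-action@master
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

The job name `sonar` is what you select as a required status check in the branch protection rule; the vulnerability details themselves remain in the SonarQube UI, which is the trade-off the question anticipates.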