Security hotspot issues fail quality gate


in SonarQube 7.4 issues of type Security Hotspot seem to fail quality gates defined on the issue metrics (blocker issues, critical issues, etc.). As I understand the documentation (, this should only happen when a security hotspot issue has been marked as detected. This would be consistent to the issues view, where issues of type Security Hotspot are hidden.

Is this a bug, or am I missing something here?

Best regards

1 Like

[EDIT: I had misunderstood the original question. This answer is not related to it]

Hi @stephan.schuster,

Thank you for your feedback.

There is indeed a bug in version 7.9 of SonarC# and SonarVB which was released last week. Just as you said, Security Hotspots should never impact the quality gate, except when they are “detected” as Vulnerabilities. We are currently working on a fix.

The bug report is available here:

In the mean time you can either:

  • revert to the previous version of the SonarC#/SonarVB plugin.
  • deactivate external roslyn issues like this: Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option.
  • Create a copy of the SonarWay Quality Profile and disable the Security Hotspot rules for C# and VB .Net.

I would personally recommend the second option as it can easily be reset once we release a fixed plugins.

We apologize for the inconvenience.

I will let you know as soon as the plugins are fixed.

Best regards,

Hi Nicolas,

thanks for the quick reply.

I have forgotten to mention that the problem occurs with java projects. Do you know of a similar bug in the Java analyzer? We are using version 5.9.2 (build 16552).

Many thanks in advance & best regards,

Excuse me as I have misunderstood your first question and my answer was not related to your problem.

You are right that Security Hotspots should never impact the Quality Gate, whatever the language used. I created the corresponding ticket:

In the meantime you can use the “blocker issues” metric in your quality gate, as security hotspots never have this severity level. It is also possible to use “Bugs”, “New Bugs”, “Code Smells”, etc… metrics.

I hope this answers your question.

Best Regards,

Thanks for your help!

Best regards,

Hi Nicolas,

I think still some security hotspot issues exist in sonar.

Is the above issue is fixed in sonar?


Hi @Ramya_Akula,

The issue mentioned above has been fixed.
Could you describe your problem, preferably in a separate topic?


Hi Nicolas,

Please find my new topic link,

Could you please help me.


Hi Ramya,

Please don’t cross-post the same issue in multiple topics.


Hi @ganncamp,

Sorry for the confusion. I was the one asking for a different thread as the problem was probably not related to this one.

@Ramya_Akula Thank you for creating the other tread. The problem is indeed different, I’ll reply there.

1 Like

Sorry Ramya!