Security Hotspots: a dedicated space to perform your security reviews efficiently

Hello SonarCloud Users,

Security Hotspots are security-sensitive pieces of code, and we’ve been raising Security Hotspot issues in your projects for a while now. While Security Hotspots look like issues, they aren’t, and because they are not issues, they deserve a dedicated space and workflow.
With the recent changes we made in SonarCloud, we give you the review interface you need to work through the Security Hotspots in your code, evaluating whether each one is fine or requires a code change.

In this new interface:

  • Security Hotspots are ordered so you don’t need to ask yourself where to start
  • dedicated documentation guides you through the review process: What’s the risk? Are you at risk? How can you fix it?
  • we help you track your progress with the new Security Hotspot Review rating - for each Security Hotspot you assess, you’ll see the project’s rating improve in real time
  • the workflow is simple - it’s no longer required to transform a Security Hotspot into a Vulnerability to act on it - an action can be taken directly: Fixed or Safe

On top of this new UI, the default Quality Gate “Sonar Way” has been changed to enforce the idea that a security review should be performed, and that it should start from the Security Hotspots raised on New Code.

Enjoy!
Alex

9 Likes

A post was split to a new topic: Security Hotspots: can’t assign hotspot

A post was split to a new topic: How to deactivate some Security Hotspots?