Hello, welcome to the community! And thank you for your question.
To be accurate, Security Hotspots won’t appear in SonarLint in the on-the-fly analysis results.
However, with SonarQube 8.6, you should see this button when browsing a security hotspot on the server:
If IntelliJ IDEA (or any supported IntelliJ-based IDE) is started and SonarLint is enabled, it should show the hotspot in the relevant file, with the appropriate context information to let you decide which course of action to take.
Please also note that this feature is available in the latest SonarLint for Visual Studio, and is coming soon for VSCode.