Security Hotspots workflow - make comment a mandatory field when changing status

  • What are you trying to accomplish?

Security Hotspots should be reviewed and marked as “safe”. The user changing the status/resolution may leave a blank comment without justifying why the hotspot can be marked as “safe”.

We want this field to be mandatory, or at least let admins configure it to be mandatory, in SonarCloud/SonarQube.

  • Why does this matter to you?

Because we noticed that most of the reviewers are marking hotspots as safe without writing why it is safe.

  • How would that look in SonarCloud? Alternatives?

It should be an option in the admin section where organization admins can enable the mandatory comment field for Security Hotspots.

  • How would we know it works well?

Enabling this option would make comments mandatory in Security Hotspot reviews. We think the result of the review should always be recorded in the hotspot itself.

  • Why should it be a priority now?

Because a lot of hotspots are being closed without a comment explaining why the hotspot is marked as safe. Customers are missing a lot of security-sensitive information that should be on the reviewed hotspots.



Thanks for taking the time to express your needs.

So far, we have taken the approach of trusting developers, and indeed it's not required to share a justification for why a Hotspot or an Issue is marked as "Safe" or "Won't Fix".
We expect developers to see the value of the raised Hotspots or Issues, and that they won't play against the rules or cheat to get a PASSED quality gate.

I understand why you would want to force developers to leave a comment. I'm just worried about the quality of the comments you'll get.

Anyway, let’s monitor this need and see if other users have the same.