- What are you trying to accomplish?
Security Hotspots should be reviewed and marked as “safe”. The user changing the status/resolution may leave a blank comment without justifying why the hotspot can be marked as “safe”.
We want this field to be mandatory, or at least to let admins configure it to be mandatory, in SonarCloud/SonarQube.
- Why does this matter to you?
Because we noticed that most of the reviewers are marking hotspots as safe without writing why it is safe.
- How would that look in SonarCloud? Alternatives?
It should be an option in the admin section where the organization admins can enable the mandatory comment field for Security Hotspots.
- How would we know it works well?
Enabling this option will make it possible to require comments in Security Hotspot reviews. We think that the result of the review should always be recorded in the hotspot itself.
- Why should it be a priority now?
Because a lot of hotspots are being closed without a comment explaining why the hotspot is marked as safe. Customers are missing a lot of security-sensitive information that should be on the reviewed hotspots.